From 0d9f41e2dd04ee85df91042d7c7ca0e63b9c9d6a Mon Sep 17 00:00:00 2001 From: Lucas Galfaso Date: Sun, 13 Sep 2015 14:10:49 +0200 Subject: [PATCH] fix($parse): throw error when accessing a restricted property indirectly When accessing an instance thru a computed member and the property is an array, then also check the string value of the array. --- src/ng/parse.js | 1 + test/ng/parseSpec.js | 24 ++++++++++++++++++------ 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/src/ng/parse.js b/src/ng/parse.js index af07fce51630..18d13543a0c8 100644 --- a/src/ng/parse.js +++ b/src/ng/parse.js @@ -38,6 +38,7 @@ var $parseMinErr = minErr('$parse'); function ensureSafeMemberName(name, fullExpression) { + name = (isObject(name) && name.toString) ? name.toString() : name; if (name === "__defineGetter__" || name === "__defineSetter__" || name === "__lookupGetter__" || name === "__lookupSetter__" || name === "__proto__") { diff --git a/test/ng/parseSpec.js b/test/ng/parseSpec.js index 5fef35eec346..5b477b464947 100644 --- a/test/ng/parseSpec.js +++ b/test/ng/parseSpec.js @@ -1679,12 +1679,10 @@ describe('parser', function() { forEach([true, false], function(cspEnabled) { describe('csp: ' + cspEnabled, function() { - beforeEach(module(function($provide) { - $provide.decorator('$sniffer', function($delegate) { - expect($delegate.csp.noUnsafeEval === true || - $delegate.csp.noUnsafeEval === false).toEqual(true); - $delegate.csp.noUnsafeEval = cspEnabled; - }); + beforeEach(module(function() { + expect(csp().noUnsafeEval === true || + csp().noUnsafeEval === false).toEqual(true); + csp().noUnsafeEval = cspEnabled; }, provideLog)); beforeEach(inject(function($rootScope) { 
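Review bot: The added first line of `ensureSafeMemberName` converts an object key with `name.toString()` only for the comparison, so the check and the later member access can each convert the same object separately. The rest of the function and its callers are outside the hunk, so this is inferred: if the call site indexes with the original value, the engine converts the key again under its own property-key rules rather than a bare `toString()` call, and the checked string is not guaranteed to be the accessed one. Converting once and using that string for both steps closes the gap, for example `name = isObject(name) ? String(name) : name;` here, with the call site indexing by the returned value. A comment such as `// Check the same string the engine will use as the property key` would record why the coercion exists.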
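Review bot: The new `beforeEach` in test/ng/parseSpec.js assigns `csp().noUnsafeEval = cspEnabled;` and nothing visible in the hunk puts the previous value back, so if `csp()` returns a shared object the setting outlives this `describe` and leaks into later specs. Declaring `var savedNoUnsafeEval;` in the `describe`, setting it in `beforeEach` before the assignment, and adding `afterEach(function() { csp().noUnsafeEval = savedNoUnsafeEval; });` would contain it. The existing `expect` only confirms the flag is a boolean, not that the assignment took effect. These two iterations are what run the sandbox assertions under both settings, so a check that the assignment was picked up would guard against both passes silently taking the same evaluation path. The enclosing `describe` continues outside the hunk, so a restore may already exist there.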
@@ -2669,6 +2667,20 @@ describe('parser', function() { scope.$eval('{}["__proto__"].foo = 1'); }).toThrowMinErr('$parse', 'isecfld'); + expect(function() { + scope.$eval('{}[["__proto__"]]'); + }).toThrowMinErr('$parse', 'isecfld'); + expect(function() { + scope.$eval('{}[["__proto__"]].foo = 1'); + }).toThrowMinErr('$parse', 'isecfld'); + + expect(function() { + scope.$eval('0[["__proto__"]]'); + }).toThrowMinErr('$parse', 'isecfld'); + expect(function() { + scope.$eval('0[["__proto__"]].foo = 1'); + }).toThrowMinErr('$parse', 'isecfld'); + scope.a = "__pro"; scope.b = "to__"; expect(function() {
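Review bot: The added assertions exercise the array-wrapped key only with `__proto__` written as a literal in the expression. The guard in `ensureSafeMemberName` (the src/ng/parse.js hunk) compares against five names and coerces any object that has `toString`. Repeating the array form for `__defineGetter__`, `__defineSetter__`, `__lookupGetter__` and `__lookupSetter__` would pin the whole list. A case where the key arrives from the scope, e.g. `scope.k = ['__proto__'];` followed by `scope.$eval('{}[k]')` expected to throw `isecfld`, would cover the non-literal path in the same way the neighbouring `scope.a`/`scope.b` case does for strings. The surrounding `it` block starts and ends outside the hunk.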