8000 [2.2.x] Applied jQuery patch for CVE-2019-11358. · django/django@baaf187 · GitHub

Commit baaf187

[2.2.x] Applied jQuery patch for CVE-2019-11358.
Backport of 34ec522 from master.
1 parent afddabf commit baaf187


4 files changed

+25
-2
lines changed


django/contrib/admin/static/admin/js/vendor/jquery/jquery.js

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -261,8 +261,9 @@ jQuery.extend = jQuery.fn.extend = function() {
261261
src = target[ name ];
262262
copy = options[ name ];
263263

264+
// Prevent Object.prototype pollution
264265
// Prevent never-ending loop
265-
if ( target === copy ) {
266+
if ( name === "__proto__" || target === copy ) {
266267
continue;
267268
}
268269

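Review bot: the new guard `if ( name === "__proto__" || target === copy ) {` skips only a key spelled exactly `__proto__`, which is what the upstream jQuery 3.4.0 fix does, so the behaviour matches upstream; what the backport lacks is a regression test so that the next jQuery bump cannot quietly drop the check. A small test in the admin JS suite that deep-extends `{}` from an object parsed out of JSON with a `__proto__` key and then asserts that a fresh `{}` has gained no property would pin the fix. It is also worth recording in the commit message which upstream jQuery change this mirrors: the diff is 2 additions and 1 deletion, so the vendored file's version banner is unchanged and readers of the file cannot tell from it that the fix is present.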
django/contrib/admin/static/admin/js/vendor/jquery/jquery.min.js

Lines changed: 1 addition & 1 deletion
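Review bot: the minified file is not rendered here, so the review cannot confirm that its one-line change mirrors the source change; please confirm that `jquery.min.js` was regenerated from the patched `jquery.js` (or taken from the matching upstream minified build) rather than hand-edited, and that the `__proto__` check is present in it, since both copies must carry the fix.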

docs/releases/2.1.9.txt

Lines changed: 11 additions & 0 deletions
@@ -19,3 +19,14 @@ payload, could result in an clickable JavaScript link.
1919
link. You may customise the validator by passing a ``validator_class`` kwarg to
2020
``AdminURLFieldWidget.__init__()``, e.g. when using
2121
:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
22+
23+
Patched bundled jQuery for CVE-2019-11358: Prototype pollution
24+
--------------------------------------------------------------
25+
26+
jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
27+
``Object.prototype`` pollution. If an unsanitized source object contained an
28+
enumerable ``__proto__`` property, it could extend the native
29+
``Object.prototype``.
30+
31+
The bundled version of jQuery used by the Django admin has been patched to
32+
allow for the ``select2`` library's use of ``jQuery.extend()``.
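
Review bot: `jQuery before 3.4.0, mishandles` has a comma between subject and verb; drop it. The closing sentence (`has been patched to allow for the ``select2`` library's use of ``jQuery.extend()``.`) reads as though the patch exists to enable select2, rather than explaining why the vendored jQuery is affected at all; something like "has been patched, since the select2 library used by the admin relies on ``jQuery.extend()``" states the intent more clearly. The hunk's context line `could result in an clickable JavaScript link` carries a pre-existing `an clickable` typo that is worth a separate follow-up rather than folding into a security backport.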

docs/releases/2.2.2.txt

Lines changed: 11 additions & 0 deletions
@@ -20,6 +20,17 @@ link. You may customise the validator by passing a ``validator_class`` kwarg to
2020
``AdminURLFieldWidget.__init__()``, e.g. when using
2121
:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
2222

23+
Patched bundled jQuery for CVE-2019-11358: Prototype pollution
24+
--------------------------------------------------------------
25+
26+
jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
27+
``Object.prototype`` pollution. If an unsanitized source object contained an
28+
enumerable ``__proto__`` property, it could extend the native
29+
``Object.prototype``.
30+
31+
The bundled version of jQuery used by the Django admin has been patched to
32+
allow for the ``select2`` library's use of ``jQuery.extend()``.
33+
2334
Bugfixes
2435
========
2536

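Review bot: this block is a verbatim copy of the 2.1.9.txt hunk, which is the usual release-notes convention for a fix landing in two series, so any wording change (the stray comma in `jQuery before 3.4.0, mishandles`, the unclear select2 sentence) has to land in both files; a quick diff of the two sections before merge would catch drift. The added blank line at 33+ correctly separates the new section from the existing `Bugfixes` heading.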