[2.1.x] Applied jQuery patch for CVE-2019-11358.

Backport of 34ec52269a from master.
This commit is contained in:
Carlton Gibson 2019-05-27 11:07:46 +02:00
parent 09186a13d9
commit 95649bc085
3 changed files with 14 additions and 2 deletions

View File

@ -261,8 +261,9 @@ jQuery.extend = jQuery.fn.extend = function() {
src = target[ name ];
copy = options[ name ];
// Prevent Object.prototype pollution
// Prevent never-ending loop
if ( target === copy ) {
if ( name === "__proto__" || target === copy ) {
continue;
}

File diff suppressed because one or more lines are too long

View File

@ -19,3 +19,14 @@ payload, could result in an clickable JavaScript link.
link. You may customise the validator by passing a ``validator_class`` kwarg to
``AdminURLFieldWidget.__init__()``, e.g. when using
:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
Patched bundled jQuery for CVE-2019-11358: Prototype pollution
--------------------------------------------------------------
jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
``Object.prototype`` pollution. If an unsanitized source object contained an
enumerable ``__proto__`` property, it could extend the native
``Object.prototype``.
The bundled version of jQuery used by the Django admin has been patched to
allow for the ``select2`` library's use of ``jQuery.extend()``.