p31829507
/
django
mirror of https://github.com/django/django.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

[2.1.x] Applied jQuery patch for CVE-2019-11358. 

Backport of 34ec52269a from master.
This commit is contained in:
Carlton Gibson 2019-05-27 11:07:46 +02:00
parent 09186a13d9
commit 95649bc085
3 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
django/contrib/admin/static/admin/js/vendor/jquery/jquery.js vendored
View File

@ -261,8 +261,9 @@ jQuery.extend = jQuery.fn.extend = function() {
src = target[ name ]; src = target[ name ];
copy = options[ name ]; copy = options[ name ];
// Prevent Object.prototype pollution
// Prevent never-ending loop // Prevent never-ending loop
if ( target === copy ) { if ( name === "__proto__" || target === copy ) {
continue; continue;
} }

2
django/contrib/admin/static/admin/js/vendor/jquery/jquery.min.js vendored
View File

File diff suppressed because one or more lines are too long

11
docs/releases/2.1.9.txt
View File

@ -19,3 +19,14 @@ payload, could result in an clickable JavaScript link.
link. You may customise the validator by passing a ``validator_class`` kwarg to link. You may customise the validator by passing a ``validator_class`` kwarg to
``AdminURLFieldWidget.__init__()``, e.g. when using ``AdminURLFieldWidget.__init__()``, e.g. when using
:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`. :attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
Patched bundled jQuery for CVE-2019-11358: Prototype pollution
--------------------------------------------------------------
jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
``Object.prototype`` pollution. If an unsanitized source object contained an
enumerable ``__proto__`` property, it could extend the native
``Object.prototype``.
The bundled version of jQuery used by the Django admin has been patched to
allow for the ``select2`` library's use of ``jQuery.extend()``.