[2.1.x] Applied jQuery patch for CVE-2019-11358.

Backport of 34ec52269a from master.
2019-05-27 11:07:46 +02:00 · 2019-05-27 11:07:46 +02:00 · 95649bc085
parent 09186a13d9
commit 95649bc085
3 changed files with 14 additions and 2 deletions
--- a/django/contrib/admin/static/admin/js/vendor/jquery/jquery.js
+++ b/django/contrib/admin/static/admin/js/vendor/jquery/jquery.js
@ -261,8 +261,9 @@ jQuery.extend = jQuery.fn.extend = function() {
 				src = target[ name ];
 				copy = options[ name ];

+				// Prevent Object.prototype pollution
 				// Prevent never-ending loop
-				if ( target === copy ) {
+				if ( name === "__proto__" || target === copy ) {
 					continue;
 				}

--- a/django/contrib/admin/static/admin/js/vendor/jquery/jquery.min.js
+++ b/django/contrib/admin/static/admin/js/vendor/jquery/jquery.min.js
--- a/docs/releases/2.1.9.txt
+++ b/docs/releases/2.1.9.txt
@ -19,3 +19,14 @@ payload, could result in an clickable JavaScript link.
 link. You may customise the validator by passing a ``validator_class`` kwarg to
 ``AdminURLFieldWidget.__init__()``, e.g. when using
 :attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
+
+Patched bundled jQuery for CVE-2019-11358: Prototype pollution
+--------------------------------------------------------------
+
+jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
+``Object.prototype`` pollution. If an unsanitized source object contained an
+enumerable ``__proto__`` property, it could extend the native
+``Object.prototype``.
+
+The bundled version of jQuery used by the Django admin has been patched to
+allow for the ``select2`` library's use of ``jQuery.extend()``.