[2.2.x] Applied jQuery patch for CVE-2019-11358.

Backport of 34ec52269a from master.
This commit is contained in:
Carlton Gibson 2019-05-27 11:07:46 +02:00
parent afddabf842
commit baaf187a4e
4 changed files with 25 additions and 2 deletions

View File

@ -261,8 +261,9 @@ jQuery.extend = jQuery.fn.extend = function() {
src = target[ name ]; src = target[ name ];
copy = options[ name ]; copy = options[ name ];
// Prevent Object.prototype pollution
// Prevent never-ending loop // Prevent never-ending loop
if ( target === copy ) { if ( name === "__proto__" || target === copy ) {
continue; continue;
} }

File diff suppressed because one or more lines are too long

View File

@ -19,3 +19,14 @@ payload, could result in an clickable JavaScript link.
link. You may customise the validator by passing a ``validator_class`` kwarg to link. You may customise the validator by passing a ``validator_class`` kwarg to
``AdminURLFieldWidget.__init__()``, e.g. when using ``AdminURLFieldWidget.__init__()``, e.g. when using
:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`. :attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
Patched bundled jQuery for CVE-2019-11358: Prototype pollution
--------------------------------------------------------------
jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
``Object.prototype`` pollution. If an unsanitized source object contained an
enumerable ``__proto__`` property, it could extend the native
``Object.prototype``.
The bundled version of jQuery used by the Django admin has been patched to
allow for the ``select2`` library's use of ``jQuery.extend()``.

View File

@ -20,6 +20,17 @@ link. You may customise the validator by passing a ``validator_class`` kwarg to
``AdminURLFieldWidget.__init__()``, e.g. when using ``AdminURLFieldWidget.__init__()``, e.g. when using
:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`. :attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
Patched bundled jQuery for CVE-2019-11358: Prototype pollution
--------------------------------------------------------------
jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
``Object.prototype`` pollution. If an unsanitized source object contained an
enumerable ``__proto__`` property, it could extend the native
``Object.prototype``.
The bundled version of jQuery used by the Django admin has been patched to
allow for the ``select2`` library's use of ``jQuery.extend()``.
Bugfixes Bugfixes
======== ========