
[2.1.x] Applied jQuery patch for CVE-2019-11358.

Backport of 34ec522 from master.
carltongibson committed May 27, 2019
1 parent 09186a1 commit 95649bc08547a878cebfa1d019edec8cb1b80829
@@ -261,8 +261,9 @@ jQuery.extend = jQuery.fn.extend = function() {
src = target[ name ];
copy = options[ name ];

// Prevent Object.prototype pollution
// Prevent never-ending loop
if ( target === copy ) {
if ( name === "__proto__" || target === copy ) {
continue;
}
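Review bot: the new guard `if ( name === "__proto__" || target === copy )` now sits under two stacked comments ("Prevent Object.prototype pollution" and "Prevent never-ending loop") for a single condition; either merge them into one line or attach each comment to the clause it describes, so the `__proto__` check is not read as part of the loop guard. Since this is a hand-applied change to a vendored copy rather than an upgrade to jQuery 3.4.0, also consider a short marker near the file's version header, and make sure any other bundled copy of the same file (for example a minified build) carries the identical change, so the next refresh of the bundled jQuery does not silently drop the fix.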


@@ -19,3 +19,14 @@ payload, could result in an clickable JavaScript link.
link. You may customise the validator by passing a ``validator_class`` kwarg to
``AdminURLFieldWidget.__init__()``, e.g. when using
:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.

Patched bundled jQuery for CVE-2019-11358: Prototype pollution
--------------------------------------------------------------

jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
``Object.prototype`` pollution. If an unsanitized source object contained an
enumerable ``__proto__`` property, it could extend the native
``Object.prototype``.

The bundled version of jQuery used by the Django admin has been patched to
allow for the ``select2`` library's use of ``jQuery.extend()``.
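Review bot: in the release note, "jQuery before 3.4.0, mishandles" has a stray comma, and the closing sentence "patched to allow for the ``select2`` library's use of ``jQuery.extend()``" reads as if the patch enables that use; what it means is that the ``select2`` library shipped with the admin calls ``jQuery.extend()``, which is why the bundled jQuery was patched now rather than left until the next upgrade. Suggested: "The bundled version of jQuery used by the Django admin has been patched, since the ``select2`` library it ships calls ``jQuery.extend()``." Stating the bundled jQuery version (which is below 3.4.0) would also let readers confirm that the admin was affected.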
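The release note above describes the bug in one sentence; the following added example (not jQuery's or Django's code) shows it end to end. `deepExtendUnsafe` and `deepExtendSafe` are simplified stand-ins for `jQuery.extend(true, target, source)` before and after the one-line guard in this commit, and the attacker input and the `isAdmin` marker are constructed for the demonstration. The key detail is that `JSON.parse` creates an own, enumerable property literally named `__proto__`, which a `for...in` loop then visits; an object literal would not.

```javascript
// Added example, not code from the jQuery or Django projects.
// deepExtendUnsafe/deepExtendSafe are simplified stand-ins for
// jQuery.extend(true, target, source) before and after CVE-2019-11358's fix.

function isPlainObjectLike(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Pre-patch behaviour: only the "never-ending loop" check, no check on the key.
function deepExtendUnsafe(target, source) {
  for (const name in source) {
    const src = target[name];
    const copy = source[name];
    if (target === copy) continue;
    if (isPlainObjectLike(copy)) {
      // When name is "__proto__", src is Object.prototype itself: it becomes
      // the clone and is extended in place, polluting every plain object.
      const clone = isPlainObjectLike(src) ? src : {};
      target[name] = deepExtendUnsafe(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Patched behaviour: skip the "__proto__" key, as jQuery 3.4.0 does.
function deepExtendSafe(target, source) {
  for (const name in source) {
    const src = target[name];
    const copy = source[name];
    if (name === "__proto__" || target === copy) continue;
    if (isPlainObjectLike(copy)) {
      const clone = isPlainObjectLike(src) ? src : {};
      target[name] = deepExtendSafe(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker-controlled input, e.g. a JSON body or query parameter
// that ends up as the source of a deep extend. "isAdmin" is a constructed marker.
const attackerJson = '{"__proto__": {"isAdmin": true}, "theme": "dark"}';

// Runs one merge and reports whether an unrelated, freshly created object
// picked up the attacker's property. Cleans up Object.prototype afterwards.
function runMerge(extendFn) {
  const settings = {};
  extendFn(settings, JSON.parse(attackerJson));
  const victim = {};
  const polluted = victim.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { theme: settings.theme, polluted };
}

console.log("unsafe:", runMerge(deepExtendUnsafe)); // polluted: true
console.log("safe:  ", runMerge(deepExtendSafe));   // polluted: false
```

Both versions still copy the harmless `theme` key, so the guard costs nothing for legitimate input; the difference is only that `Object.prototype` is never used as a merge target. Note that the guard matches the same scope as the commit: it blocks the `__proto__` key specifically.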
