
Showing content from https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad below:

[2.2.x] Applied jQuery patch for CVE-2019-11358. · django/django@baaf187 · GitHub

4 files changed, +25 -2 lines

@@ -261,8 +261,9 @@ jQuery.extend = jQuery.fn.extend = function() {

261 261

src = target[ name ];

262 262

copy = options[ name ];

263 263 264 +

// Prevent Object.prototype pollution

264 265

// Prevent never-ending loop

265 -

if ( target === copy ) {

266 +

if ( name === "__proto__" || target === copy ) {

266 267

continue;

267 268

}

268 269 Original file line number Diff line number Diff line change
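Review bot: the guard keys on the exact string "__proto__" and then `continue`s, so an own enumerable key with that name is silently dropped from the merge on every loop iteration that reaches this line. That closes the CVE vector, but it is also a behaviour change for any caller that used `jQuery.extend` to set a target's prototype through that key, and neither the new "// Prevent Object.prototype pollution" comment nor the release notes in this commit say that the key is discarded rather than copied; a comment such as "// Prevent Object.prototype pollution: the __proto__ key is dropped, not copied" would make that explicit. Separately, the file tree reports 4 files changed but only three diffs render on this page, so please confirm that the minified bundle carries the same one-line change as this unminified copy.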

@@ -19,3 +19,14 @@ payload, could result in an clickable JavaScript link.

19 19

link. You may customise the validator by passing a ``validator_class`` kwarg to

20 20

``AdminURLFieldWidget.__init__()``, e.g. when using

21 21

:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.

22 + 23 +

Patched bundled jQuery for CVE-2019-11358: Prototype pollution

24 +

--------------------------------------------------------------

25 + 26 +

jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of

27 +

``Object.prototype`` pollution. If an unsanitized source object contained an

28 +

enumerable ``__proto__`` property, it could extend the native

29 +

``Object.prototype``.

30 + 31 +

The bundled version of jQuery used by the Django admin has been patched to

32 +

allow for the ``select2`` library's use of ``jQuery.extend()``.
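Review bot: the first sentence of the new paragraph has a stray comma ("jQuery before 3.4.0, mishandles ..."); drop it. The closing sentence is also easy to misread: "patched to allow for the ``select2`` library's use of ``jQuery.extend()``" reads as if the patch exists to enable select2, when the point is that the admin is exposed because select2 calls ``jQuery.extend()``. Something like "has been patched to fix this, since the ``select2`` library used by the admin calls ``jQuery.extend()``" states the reason directly. The pre-existing context line above ("an clickable JavaScript link") has its own typo, but that is outside this change.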


@@ -20,6 +20,17 @@ link. You may customise the validator by passing a ``validator_class`` kwarg to

20 20

``AdminURLFieldWidget.__init__()``, e.g. when using

21 21

:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.

22 22 23 +

Patched bundled jQuery for CVE-2019-11358: Prototype pollution

24 +

--------------------------------------------------------------

25 + 26 +

jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of

27 +

``Object.prototype`` pollution. If an unsanitized source object contained an

28 +

enumerable ``__proto__`` property, it could extend the native

29 +

``Object.prototype``.

30 + 31 +

The bundled version of jQuery used by the Django admin has been patched to

32 +

allow for the ``select2`` library's use of ``jQuery.extend()``.

33 + 23 34

Bugfixes

24 35

========

25 36
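Review bot: this paragraph repeats the one added to the other release-notes file verbatim, so the stray comma after "3.4.0" and the "allow for" wording need the same fix here. It would also help readers to state that this is a backport into the bundled copy without a version bump: the jquery.js diff above touches a single line and no version banner, so version-string scanners will keep reporting the admin's jQuery as older than 3.4.0 after upgrading, and the note should say that the patched file is the one to trust.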
