Commit d2f26902 authored by xjm's avatar xjm

SA-CORE-2019-006 by effulgentsia, lauriii, larowlan, xjm, greggles, drumm, dtv_rb, samuel.mortenson

parent c2cae51e
/**
* For jQuery versions less than 3.4.0, this replaces the jQuery.extend
* function with the one from jQuery 3.4.0, slightly modified (documented
* below) to be compatible with older jQuery versions and browsers.
*
* This provides the Object.prototype pollution vulnerability fix to Drupal
* installations running older jQuery versions, including the versions shipped
* with Drupal core and https://www.drupal.org/project/jquery_update.
*
* @see https://github.com/jquery/jquery/pull/4333
*/
(function (jQuery) {
// Do not override jQuery.extend() if the jQuery version is already >=3.4.0.
var versionParts = jQuery.fn.jquery.split('.');
var majorVersion = parseInt(versionParts[0]);
var minorVersion = parseInt(versionParts[1]);
var patchVersion = parseInt(versionParts[2]);
var isPreReleaseVersion = (patchVersion.toString() !== versionParts[2]);
if (
(majorVersion > 3) ||
(majorVersion === 3 && minorVersion > 4) ||
(majorVersion === 3 && minorVersion === 4 && patchVersion > 0) ||
(majorVersion === 3 && minorVersion === 4 && patchVersion === 0 && !isPreReleaseVersion)
) {
return;
}
/**
* This is almost verbatim copied from jQuery 3.4.0.
*
* Only two minor changes have been made:
* - The call to isFunction() is changed to jQuery.isFunction().
* - The two calls to Array.isArray() is changed to jQuery.isArray().
*
* The above two changes ensure compatibility with all older jQuery versions
* (1.4.4 - 3.3.1) and older browser versions (e.g., IE8).
*/
jQuery.extend = jQuery.fn.extend = function() {
var options, name, src, copy, copyIsArray, clone,
target = arguments[ 0 ] || {},
i = 1,
length = arguments.length,
deep = false;
// Handle a deep copy situation
if ( typeof target === "boolean" ) {
deep = target;
// Skip the boolean and the target
target = arguments[ i ] || {};
i++;
}
// Handle case when target is a string or something (possible in deep copy)
if ( typeof target !== "object" && !jQuery.isFunction( target ) ) {
target = {};
}
// Extend jQuery itself if only one argument is passed
if ( i === length ) {
target = this;
i--;
}
for ( ; i < length; i++ ) {
// Only deal with non-null/undefined values
if ( ( options = arguments[ i ] ) != null ) {
// Extend the base object
for ( name in options ) {
copy = options[ name ];
// Prevent Object.prototype pollution
// Prevent never-ending loop
if ( name === "__proto__" || target === copy ) {
continue;
}
// Recurse if we're merging plain objects or arrays
if ( deep && copy && ( jQuery.isPlainObject( copy ) ||
( copyIsArray = jQuery.isArray( copy ) ) ) ) {
src = target[ name ];
// Ensure proper type for the source value
if ( copyIsArray && !jQuery.isArray( src ) ) {
clone = [];
} else if ( !copyIsArray && !jQuery.isPlainObject( src ) ) {
clone = {};
} else {
clone = src;
}
copyIsArray = false;
// Never move original objects, clone them
target[ name ] = jQuery.extend( deep, clone, copy );
// Don't bring in undefined values
} else if ( copy !== undefined ) {
target[ name ] = copy;
}
}
}
}
// Return the modified object
return target;
};
})(jQuery);
......@@ -3285,6 +3285,13 @@ function system_update_7081() {
->execute();
}
/**
* Add 'jquery-extend-3.4.0.js' to the 'jquery' library.
*/
function system_update_7082() {
// Empty update to force a rebuild of hook_library() and JS aggregates.
}
/**
* @} End of "defgroup updates-7.x-extra".
* The next series of updates should start at 8000.
......
......@@ -1182,6 +1182,9 @@ function system_library() {
'version' => '1.4.4',
'js' => array(
'misc/jquery.js' => array('group' => JS_LIBRARY, 'weight' => -20),
// This includes a security fix, so assign a weight that makes this load
// as soon after jquery.js is loaded as possible.
'misc/jquery-extend-3.4.0.js' => array('group' => JS_LIBRARY, 'weight' => -19),
),
);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment