🔒️ fix CVE-2019-11358

ctcpip · ctcpip · commit ab024c1499bf · 2023-12-11T15:41:51.000-06:00
diff --git a/build/post-compile.js b/build/post-compile.js
@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-var print = require( "sys" ).print,
+var print = console.log,
 	fs = require( "fs" ),
 	src = fs.readFileSync( process.argv[2], "utf8" ),
 	version = fs.readFileSync( "version.txt", "utf8" ),
diff --git a/jquery.js b/jquery.js
@@ -11,7 +11,7 @@
  * Copyright 2011, The Dojo Foundation
  * Released under the MIT, BSD, and GPL Licenses.
  *
- * Date: Wed Feb 12 09:58:38 2014 -0800
+ * Date: Mon Dec 11 15:34:47 2023 -0600
  */
 (function( window, undefined ) {
 
@@ -38,7 +38,8 @@ var jQuery = function( selector, context ) {
 
 	// A simple way to check for HTML strings or ID strings
 	// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
-	quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
+	// Strict HTML recognition (#11290: must start with <)
+	quickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/, // jslint ignore:line
 
 	// Check if a string has a non-whitespace character in it
 	rnotwhite = /\S/,
@@ -357,8 +358,9 @@ jQuery.extend = jQuery.fn.extend = function() {
 				src = target[ name ];
 				copy = options[ name ];
 
+				// Prevent Object.prototype pollution
 				// Prevent never-ending loop
-				if ( target === copy ) {
+				if ( name === "__proto__" || target === copy ) {
 					continue;
 				}
 
diff --git a/src/core.js b/src/core.js
@@ -337,8 +337,9 @@ jQuery.extend = jQuery.fn.extend = function() {
 				src = target[ name ];
 				copy = options[ name ];
 
+				// Prevent Object.prototype pollution
 				// Prevent never-ending loop
-				if ( target === copy ) {
+				if ( name === "__proto__" || target === copy ) {
 					continue;
 				}
 
diff --git a/test/unit/core.js b/test/unit/core.js
@@ -854,6 +854,13 @@ test("jQuery.extend(Object, Object)", function() {
 	same( options2, options2Copy, "Check if not modified: options2 must not be modified" );
 });
 
+QUnit.test( "jQuery.extend( true, ... ) Object.prototype pollution", function( assert ) {
+	assert.expect( 1 );
+
+	jQuery.extend( true, {}, JSON.parse( "{\"__proto__\": {\"devMode\": true}}" ) );
+	assert.ok( !( "devMode" in {} ), "Object.prototype not polluted" );
+} );
+
 test("jQuery.each(Object,Function)", function() {
 	expect(14);
 	jQuery.each( [0,1,2], function(i, n){

Original file line number	Diff line number	Diff line change
`@@ -337,8 +337,9 @@ jQuery.extend = jQuery.fn.extend = function() {`
`337`	`337`	`src = target[ name ];`
`338`	`338`	`copy = options[ name ];`
`339`	`339`
	`340`	`+ // Prevent Object.prototype pollution`
`340`	`341`	`// Prevent never-ending loop`
`341`		`- if ( target === copy ) {`
	`342`	`+ if ( name === "__proto__" \|\| target === copy ) {`
`342`	`343`	`continue;`
`343`	`344`	`}`
`344`	`345`