Skip to content

Bug/19702 bbq.js proto secure#4563

Merged
marcovtwout merged 8 commits intoyiisoft:masterfrom
LimeSurvey:bug/19702_bbqjs-proto-secure
Oct 14, 2024
Merged

Bug/19702 bbq.js proto secure#4563
marcovtwout merged 8 commits intoyiisoft:masterfrom
LimeSurvey:bug/19702_bbqjs-proto-secure

Conversation

@kevin-foster-uk
Copy link
Contributor

@kevin-foster-uk kevin-foster-uk commented Sep 9, 2024
edited
Loading

This PR fixes a security issue reported to LimeSurvey (https://bugs.limesurvey.org/view.php?id=19702).

We have patched jquery-bbq.js to prevent injection of proto.

Q A
Is bugfix? ✔️
New feature?
Breaks BC?
Tests pass? ❌ (tests are failing but its not related to this PR)

Arhell
Arhell reviewed Sep 10, 2024
View reviewed changes
Copy link
Member

@Arhell Arhell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@marcovtwout

marcovtwout
marcovtwout requested changes Sep 16, 2024
View reviewed changes
Copy link
Member

@marcovtwout marcovtwout left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The LimeSurvey link is not available without logging in. Is there a public version?

The source change looks good but there are some points to address.

@kevin-foster-uk
Copy link
Contributor Author

kevin-foster-uk commented Sep 18, 2024
edited
Loading

The LimeSurvey link is not available without logging in. Is there a public version?

The source change looks good but there are some points to address.

Login is required but it is open for anyone to create an account. You just need to provide a username and email address.

@marcovtwout
Copy link
Member

marcovtwout commented Sep 18, 2024
edited
Loading

I checked the upstream project where this issue was also found, but never fixed fully. For the sake of any other projects using jquery-bbq, I suggest to share your solution upstream also.

Links:

Other noteworthy info:

marcovtwout
marcovtwout requested changes Sep 18, 2024
View reviewed changes
marcovtwout
marcovtwout reviewed Sep 18, 2024
View reviewed changes
@marcovtwout
Copy link
Member

marcovtwout commented Oct 3, 2024
edited
Loading

@kevin-foster-uk could you look at the above? When this PR is done I can prepare a new yii release.

@kevin-foster-uk
Copy link
Contributor Author

kevin-foster-uk commented Oct 4, 2024

@kevin-foster-uk could you look at the above? When this PR is done I can prepare a new yii release.

Sorry for the delay I have been on vacation. Will update asap.

@marcovtwout marcovtwout merged commit 907bba0 into yiisoft:master Oct 14, 2024
@marcovtwout
Copy link
Member

marcovtwout commented Oct 14, 2024

Thanks! I'll update the CHANGELOG on master.

@marcovtwout marcovtwout mentioned this pull request Oct 28, 2024
Closed
@kevin-foster-uk kevin-foster-uk deleted the bug/19702_bbqjs-proto-secure branch November 11, 2024 10:29
@marcovtwout marcovtwout mentioned this pull request Dec 9, 2024
Closed
@herbdool herbdool mentioned this pull request Aug 22, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marcovtwout marcovtwout marcovtwout approved these changes

+2 more reviewers

@rob006 rob006 rob006 left review comments

@Arhell Arhell Arhell left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kevin-foster-uk @marcovtwout @rob006 @Arhell