SECURITY: Bump Handlebars to version 4.1.2

WS-2019-0064: Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.
Penar Musaraj 2019-06-05 13:54:52 -04:00
parent d902c4eb9f
commit f0e73cb126
4 changed files with 23 additions and 11 deletions


@ -12,7 +12,7 @@
"bootstrap": "v3.4.1",
"chart.js": "2.7.3",
"favcount": "https://github.com/chrishunt/favcount",
"handlebars": "^4.1.1",
"handlebars": "^4.1.2",
"highlight.js": "https://github.com/highlightjs/highlight.js",
"htmlparser": "https://github.com/tautologistics/node-htmlparser",
"intersection-observer": "^0.5.1",


@ -1,7 +1,7 @@
/**!
@license
handlebars v4.1.1
handlebars v4.1.2
Copyright (C) 2011-2017 by Yehuda Katz
@ -275,7 +275,7 @@ return /******/ (function(modules) { // webpackBootstrap
var _logger2 = _interopRequireDefault(_logger);
var VERSION = '4.1.1';
var VERSION = '4.1.2';
exports.VERSION = VERSION;
var COMPILER_REVISION = 7;
@ -868,7 +868,13 @@ return /******/ (function(modules) { // webpackBootstrap
exports['default'] = function (instance) {
instance.registerHelper('lookup', function (obj, field) {
return obj && obj[field];
if (!obj) {
return obj;
}
if (field === 'constructor' && !obj.propertyIsEnumerable(field)) {
return undefined;
}
return obj[field];
});
};


@ -1,7 +1,7 @@
/**!
@license
handlebars v4.1.1
handlebars v4.1.2
Copyright (C) 2011-2017 by Yehuda Katz
@ -207,7 +207,7 @@ return /******/ (function(modules) { // webpackBootstrap
var _logger2 = _interopRequireDefault(_logger);
var VERSION = '4.1.1';
var VERSION = '4.1.2';
exports.VERSION = VERSION;
var COMPILER_REVISION = 7;
@ -800,7 +800,13 @@ return /******/ (function(modules) { // webpackBootstrap
exports['default'] = function (instance) {
instance.registerHelper('lookup', function (obj, field) {
return obj && obj[field];
if (!obj) {
return obj;
}
if (field === 'constructor' && !obj.propertyIsEnumerable(field)) {
return undefined;
}
return obj[field];
});
};


@ -1051,10 +1051,10 @@ graceful-fs@^4.1.2:
resolved "https://registry.yarnpkg.com/graceful-fs/-/graceful-fs-4.1.15.tgz#ffb703e1066e8a0eeaa4c8b80ba9253eeefbfb00"
integrity sha512-6uHUhOPEBgQ24HM+r6b/QwWfZq+yiFcipKFrOFiBEnWdy5sdzYoi+pJeQaPI5qOLRFqWmAXUPQNsielzdLoecA==
handlebars@^4.1.1:
version "4.1.1"
resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.1.1.tgz#6e4e41c18ebe7719ae4d38e5aca3d32fa3dd23d3"
integrity sha512-3Zhi6C0euYZL5sM0Zcy7lInLXKQ+YLcF/olbN010mzGQ4XVm50JeyBnMqofHh696GrciGruC7kCcApPDJvVgwA==
handlebars@^4.1.2:
version "4.1.2"
resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.1.2.tgz#b6b37c1ced0306b221e094fc7aca3ec23b131b67"
integrity sha512-nvfrjqvt9xQ8Z/w0ijewdD/vvWDTOweBUm96NTr66Wfvo1mJenBLwcYmPs3TIBP5ruzYGD7Hx/DaM9RmhroGPw==
dependencies:
neo-async "^2.6.0"
optimist "^0.6.1"