From: James D. Forrester
Date: Thu, 25 Apr 2019 21:12:52 +0000 (-0500)
Subject: SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358
X-Git-Tag: 1.34.0-rc.0~1500^2
X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=commitdiff_plain;h=75e473005d666b1675404305aab154474216dce2

SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358

Patch taken from https://github.com/DanielRuf/snyk-js-jquery-174006?files=1 and left in-repo. Note that this will break the foreign resources check, which is not currently a unit test but was planned to become such soon.

Bug: T221739
Change-Id: I99c2be81c74a8f1d35c421f0ee43c75efb30a7d0
---
diff --git a/resources/lib/jquery/jquery-3.3.1.patch b/resources/lib/jquery/jquery-3.3.1.patch
new file mode 100644
index 0000000000..68a4326d17
--- /dev/null
+++ b/resources/lib/jquery/jquery-3.3.1.patch
@@ -0,0 +1,14 @@
+--- jquery-3.3.1.js 2019-04-01 08:39:29.000000000 +0200
++++ jquery-3.3.1.js 2019-04-01 09:02:39.000000000 +0200
+@@ -260,8 +260,9 @@ jQuery.extend = jQuery.fn.extend = function() {
+ for ( name in options ) {
+ src = target[ name ];
+ copy = options[ name ];
+
++ // Prevent Object.prototype pollution
+ // Prevent never-ending loop
+- if ( target === copy ) {
++ if ( name === "__proto__" || target === copy ) {
+ continue;
+ }
+
diff --git a/resources/lib/jquery/jquery.js b/resources/lib/jquery/jquery.js
index 9b5206bcc6..34a5703d80 100644
--- a/resources/lib/jquery/jquery.js
+++ b/resources/lib/jquery/jquery.js
@@ -261,8 +261,9 @@ jQuery.extend = jQuery.fn.extend = function() {
 src = target[ name ];
 copy = options[ name ];
 
+ // Prevent Object.prototype pollution
 // Prevent never-ending loop
- if ( target === copy ) {
+ if ( name === "__proto__" || target === copy ) {
 continue;
 }
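Review bot: In the new jquery-3.3.1.patch, the embedded hunk header `@@ -260,8 +260,9 @@` does not match the hunk body as rendered here (whitespace is collapsed, so this is read from line markers): with the ` for ( name in options ) {` context line included, the body has nine old-side and ten new-side lines, and the outer `+1,14` count confirms that line is present. Strict patch tools may reject the file as malformed, which matters once the foreign resources check the message mentions becomes a unit test; either drop the `for` context line, matching the jquery.js hunk that starts at line 261 with `src = target[ name ];`, or correct the counts to `@@ -260,9 +260,10 @@`. The jquery.js hunk itself matches the guard jQuery shipped upstream in 3.4.0, but the vendored file presumably still identifies itself as 3.3.1, so version-keyed dependency scanners will keep reporting CVE-2019-11358 until the local patch is recorded alongside the foreign resources entry. Consider pointing the added comment at the advisory, e.g. `// Prevent Object.prototype pollution (CVE-2019-11358, local patch)`, so the deviation is not silently lost on the next vendor update.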