From: James D. Forrester
Date: Thu, 25 Apr 2019 21:12:52 +0000 (-0500)
Subject: SECURITY: resources: Patch jQuery 3.2.1 for CVE-2019-11358
X-Git-Tag: 1.31.2~2
X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=commitdiff_plain;h=a3fc6fc46934c546e109ec1db52f61df1bf935b7;hp=2aeede8f4c56209e0ea786d23d4c809a9d8f34d6
SECURITY: resources: Patch jQuery 3.2.1 for CVE-2019-11358
Patch taken from https://github.com/DanielRuf/snyk-js-jquery-174006?files=1.
Bug: T221739
Change-Id: I99c2be81c74a8f1d35c421f0ee43c75efb30a7d0
---
diff --git a/resources/lib/jquery/jquery.js b/resources/lib/jquery/jquery.js
index d2d8ca4790..2cf479de85 100644
--- a/resources/lib/jquery/jquery.js
+++ b/resources/lib/jquery/jquery.js
@@ -229,8 +229,9 @@ jQuery.extend = jQuery.fn.extend = function() {
 src = target[ name ];
 copy = options[ name ];
+ // Prevent Object.prototype pollution
 // Prevent never-ending loop
- if ( target === copy ) {
+ if ( name === "__proto__" || target === copy ) {
 continue;
 }
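Review bot: The two stacked comments above the new guard (`// Prevent Object.prototype pollution` then `// Prevent never-ending loop`) do not say which half of the condition serves which purpose, and nothing in the file marks this as a local backport onto 3.2.1. I would replace them with `// Skip "__proto__" keys so a merged object cannot reach Object.prototype (CVE-2019-11358, local backport)` followed by `// Also skip self-references to prevent a never-ending loop`. Since the commit subject still names the library as jQuery 3.2.1, that marker helps keep the guard from being lost on the next library update, and it explains the divergence to anyone triaging a version-based scanner finding. The body of `jQuery.extend` starts and ends outside the hunk, so the rest of the merge loop is not reviewed here.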