Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug/19702 bbq.js proto secure #4563

Merged
merged 8 commits into from
Oct 14, 2024
Merged

Bug/19702 bbq.js proto secure #4563

merged 8 commits into from
Oct 14, 2024

Conversation

kevin-foster-uk
Copy link
Contributor

@kevin-foster-uk kevin-foster-uk commented Sep 9, 2024
edited
Loading

This PR fixes a security issue reported to LimeSurvey (https://bugs.limesurvey.org/view.php?id=19702).

We have patched jquery-bbq.js to prevent injection of proto.

Q A
Is bugfix? ✔️
New feature?
Breaks BC?
Tests pass? ❌ (tests are failing but its not related to this PR)

Arhell
Arhell reviewed Sep 10, 2024
View reviewed changes
Copy link
Member

@Arhell Arhell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@marcovtwout

marcovtwout
marcovtwout requested changes Sep 16, 2024
View reviewed changes
Copy link
Member

@marcovtwout marcovtwout left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The LimeSurvey link is not available without logging in. Is there a public version?

The source change looks good but there are some points to address.

framework/web/js/source/jquery.ba-bbq.js Outdated Show resolved Hide resolved
framework/web/js/source/jquery.ba-bbq.js Show resolved Hide resolved
framework/web/js/source/jquery.ba-bbq.min.js Outdated Show resolved Hide resolved
@kevin-foster-uk
Copy link
Contributor Author

kevin-foster-uk commented Sep 18, 2024
edited
Loading

The LimeSurvey link is not available without logging in. Is there a public version?

The source change looks good but there are some points to address.

Login is required but it is open for anyone to create an account. You just need to provide a username and email address.

@marcovtwout
Copy link
Member

marcovtwout commented Sep 18, 2024
edited
Loading

I checked the upstream project where this issue was also found, but never fixed fully. For the sake of any other projects using jquery-bbq, I suggest to share your solution upstream also.

Links:

Other noteworthy info:

@marcovtwout
Copy link
Member

marcovtwout commented Oct 3, 2024
edited
Loading

@kevin-foster-uk could you look at the above? When this PR is done I can prepare a new yii release.

@kevin-foster-uk
Copy link
Contributor Author

@kevin-foster-uk could you look at the above? When this PR is done I can prepare a new yii release.

Sorry for the delay I have been on vacation. Will update asap.

@marcovtwout marcovtwout merged commit 907bba0 into yiisoft:master Oct 14, 2024
13 checks passed
@marcovtwout
Copy link
Member

Thanks! I'll update the CHANGELOG on master.

@marcovtwout marcovtwout mentioned this pull request Oct 28, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Arhell Arhell Arhell left review comments

@rob006 rob006 rob006 left review comments

@marcovtwout marcovtwout marcovtwout approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kevin-foster-uk @marcovtwout @rob006 @Arhell