
fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2) #5677

Merged

Conversation

@fabianszabo fabianszabo commented Sep 24, 2024

This PR contains:

  • bugfix
  • feature
  • refactor
  • documentation
  • other

Are tests included?

  • yes (bugfixes and features will not be merged without tests)
  • no

Breaking Changes?

  • yes (breaking changes will not be merged unless absolutely necessary)
  • no

List any relevant issue numbers:

Description

I am aware that the master branch is not where this PR should be merged into. But at the moment there is no backports-rollup-2. Could someone create the branch please? I'd reopen the PR then.

Should be exactly the same as this:

It would be great to backport this to version 2 for workbox:


vercel bot commented Sep 24, 2024

The latest updates on your projects. Learn more about Vercel for Git

Name: rollup
Status: ❌ Failed (Inspect)
Updated (UTC): Sep 24, 2024 2:45pm

@fabianszabo fabianszabo changed the title fix: resolve DOM Clobbering CVE-2024-43788 fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2) Sep 24, 2024
@mhassan1

@lukastaegert Is there a chance this patch for Rollup 2 will be released?

@lukastaegert
Member

I will give it a shot

@lukastaegert lukastaegert changed the base branch from master to backports-rollup-2 September 26, 2024 18:12
@lukastaegert lukastaegert merged commit 48aef33 into rollup:backports-rollup-2 Sep 26, 2024
4 of 5 checks passed
@lukastaegert
Member

Ok, it is merged and released. I also updated the security advisory, but I am not sure if there is some process to update the fix versions in the CVE and in the Node database.

@Tofandel

Tofandel commented Sep 27, 2024

Wow, isn't it crazy that HTML allows setting anything on document via the name attribute of img and object?

I mean I can do <img name="body"> and now document.body becomes the img. Pretty crazy.

They should really have been hidden behind something like document.getElementByName().
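As an added illustration of the shadowing described in the comment above (this is not code from the rollup PR or from rollup itself): Node has no DOM, so a constructed stand-in for `document` reproduces how a named `<img>` takes over a built-in document property, alongside a defensive accessor that only returns the element if it has the tag the caller expects.

```javascript
// Added example, not code from the rollup PR: a constructed stand-in for
// the DOM showing how <img name="body"> shadows document.body, plus an
// accessor that refuses a property whose element is not the expected tag.

// Constructed minimal element: only what the check needs.
class FakeElement {
  constructor(tagName, attrs = {}) {
    this.tagName = tagName.toUpperCase();
    this.attrs = attrs;
  }
  getAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.attrs, name) ? this.attrs[name] : null;
  }
}

// Constructed stand-in for `document`. Browsers expose named <img>, <form>,
// <object>, <embed> and <iframe> elements as document properties, and on
// Document those named properties win over the built-in ones, which is the
// clobbering the comment above describes.
function buildDocument(markup) {
  const doc = { body: new FakeElement('body') };
  for (const el of markup) {
    const name = el.getAttribute('name');
    if (name !== null && ['IMG', 'FORM', 'OBJECT', 'EMBED', 'IFRAME'].includes(el.tagName)) {
      doc[name] = el; // named access shadows the built-in property
    }
  }
  return doc;
}

// Defensive accessor: return doc[prop] only if the element behind it carries
// the tag the caller expects; anything else is reported as clobbered (null).
function trustedElement(doc, prop, expectedTag) {
  const el = doc[prop];
  if (!el || typeof el.tagName !== 'string') return null;
  return el.tagName === expectedTag.toUpperCase() ? el : null;
}

// A clean page next to one carrying an injected <img name="body">.
const cleanDoc = buildDocument([]);
const clobberedDoc = buildDocument([new FakeElement('img', { name: 'body' })]);

function summary() {
  return {
    cleanBodyTag: trustedElement(cleanDoc, 'body', 'body').tagName, // 'BODY'
    clobberedRawTag: clobberedDoc.body.tagName,                     // 'IMG'
    clobberedTrusted: trustedElement(clobberedDoc, 'body', 'body'), // null
  };
}
```

The same tag check applies to any document property a script reads by name; reading the property without it is what lets an injected element stand in for the real one.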

@fabiosantoscode

Thank you very much for this backport! I intend to support unholy node.js environments, so I'm not ready to drop support for node 10 so soon.

@ankon

ankon commented Oct 29, 2024

Thanks for merging this!

Could you also create a changelog entry and "release" in github for this, so that the dependabot updates triggered by this release come with a good explanation?

@lukastaegert
Member

Done at last

7 participants