PR-staging RTC

Pending

SniperSister - 5 May 2020

The recently released jQuery 3.5.x has fixed two XSS issues. As we can't upgrade to a newer jQuery version in 3.x for BC reasons, the security team suggests manually patching our jQuery.

As this change might have unexpected b/c implications and the vulnerability already is public and well documented, I'm opening this ticket on the public tracker.

Summary of Changes

Backported jQuery 3.5 security fixes.

Testing Instructions

Apply patch, browse various parts of the site and make sure that no JS errors show up in the browser console.

SniperSister - open - 5 May 2020
SniperSister - change - 5 May 2020
Status: New → Pending
joomla-cms-bot - change - 5 May 2020
Category: JavaScript
SniperSister - change - 5 May 2020
Title: "Backport jQuery 3.5 security fixes" → "[3.x] Backport jQuery 3.5 security fixes"
SniperSister - edited - 5 May 2020
SniperSister - comment - 6 May 2020

There's a potential breaking change in the handling of self-closing tags, see:
https://jquery.com/upgrade-guide/3.5/

wilsonge - comment - 8 May 2020

I assume backporting the associated jQuery Migrate fix is beyond us? Because if so, we need to really scream about this in the release notes and ideally on social media to extension devs too.

SniperSister - comment - 9 May 2020

If I understand the jQuery notes correctly, the backport of the compatibility layer re-introduces the issue.

zero-24 - comment - 11 May 2020

I have just navigated the backend with latest Chrome, Edge and IE11 and also the emulated IE9. Is there anything special we should test here? Do we even use that function patched in core?

SniperSister - comment - 11 May 2020

Do we even use that function patched in core?

That function is used everywhere because it's part of the DOM manipulation library.

SniperSister - change - 22 May 2020
Labels Added: PR-staging
SniperSister - comment - 22 May 2020

@wilsonge I have updated the PR with the "pre-fix-behavior" backport that Drupal published
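The self-closing-tag breaking change raised earlier in this thread, and the "pre-fix-behavior" compatibility layer mentioned here, both come down to what jQuery does to markup before it reaches the parser. The following is an added example, not code from this PR or from jQuery itself: it reproduces the pre-3.5 expansion regex as found in the jQuery source (an assumption on my part that it is copied correctly), shows the post-fix pass-through, and gives an audit helper an extension developer could run over their templates to find markup that relied on the old expansion. A compatibility layer that overrides jQuery.htmlPrefilter with the legacy function is what restores the old behaviour, and with it the old risk.

```javascript
// Added example (not part of the Joomla PR or of jQuery): the markup
// pre-filter behaviour before and after the jQuery 3.5 security fix.
// RX_HTML_TAG reproduces jQuery's pre-3.5 rxhtmlTag regex (assumed copied
// correctly from the jQuery 3.4 source). The lookahead excludes void
// elements; everything else written as "<tag .../>" was rewritten.
const RX_HTML_TAG =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Pre-3.5 behaviour: "<div/>" becomes "<div></div>" before parsing.
// This textual rewrite is what let crafted strings change meaning (CVE-2020-11022).
function legacyHtmlPrefilter(html) {
  return html.replace(RX_HTML_TAG, "<$1></$2>");
}

// 3.5+ behaviour: the string is handed to the HTML parser untouched, so the
// browser's own rules decide how a self-closing non-void tag is treated.
function fixedHtmlPrefilter(html) {
  return html;
}

// Audit helper: return the names of self-closing non-void tags in a fragment.
// These are the places where legacy jQuery used to insert a closing tag and
// where rendering may therefore differ after the fix is applied.
function affectedTags(html) {
  const found = [];
  const re = new RegExp(RX_HTML_TAG.source, "gi"); // fresh lastIndex per call
  let match;
  while ((match = re.exec(html)) !== null) {
    found.push(match[2].toLowerCase()); // group 2 is the bare tag name
  }
  return found;
}

// Constructed sample markup: two non-void self-closing tags and one void <br/>.
const SAMPLE = '<div class="x"/><br/><span/>text';

// Returns both pre-filter results side by side for the sample fragment.
function compare(html = SAMPLE) {
  return {
    legacy: legacyHtmlPrefilter(html),
    fixed: fixedHtmlPrefilter(html),
    affected: affectedTags(html),
  };
}

console.log(compare());
```

Running it prints the legacy output with `<div>` and `<span>` explicitly closed while `<br/>` is left alone, the fixed output identical to the input, and `["div", "span"]` as the tags a template author would need to review.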

zero-24 - test_item - 23 May 2020 - Tested successfully
zero-24 - comment - 23 May 2020

I have tested this item successfully on 4be8cd7

As mentioned in the Testing Instructions, I have applied the patch, navigated the backend and have not noticed any error message from the browser console. Thanks @SniperSister


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28948.

pmleconte - test_item - 24 May 2020 - Tested successfully
pmleconte - comment - 24 May 2020

I have tested this item successfully on 4be8cd7

Just tested it using Chrome.

I did not see any difference front-end/back-end in browser console.


Quy - change - 24 May 2020
Status: Pending → Ready to Commit
Quy - comment - 24 May 2020

RTC


HLeithner - comment - 25 May 2020

Awesome job thanks

HLeithner - change - 25 May 2020
Status: Ready to Commit → Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 → 2020-05-25 08:09:56
Closed_By: HLeithner
Labels Added: RTC
HLeithner - close - 25 May 2020
HLeithner - merge - 25 May 2020
Webmaster-2020 - comment - 4 Jun 2020

Is it normal to still have an old version of jQuery after the 3.9.19 update?

Thanks

pmleconte - comment - 4 Jun 2020

Hello,

In English please. Messages should be written in English.
Is it normal to still have an old version of jQuery after the 3.9.19 update?

The answer is Yes. If you take a look at the header of media/jui/js/jquery.js file, you'll find a comment talking about CVE-2020-11022 which is "the patch".

jQuery version is now v1.12.4-joomla.

Webmaster-2020 - comment - 5 Jun 2020

@pmleconte
thank you very much for your answer.
