Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport security fixes to 3.x branch #1532

Merged
merged 5 commits into from
Jun 29, 2019
Merged

Backport security fixes to 3.x branch #1532

merged 5 commits into from
Jun 29, 2019

Conversation

mattolson
Copy link

@mattolson mattolson commented Jun 29, 2019
edited
Loading

Backport the security fixes from 4.1.0 and 4.1.2 to the 3.x branch.

Other edits needed to get tests working on 3.x branch:

  • Fix Windows build by cherry picking 5b76f04 and b02e9a2 and 6e6269f
  • Fix git tag retrieval so it will work on non-master branch (this affected Travis release build)

mattolson and others added 4 commits June 28, 2019 23:12
@mattolson
Backport security fixes to 3.x branch
de6ded4
@nknapp @mattolson
Fix build on Windows
47adcda 
- Handle path-separators properly. Use "path.sep" instead of "/".
  Or use "require.resolve()" if possible
- Use "execFile" instead of "exec" to run the Handlebars executable.
  This prevents problems due to (missing) shell escaping.
- Use explicit call to "node" in order to run the executable on Windows.
- Add "appveyor"-CI in order to run regular tests on Windows.
@nknapp @mattolson
test: run appveyor tests in Node 10
420ac17
@mattolson
Use istanbul/lib/cli.js instead of node_modules/.bin/istanbul
7820b20 
Due to the way, "bin"-files are distributed into the node_modules/.bin
directory on Windows, the task "test:cov" did not work on Windows.
This commit uses the node-script directly.
@mattolson mattolson mentioned this pull request Jun 29, 2019
Merged
@mattolson
Copy link
Author

@nknapp Can you take a look?

@nknapp
Copy link
Collaborator

nknapp commented Jun 29, 2019
edited
Loading

Hello @mattolson, first of all, thanks for this PR. I think it looks good.
I'm not sure why the "--always" is now necessary. It never was a problem on the 4.x branch. But it seems to do no harm, so I'd just keep it for the moment.

I haven't backported the fix myself, because I haven't been able to reproduce the vulnerability with handlebary 3.x. This is mostly because "#with" helper does not exist in this version, but it is required for the exploits.

I just hope this change breaks nobodys build... But it is hardly possible to know without publishing it.

@nknapp nknapp merged commit 0d6d8c3 into handlebars-lang:3.x Jun 29, 2019
@mattolson
Copy link
Author

@nknapp Thanks for the merge. Can you put together a new release? Perhaps 3.1.0?

@nknapp
Copy link
Collaborator

nknapp commented Jun 29, 2019
edited
Loading

This would be 3.0.7. To me its a fix, not a new feature.
I can't do it today. It's almost 11pm CEST now. I'll try to do it tomorrow.

However, if people complain about the changes, I might rollback the changes. That didn't happen with 4.x though, so I don't expect it here as well.

@mattolson
Copy link
Author

Ok, sounds good. Thank you!

@nknapp
Copy link
Collaborator

nknapp commented Jun 30, 2019

Released in 3.0.7

@mattolson mattolson deleted the backport-security-fixes branch July 13, 2019 20:48
@jtnord jtnord mentioned this pull request May 10, 2021
Closed
@CMaheshBL CMaheshBL mentioned this pull request May 6, 2022
Open
@Svetlana-github Svetlana-github mentioned this pull request May 16, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zvuki zvuki zvuki approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mattolson @nknapp @zvuki