Merge pull request #3763 from hashicorp/handlebars-patch

Patches the vendored Handlebars JS so that `=` is HTML-escaped (as `&#x3D;`) in `escapeExpression` output, preventing XSS via unquoted attribute values.
James Phillips 2017-12-20 19:54:49 -08:00 committed by GitHub
commit 880ae39d54
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 38 additions and 34 deletions


@ -1,5 +1,9 @@
## 1.0.3 (UNRELEASED)
SECURITY:
ui: Patched handlebars JS to escape `=` to prevent potential XSS issues. [[GH-3733](https://github.com/hashicorp/consul/issues/3733)]
BREAKING CHANGES:
agent: Updated Consul's HTTP server to ban all URLs containing non-printable characters (a bad request status will be returned for these cases). This affects some user-facing areas like key/value entry key names which are carried in URLs. [[GH-3762](https://github.com/hashicorp/consul/issues/3762)]
@ -70,7 +74,7 @@ BUG FIXES:
SECURITY:
* Fixed an XSS issue with Consul's built-in web UI where node names were not being properly escaped. [[GH-3578](https://github.com/hashicorp/consul/issues/3578)]
* ui: Fixed an XSS issue with Consul's built-in web UI where node names were not being properly escaped. [[GH-3578](https://github.com/hashicorp/consul/issues/3578)]
BREAKING CHANGES:



@ -1,4 +1,4 @@
var Handlebars=function(){var y=function(){function l(h){this.string=h}l.prototype.toString=function(){return""+this.string};return l}(),v=function(l){function h(a){return b[a]||"&amp;"}var g={},b={"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#x27;","`":"&#x60;"},a=/[&<>"'`]/g,c=/[&<>"'`]/;g.extend=function(a,b){for(var k in b)Object.prototype.hasOwnProperty.call(b,k)&&(a[k]=b[k])};var d=Object.prototype.toString;g.toString=d;var e=function(a){return"function"===typeof a};e(/x/)&&(e=function(a){return"function"===
var Handlebars=function(){var y=function(){function l(h){this.string=h}l.prototype.toString=function(){return""+this.string};return l}(),v=function(l){function h(a){return b[a]||"&amp;"}var g={},b={"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#x27;","`":"&#x60;",'=':'&#x3D;'},a=/[&<>"'`=]/g,c=/[&<>"'`=]/;g.extend=function(a,b){for(var k in b)Object.prototype.hasOwnProperty.call(b,k)&&(a[k]=b[k])};var d=Object.prototype.toString;g.toString=d;var e=function(a){return"function"===typeof a};e(/x/)&&(e=function(a){return"function"===
typeof a&&"[object Function]"===d.call(a)});g.isFunction=e;var x=Array.isArray||function(a){return a&&"object"===typeof a?"[object Array]"===d.call(a):!1};g.isArray=x;g.escapeExpression=function(b){if(b instanceof l)return b.toString();if(!b&&0!==b)return"";b=""+b;return!c.test(b)?b:b.replace(a,h)};g.isEmpty=function(a){return!a&&0!==a?!0:x(a)&&0===a.length?!0:!1};return g}(y),p=function(){function l(g,b){var a;b&&b.firstLine&&(a=b.firstLine,g+=" - "+a+":"+b.firstColumn);for(var c=Error.prototype.constructor.call(this,
g),d=0;d<h.length;d++)this[h[d]]=c[h[d]];a&&(this.lineNumber=a,this.column=b.firstColumn)}var h="description fileName lineNumber message name number stack".split(" ");l.prototype=Error();return l}(),z=function(l,h){function g(a,k){this.helpers=a||{};this.partials=k||{};b(this)}function b(a){a.registerHelper("helperMissing",function(a){if(2!==arguments.length)throw new e("Missing helper: '"+a+"'");});a.registerHelper("blockHelperMissing",function(b,k){var c=k.inverse||function(){},n=k.fn;f(b)&&(b=
b.call(this));return!0===b?n(this):!1===b||null==b?c(this):x(b)?0<b.length?a.helpers.each(b,k):c(this):n(b)});a.registerHelper("each",function(a,b){var k=b.fn,c=b.inverse,e=0,t="",d;f(a)&&(a=a.call(this));b.data&&(d=n(b.data));if(a&&"object"===typeof a)if(x(a))for(var g=a.length;e<g;e++)d&&(d.index=e,d.first=0===e,d.last=e===a.length-1),t+=k(a[e],{data:d});else for(g in a)a.hasOwnProperty(g)&&(d&&(d.key=g,d.index=e,d.first=0===e),t+=k(a[g],{data:d}),e++);0===e&&(t=c(this));return t});a.registerHelper("if",
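Review bot: The `=` escape is applied by hand-editing a minified vendored copy of Handlebars, and nothing in the file records that this copy diverges from upstream, so the next re-vendoring of handlebars.js would silently drop the `'=':'&#x3D;'` entry and the `=` added to both regexes on the new first line. A one-line banner at the top of the file would at least make the divergence visible, e.g. `/* LOCAL PATCH (GH-3733): '=' added to the escape map and to the /[&<>"'`=]/ regexes; re-apply or upgrade to an upstream release that escapes '=' when updating this file. */`, and upgrading to such a release would be the durable fix. Note also that `escapeExpression` still returns `SafeString` instances unescaped (`if(b instanceof l)return b.toString()`), so this patch only protects `{{ }}` output of plain strings; any UI template that wraps node or service names in a SafeString or triple-stash is unaffected and should be checked separately. The change itself looks consistent: the map, the global replace regex `a` and the test regex `c` all gain `=` together, so `c.test(b)` cannot skip a string that `replace(a,h)` would need to rewrite.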