mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
libjs-jquery-cookie: patch CVE-2026-46625
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-46625 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
@@ -0,0 +1,63 @@
|
||||
From 808905ea1bb4582bcfd681ba1bb8a1c1d1113b40 Mon Sep 17 00:00:00 2001
|
||||
From: Klaus Hartl <klaus.hartl@gmail.com>
|
||||
Date: Fri, 15 May 2026 11:23:44 +0200
|
||||
Subject: [PATCH] Prevent cookie attribute injection
|
||||
|
||||
Given that we are using a `for ... in` loop for assembling a cookie's
|
||||
attributes required for writing/removing, we are vulnerable to prototype
|
||||
pollution, where an attacker might attempt to add/overwrite certain
|
||||
attributes and with that broadening access or wiping out a cookie
|
||||
altogether.
|
||||
|
||||
Such malicious attributes input could most likely come from an object
|
||||
parsed from a JSON string; for example looking like
|
||||
'{"__proto__":{"samesite":"None"}}'.
|
||||
|
||||
Note that at the moment we're tied to using this kind of for-loop for
|
||||
compatibility with IE 10 + 11.
|
||||
|
||||
(cherry picked from commit eb3c40e89731e99b8970faaf35ddad249c6c0020)
|
||||
|
||||
CVE: CVE-2026-46625
|
||||
Upstream-Status: Backport [https://github.com/js-cookie/js-cookie/commit/eb3c40e89731e99b8970faaf35ddad249c6c0020]
|
||||
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
||||
---
|
||||
src/assign.mjs | 1 +
|
||||
test/tests.js | 12 ++++++++++++
|
||||
2 files changed, 13 insertions(+)
|
||||
|
||||
diff --git a/src/assign.mjs b/src/assign.mjs
|
||||
index 2934ff3..a0e55f1 100644
|
||||
--- a/src/assign.mjs
|
||||
+++ b/src/assign.mjs
|
||||
@@ -3,6 +3,7 @@ export default function (target) {
|
||||
for (var i = 1; i < arguments.length; i++) {
|
||||
var source = arguments[i]
|
||||
for (var key in source) {
|
||||
+ if (key === '__proto__') continue
|
||||
target[key] = source[key]
|
||||
}
|
||||
}
|
||||
diff --git a/test/tests.js b/test/tests.js
|
||||
index da65d74..c3ab54e 100644
|
||||
--- a/test/tests.js
|
||||
+++ b/test/tests.js
|
||||
@@ -489,6 +489,18 @@ QUnit.test(
|
||||
}
|
||||
)
|
||||
|
||||
+QUnit.test(
|
||||
+ 'sanitization of attributes to prevent prototype pollution from untrusted input',
|
||||
+ function (assert) {
|
||||
+ var untrusted = JSON.parse('{"__proto__":{"foo":"bar"}}')
|
||||
+ assert.strictEqual(
|
||||
+ Cookies.set('c', 'v', untrusted),
|
||||
+ 'c=v; path=/',
|
||||
+ 'should prevent attribute-injection via prototype pollution'
|
||||
+ )
|
||||
+ }
|
||||
+)
|
||||
+
|
||||
QUnit.module('remove', lifecycle)
|
||||
|
||||
QUnit.test('deletion', function (assert) {
|
||||
@@ -3,7 +3,9 @@ HOMEPAGE = "https://github.com/js-cookie/js-cookie"
|
||||
LICENSE = "MIT"
|
||||
LIC_FILES_CHKSUM = "file://LICENSE;md5=e16cf0e247d84f8999bf55865a9c98cf"
|
||||
|
||||
SRC_URI = "git://github.com/js-cookie/js-cookie.git;protocol=https;branch=main"
|
||||
SRC_URI = "git://github.com/js-cookie/js-cookie.git;protocol=https;branch=main \
|
||||
file://CVE-2026-46625.patch \
|
||||
"
|
||||
|
||||
SRCREV = "ab3f67fc4fad88cdf07b258c08e4164e06bf7506"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user