Skip to content

Backport security fixes to 3.x branch #1532

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Merged
merged 5 commits into from
Jun 29, 2019
Merged

Backport security fixes to 3.x branch #1532

merged 5 commits into from
Jun 29, 2019

Conversation

mattolson
Copy link

@mattolson mattolson commented Jun 29, 2019
edited
Loading

Backport the security fixes from 4.1.0 and 4.1.2 to the 3.x branch.

Other edits needed to get tests working on 3.x branch:

  • Fix Windows build by cherry picking 5b76f04 and b02e9a2 and 6e6269f
  • Fix git tag retrieval so it will work on non-master branch (this affected Travis release build)

mattolson and others added 4 commits June 28, 2019 23:12
@mattolson
Backport security fixes to 3.x branch
de6ded4
@nknapp @mattolson
Fix build on Windows
47adcda 
- Handle path-separators properly. Use "path.sep" instead of "/".
  Or use "require.resolve()" if possible
- Use "execFile" instead of "exec" to run the Handlebars executable.
  This prevents problems due to (missing) shell escaping.
- Use explicit call to "node" in order to run the executable on Windows.
- Add "appveyor"-CI in order to run regular tests on Windows.
@nknapp @mattolson
test: run appveyor tests in Node 10
420ac17
@mattolson
Use istanbul/lib/cli.js instead of node_modules/.bin/istanbul
7820b20 
Due to the way, "bin"-files are distributed into the node_modules/.bin
directory on Windows, the task "test:cov" did not work on Windows.
This commit uses the node-script directly.
@mattolson mattolson mentioned this pull request Jun 29, 2019
Merged
@mattolson
Copy link
Author

@nknapp Can you take a look?

@nknapp
Copy link
Collaborator

nknapp commented Jun 29, 2019
edited
Loading

Hello @mattolson, first of all, thanks for this PR. I think it looks good.
I'm not sure why the "--always" is now necessary. It never was a problem on the 4.x branch. But it seems to do no harm, so I'd just keep it for the moment.

I haven't backported the fix myself, because I haven't been able to reproduce the vulnerability with handlebary 3.x. This is mostly because "#with" helper does not exist in this version, but it is required for the exploits.

I just hope this change breaks nobodys build... But it is hardly possible to know without publishing it.

@nknapp nknapp merged commit 0d6d8c3 into handlebars-lang:3.x Jun 29, 2019
@mattolson
Copy link
Author

@nknapp Thanks for the merge. Can you put together a new release? Perhaps 3.1.0?

@nknapp
Copy link
Collaborator

nknapp commented Jun 29, 2019
edited
Loading

This would be 3.0.7. To me its a fix, not a new feature.
I can't do it today. It's almost 11pm CEST now. I'll try to do it tomorrow.

However, if people complain about the changes, I might rollback the changes. That didn't happen with 4.x though, so I don't expect it here as well.

@mattolson
Copy link
Author

Ok, sounds good. Thank you!

@nknapp
Copy link
Collaborator

nknapp commented Jun 30, 2019

Released in 3.0.7

@mattolson mattolson deleted the backport-security-fixes branch July 13, 2019 20:48
@jtnord jtnord mentioned this pull request May 10, 2021
Closed
@CMaheshBL CMaheshBL mentioned this pull request May 6, 2022
Open
@cx-svetlana-shur cx-svetlana-shur mentioned this pull request May 16, 2022
Open
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@zvuki zvuki zvuki approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mattolson @nknapp @zvuki