Skip to content

fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2)#5677

Merged
lukastaegert merged 1 commit intorollup:backports-rollup-2from
fabianszabo:backports-rollup-2
Sep 26, 2024
Merged

fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2)#5677
lukastaegert merged 1 commit intorollup:backports-rollup-2from
fabianszabo:backports-rollup-2

Conversation

@fabianszabo
Copy link

@fabianszabo fabianszabo commented Sep 24, 2024
edited
Loading

This PR contains:

  • bugfix
  • feature
  • refactor
  • documentation
  • other

Are tests included?

  • yes (bugfixes and features will not be merged without tests)
  • no

Breaking Changes?

  • yes (breaking changes will not be merged unless absolutely necessary)
  • no

List any relevant issue numbers:

Description

I am aware that the master branch is not where this PR should be merged into. But at the moment there is no backports-rollup-2. Could someone create the branch please? I'd reopen the PR then.

Should be exactly the same as this:

It would be great to backport this to version 2 for workbox:

@vercel
Copy link

vercel bot commented Sep 24, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
rollup ❌ Failed (Inspect) Sep 24, 2024 2:45pm

@fabianszabo fabianszabo changed the title fix: resolve DOM Clobbering CVE-2024-43788 fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2) Sep 24, 2024
@mhassan1
Copy link

mhassan1 commented Sep 25, 2024

@lukastaegert Is there a chance this patch for Rollup 2 will be released?

@lukastaegert
Copy link
Member

lukastaegert commented Sep 26, 2024

I will give it a shot

@lukastaegert lukastaegert changed the base branch from master to backports-rollup-2 September 26, 2024 18:12
@lukastaegert lukastaegert merged commit 48aef33 into rollup:backports-rollup-2 Sep 26, 2024
@lukastaegert
Copy link
Member

lukastaegert commented Sep 26, 2024

Ok, it is merged and released. I also updated the security advisory, but I am not sure if there is some process to update the fix versions in the CVE and in the Node database.

@Tofandel
Copy link

Tofandel commented Sep 27, 2024
edited
Loading

Wow, isn't it crazy that html allows setting anything on document via the name attribute of img and object?

I mean I can do <img name="body"> and now document.body becomes the img pretty crazy

They should really have been hidden behind something like document.getElementByName()

@fabiosantoscode
Copy link

fabiosantoscode commented Sep 27, 2024

Thank you very much for this backport! I intend to support unholy node.js environments, so I'm not ready to drop support for node 10 so soon.

@ankon
Copy link

ankon commented Oct 29, 2024

Thanks for merging this!

Could you also create a changelog entry and "release" in github for this, so that the dependabot updates triggered by this release come with a good explanation?

@lukastaegert
Copy link
Member

lukastaegert commented Nov 13, 2024

Done at last

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@chintan-ladani-coherent chintan-ladani-coherent chintan-ladani-coherent approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@fabianszabo @mhassan1 @lukastaegert @Tofandel @fabiosantoscode @ankon @chintan-ladani-coherent