Skip to content

Further security issue #1563

New issue
New issue
Closed
Closed
Further security issue#1563
@nknapp

Description

@nknapp
nknapp
opened on Sep 26, 2019

Disallows calls to the helperMissing-helpers (#1558) didn't solve all the problem and another exploit was reported.

The exploit will be released well after the fix is in place to give people a chance to update.

Before filing issues, please check the following points first:

This will probably help you to get a solution faster.
For bugs, it would be great to have a PR with a failing test-case.

Activity

nknapp
added a commit that references this issue on Sep 26, 2019

Use Object.prototype.propertyIsEnumerable to check for constructors

213c0bb
dougwilson
mentioned this on Sep 27, 2019
XhmikosR

XhmikosR commented on Sep 27, 2019

@XhmikosR
XhmikosR
on Sep 27, 2019

Is this fixed by 4.3.3?

nknapp

nknapp commented on Sep 27, 2019

@nknapp
nknapp
on Sep 27, 2019
CollaboratorAuthor

All proofs-of-concept that I have received so far are not working anymore with 4.3.3

I am still trying to work out if there are any ways circumvent my fixes. I cannot say for certain that everything is fixed.

XhmikosR
mentioned this on Sep 27, 2019
nknapp

nknapp commented on Sep 29, 2019

@nknapp
nknapp
on Sep 29, 2019
CollaboratorAuthor

I have reported the fix of this issue to npm only yesterday. It may take them until next week to update the audit-database.

nknapp
closed this as completedon Sep 29, 2019
NicoleG25

NicoleG25 commented on Jan 9, 2020

@NicoleG25
NicoleG25
on Jan 9, 2020 · edited by NicoleG25

Ah @nknapp , just came across this.. would you be able to confirm if there was a fix for CVE-2019-19919 made and if so in what commit/version release?

Thanks in advance !

nknapp

nknapp commented on Jan 9, 2020

@nknapp
nknapp
on Jan 9, 2020
CollaboratorAuthor

The npm advisory that is references in the CVE was resolved in 4.3.0.

There were variations that were possible until 4.5.3.

4.6.0 now provides a more complete solution.

I think the npm-security advisories give a more complete picture than CVEs.

NicoleG25

NicoleG25 commented on Jan 9, 2020

@NicoleG25
NicoleG25
on Jan 9, 2020 · edited by NicoleG25

The npm advisory that is references in the CVE was resolved in 4.3.0.

There were variations that were possible until 4.5.3.

4.6.0 now provides a more complete solution.

I think the npm-security advisories give a more complete picture than CVEs.

Thanks for the quick response,
Was there another npm-security advisory issue opened for those variations that are now completely fixed in 4.6.0 or is the same issue referring to all of them?

Also, would you be able to kindly point out the commit fixing the issue in 4.6.0? :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @XhmikosR@nknapp@NicoleG25

        Issue actions
          Further security issue · Issue #1563 · handlebars-lang/handlebars.js