Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport security fixes to 3.x branch #1532

Merged
merged 5 commits into from Jun 29, 2019
Merged

Backport security fixes to 3.x branch #1532

merged 5 commits into from Jun 29, 2019

Conversation

mattolson
Copy link

@mattolson mattolson commented Jun 29, 2019

Backport the security fixes from 4.1.0 and 4.1.2 to the 3.x branch.

Other edits needed to get tests working on 3.x branch:

  • Fix Windows build by cherry picking 5b76f04 and b02e9a2 and 6e6269f
  • Fix git tag retrieval so it will work on non-master branch (this affected Travis release build)

mattolson and others added 4 commits June 28, 2019 23:12
- Handle path-separators properly. Use "path.sep" instead of "/".
  Or use "require.resolve()" if possible
- Use "execFile" instead of "exec" to run the Handlebars executable.
  This prevents problems due to (missing) shell escaping.
- Use explicit call to "node" in order to run the executable on Windows.
- Add "appveyor"-CI in order to run regular tests on Windows.
Due to the way, "bin"-files are distributed into the node_modules/.bin
directory on Windows, the task "test:cov" did not work on Windows.
This commit uses the node-script directly.
@mattolson
Copy link
Author

@nknapp Can you take a look?

@nknapp
Copy link
Collaborator

nknapp commented Jun 29, 2019

Hello @mattolson, first of all, thanks for this PR. I think it looks good.
I'm not sure why the "--always" is now necessary. It never was a problem on the 4.x branch. But it seems to do no harm, so I'd just keep it for the moment.

I haven't backported the fix myself, because I haven't been able to reproduce the vulnerability with handlebary 3.x. This is mostly because "#with" helper does not exist in this version, but it is required for the exploits.

I just hope this change breaks nobodys build... But it is hardly possible to know without publishing it.

@nknapp nknapp merged commit 0d6d8c3 into handlebars-lang:3.x Jun 29, 2019
@mattolson
Copy link
Author

@nknapp Thanks for the merge. Can you put together a new release? Perhaps 3.1.0?

@nknapp
Copy link
Collaborator

nknapp commented Jun 29, 2019

This would be 3.0.7. To me its a fix, not a new feature.
I can't do it today. It's almost 11pm CEST now. I'll try to do it tomorrow.

However, if people complain about the changes, I might rollback the changes. That didn't happen with 4.x though, so I don't expect it here as well.

@mattolson
Copy link
Author

Ok, sounds good. Thank you!

@nknapp
Copy link
Collaborator

nknapp commented Jun 30, 2019

Released in 3.0.7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants