✨ jQuery v1.4.5-sec

ctcpip · Feb 16, 2024 · 8a777c0 · 8a777c0
1 parent 507478b
commit 8a777c0
Show file tree

Hide file tree

Showing 4 changed files with 200 additions and 158 deletions.
diff --git a/README.md b/README.md
@@ -32,20 +32,20 @@ In some cases, it may be unavoidable that a security fix involves a breaking cha
 
 In a perfect world, at least every MAJOR EOL jQuery release line would have a security-patched release. "Major" refers to the meaning of the term in [SemVer](https://semver.org/), thus releases that have breaking changes. The goal is to provide a patched version of jQuery for all major release lines to provide a path of least resistance for all downstream users to upgrade to a secure version jQuery with [no (or minimal) breaking changes](#but-what-about-breaking-changes).
 
-| jQuery version | jQuery-sec version | Branch      | PR             | Release | CVEs Patched                                                                                                                         |
-| -------------- | ------------------ | ----------- | -------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------ |
-| `1.2.6`        | `1.2.7-sec`        | [1.2.7-sec] | [PR][1.2.7-pr] |         | [CVE-2011-4969] \| [CVE-2012-6708] \| <del>CVE-2015-9251</del>* \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
-| `1.3.2`        | `1.3.3-sec`        | [1.3.3-sec] | [PR][1.3.3-pr] |         | [CVE-2011-4969] \| [CVE-2012-6708] \| <del>CVE-2015-9251</del>* \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
-| `1.4.4`        | `1.4.5-sec`        |             |                |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
-| `1.5.2`        | `1.5.3-sec`        |             |                |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
-| `1.6.4`        | `1.6.5-sec`        | [1.6.5-sec] | [PR][1.6.5-pr] |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                    |
-| `1.7.2`        | `1.7.3-sec`        |             |                |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                    |
-| `1.8.3`        | `1.8.4-sec`        |             |                |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                    |
-| `1.12.4`       | `1.12.5-sec`       |             |                |         | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023]                                                          |
-| `2.2.4`        | `2.2.5-sec`        |             |                |         | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023] \| [CVE-2020-23064]                                      |
+| jQuery version | jQuery-sec version | Branch      | PR             | Release | CVEs Patched                                                                                                                                    |
+| -------------- | ------------------ | ----------- | -------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
+| `1.2.6`        | `1.2.7-sec`        | [1.2.7-sec] | [PR][1.2.7-pr] |         | [CVE-2011-4969] \| [CVE-2012-6708] \| <del>CVE-2015-9251</del>\* \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
+| `1.3.2`        | `1.3.3-sec`        | [1.3.3-sec] | [PR][1.3.3-pr] |         | [CVE-2011-4969] \| [CVE-2012-6708] \| <del>CVE-2015-9251</del>\* \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
+| `1.4.4`        | `1.4.5-sec`        | [1.4.5-sec] | [PR][1.4.5-pr] |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]            |
+| `1.5.2`        | `1.5.3-sec`        |             |                |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]            |
+| `1.6.4`        | `1.6.5-sec`        | [1.6.5-sec] | [PR][1.6.5-pr] |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
+| `1.7.2`        | `1.7.3-sec`        |             |                |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
+| `1.8.3`        | `1.8.4-sec`        |             |                |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
+| `1.12.4`       | `1.12.5-sec`       |             |                |         | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023]                                                                     |
+| `2.2.4`        | `2.2.5-sec`        |             |                |         | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023] \| [CVE-2020-23064]                                                 |
 
 > [!IMPORTANT]
-> *CVE-2015-9251 is not reproducible in `1.2.6` and `1.3.2`
+> \*CVE-2015-9251 is not reproducible in `1.2.6` and `1.3.2`
 
 > [!NOTE]
 > The 3.x release line is currently supported by jQuery, so we have no need to provide patched versions of 3.x at this time. jQuery 3.5 introduced a breaking change, but it was necessary to fix CVE-2020-11022 and CVE-2020-11023. However, since these vulnerabilities are present in virtually all versions of jQuery, there would be no value in providing a patched version of 3.4 as it would need to include that breaking change anyway.
@@ -60,13 +60,12 @@ Ultimately, our hope is that these patched versions can be approved and accepted
 
 [1.2.7-sec]: https://github.com/ctcpip/jquery-security-patches/tree/1.2.7-sec
 [1.2.7-pr]: https://github.com/ctcpip/jquery-security-patches/pull/2
-
 [1.3.3-sec]: https://github.com/ctcpip/jquery-security-patches/tree/1.3.3-sec
 [1.3.3-pr]: https://github.com/ctcpip/jquery-security-patches/pull/3
-
+[1.4.5-sec]: https://github.com/ctcpip/jquery-security-patches/tree/1.4.5-sec
+[1.4.5-pr]: https://github.com/ctcpip/jquery-security-patches/pull/4
 [1.6.5-sec]: https://github.com/ctcpip/jquery-security-patches/tree/1.6.5-sec
 [1.6.5-pr]: https://github.com/ctcpip/jquery-security-patches/pull/1
-
 [CVE-2011-4969]: https://github.com/advisories/GHSA-579v-mp3v-rrw5
 [CVE-2012-6708]: https://github.com/advisories/GHSA-2pqj-h3vj-pqgw
 [CVE-2015-9251]: https://github.com/advisories/GHSA-rmxg-73gg-4p98

diff --git a/security/README.md b/security/README.md
@@ -1,3 +1,5 @@
+<!-- markdownlint-disable MD024 -->
+
 # Testing (and building) jQuery
 
 > [!IMPORTANT]
@@ -21,6 +23,36 @@
 - Run `make test` from the root folder of the repo
 - Open `/tests/index.html` in your browser -->
 
+##### 1.4.4 / 1.4.5-sec
+
+###### Prerequisites
+
+- Install php 5.6
+  - For Macs, We recommend using [homebrew-php](https://github.com/shivammathur/homebrew-php)
+
+###### Running the tests
+
+- Checkout the `1.4.4` or `1.4.5-sec` branch
+- From the root folder of the repo:
+  - `git clone [email protected]:qunitjs/qunit.git --depth=1 test/qunit`
+  - `cd test/qunit`
+  - Get the closest QUnit commit to the jQuery version/release:
+    - `git checkout 25e4489a5f280e8f0a22ca99ecb401338bb75308`
+  - `cd ../..`
+  - `git clone [email protected]:jquery/sizzle.git --depth=1 src/sizzle`
+  - `cd src/sizzle`
+  - `git fetch --tags`
+    - Get corresponding sizzle branch for this jQuery version/release:
+  - `git checkout 1.4.4`
+  - `cd ..`
+    - Create symlink to src in test folder:
+  - `ln -s ../src src`
+  - `cd ..`
+  - `make jquery`
+    - Run php server:
+  - `php -S 127.0.0.1:8000 -t test`
+- Open `/tests/index.html` in your browser
+
 ##### 1.6.4 / 1.6.5-sec
 
 ###### Prerequisites
@@ -59,19 +91,34 @@ You can run the A/B tests locally in CI mode or manually in the browser
 
 ## Building
 
-<!-- markdownlint-disable-next-line MD024 -->
 ### 1.2.6 / 1.2.7-sec
 
 - Checkout the `1.2.6` or `1.2.7-sec` branch
 - Run `make jquery` from the root folder of the repo
-  - this will output `./dist/jquery.js`
+  - This will output `./dist/jquery.js`
 
-<!-- markdownlint-disable-next-line MD024 -->
 ### 1.3.2 / 1.3.3-sec
 
 - Checkout the `1.3.2` or `1.3.3-sec` branch
 - Run `make jquery` from the root folder of the repo
-  - this will output `./dist/jquery.js`
+  - This will output `./dist/jquery.js`
+
+### 1.4.4 / 1.4.5-sec
+
+- Checkout the `1.4.4` or `1.4.5-sec` branch
+- From the root folder of the repo:
+  - `git clone [email protected]:qunitjs/qunit.git --depth=1 test/qunit`
+  - `cd test/qunit`
+  - Get the closest QUnit commit to the jQuery version/release:
+    - `git checkout 25e4489a5f280e8f0a22ca99ecb401338bb75308`
+  - `cd ../..`
+  - `git clone [email protected]:jquery/sizzle.git --depth=1 src/sizzle`
+  - `cd src/sizzle`
+  - `git fetch --tags`
+    - Get corresponding sizzle branch for this jQuery version/release:
+  - `git checkout 1.4.4`
+  - `cd ../..`
+  - Run `make jquery`
+    - This will output `./dist/jquery.js`
 
-<!-- markdownlint-disable-next-line MD024 -->
 ### 1.6.4 / 1.6.5-sec