Problem/Motivation

SA-CONTRIB-2015-123 was fixed in the 7.x-2.x branch only, so 7.x-3.x will need to address this security issue before a full major release.

Proposed resolution

Remove the overlay.js replacement entirely and use the newly added jQuery Migrate plugin to offset the cost of keeping up with core.

Remaining tasks

  • Create a patch that removes all the files under replace/misc/1.9 and force enable the jQuery Migrate plugin if and when these files (from core) are detected.

User interface changes

Show helper text in the settings UI explaining why the plugin may be force enabled.

API changes

None

Comments

markhalliwell’s picture

Title: Port the Overlay security fix from SA-CONTRIB-2015-123 to the unstable 7.x-3.x branch » Remove overlay.js replacement and force enable the migrate plugin

The 7.x-3.x branch doesn't really need the same patch. The only reason jQuery Update was replacing core's overlay was to deal with the fact that jQuery 1.9+ removed deprecated methods.

Now that the jQuery Migrate plugin is in 7.x-3.x (not 7.x-2.x), we just need to remove the overlay-parent.js replacement file entirely. Now we can simply force enable the jQuery Migrate plugin if and when the overlay-parent.js (from core) is detected in the JS array (or if the overlay module is enabled, not sure which would be better/easier?).

We should also display some helping text in the UI explaining _why_ the plugin is force enabled.

markhalliwell’s picture

Title: Remove overlay.js replacement and force enable the migrate plugin » Remove replace/misc/1.9/overlay-parent.js and force enable the migrate plugin

markhalliwell’s picture

Title: Remove replace/misc/1.9/overlay-parent.js and force enable the migrate plugin » Remove 1.9 replacement files and force enable the migrate plugin

Actually, the same could be said for the other core replacement file too, replace/misc/1.9/jquery.ba-bbq.js.

markhalliwell’s picture

Title: Remove 1.9 replacement files and force enable the migrate plugin » Remove 1.9 replacement files

Will create a follow-up for the "force" or rather "suggestion" to enable jQuery Migrate for outdated core files.

  • markcarver committed 8fe2eb0 on 7.x-3.x
    Issue #2507857: Remove 1.9 replacement files
    
markhalliwell’s picture

Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.