From 2d49b67a6180d1a91d92f824753005e39e622650 Mon Sep 17 00:00:00 2001 From: Nils Knappmeier Date: Thu, 7 Feb 2019 11:25:30 +0100 Subject: [PATCH] Update release notes --- release-notes.md | 40 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/release-notes.md b/release-notes.md index 8af103799..b0a1b284c 100644 --- a/release-notes.md +++ b/release-notes.md @@ -2,7 +2,45 @@ ## Development -[Commits](https://github.com/wycats/handlebars.js/compare/v4.0.12...master) +[Commits](https://github.com/wycats/handlebars.js/compare/v4.0.13...master) + +## v4.0.13 - February 7th, 2019 +New Features + +- none + +Security fixes: + +- disallow access to the constructor in templates to prevent RCE - 42841c4, #1495 + +Housekeeping + +- chore: fix components/handlebars package.json and auto-update on release - bacd473 +- chore: Use node 10 to build handlebars - 78dd89c + +Compatibility notes: + +Access to class constructors (i.e. `({}).constructor`) is now prohibited to prevent +Remote Code Execution. This means that following construct will no work anymore: + +``` +class SomeClass { +} + +SomeClass.staticProperty = 'static' + +var template = Handlebars.compile('{{constructor.staticProperty}}'); +document.getElementById('output').innerHTML = template(new SomeClass()); +// expected: 'static', but now this is empty. +``` + +This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will **not** increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems). + + + +[Commits](https://github.com/wycats/handlebars.js/compare/v4.0.12...v4.1.0) + +[Commits](https://github.com/wycats/handlebars.js/compare/v4.0.12...v4.0.13) ## v4.0.12 - September 4th, 2018 New features:
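Review bot: The added line `[Commits](https://github.com/wycats/handlebars.js/compare/v4.0.12...v4.1.0)` in the v4.0.13 section has no matching v4.1.0 heading anywhere in this hunk and sits directly above the `v4.0.12...v4.0.13` link, so it reads as a leftover from a draft; suggest dropping it and keeping only the `v4.0.13` compare link at the end of the section. Two smaller points in the same hunk: the compatibility note reads "This means that following construct will no work anymore", which should be "This means that the following construct will not work anymore"; and the example fence is untagged while it contains JavaScript, so a `js` tag would get it highlighted. Finally, the heading punctuation is inconsistent ("New Features" and "Housekeeping" without a colon, "Security fixes:" and "Compatibility notes:" with one); matching the existing "New features:" style used in the v4.0.12 section below keeps the file uniform.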