Drupal: SA-CORE-2020-007 fix for ctools

https://dev.gridrepublic.org/browse/DBOINCP-530
2020-09-17 11:04:46 +02:00 · 2020-09-17 11:04:46 +02:00 · 8e3657e90c
parent b6a799956c
commit 8e3657e90c
2 changed files with 14 additions and 10 deletions
--- a/drupal/sites/default/boinc/modules/contrib/ctools/ctools.info
+++ b/drupal/sites/default/boinc/modules/contrib/ctools/ctools.info
@ -3,8 +3,8 @@ description = A library of helpful tools by Merlin of Chaos.
 core = 6.x
 package = Chaos tool suite
 ; Information added by Drupal.org packaging script on 2015-12-22
-version = "6.x-1.15-boinc-2-dev"
+version = "6.x-1.15-boinc-3-dev"
 core = "6.x"
 project = "ctools"
-datestamp = "1548704188"
+datestamp = "1600333247"

--- a/drupal/sites/default/boinc/modules/contrib/ctools/js/ajax-responder.js
+++ b/drupal/sites/default/boinc/modules/contrib/ctools/js/ajax-responder.js
@ -50,7 +50,7 @@
    var $objects = $('a[href="' + old_url + '"]');
    $objects.addClass('ctools-fetching');
    try {
-      var url = Drupal.CTools.AJAX.urlReplaceNojs(url);
+      var url = Drupal.sanitizeAjaxUrl(Drupal.CTools.AJAX.urlReplaceNojs(url));
      var ajaxOptions = {
        type: "POST",
        url: url,
@ -68,7 +68,8 @@
        complete: function() {
          $objects.removeClass('ctools-fetching');
        },
-        dataType: 'json'
+        dataType: 'json',
+        jsonp: false
      };
      $.ajax(ajaxOptions);
    }
@ -117,7 +118,7 @@
    }
    $(this).addClass('ctools-ajaxing');
    try {
-      url = Drupal.CTools.AJAX.urlReplaceNojs(url);
+      url = Drupal.sanitizeAjaxUrl(Drupal.CTools.AJAX.urlReplaceNojs(url));
      $.ajax({
        type: "POST",
        url: url,
@ -131,7 +132,8 @@
        complete: function() {
          $('.ctools-ajaxing').removeClass('ctools-ajaxing');
        },
-        dataType: 'json'
+        dataType: 'json',
+        jsonp: false
      });
    }
    catch (err) {
@ -159,7 +161,7 @@
    $(this).addClass('ctools-ajaxing');
    try {
      if (url) {
-        url = Drupal.CTools.AJAX.urlReplaceNojs(url);
+        url = Drupal.sanitizeAjaxUrl(Drupal.CTools.AJAX.urlReplaceNojs(url));
        $.ajax({
          type: "POST",
          url: url,
@ -173,7 +175,8 @@
          complete: function() {
            $('.ctools-ajaxing').removeClass('ctools-ajaxing');
          },
-          dataType: 'json'
+          dataType: 'json',
+          jsonp: false
        });
      }
      else {
@ -329,7 +332,7 @@
    var form_id = $object.parents('form').get(0).id;
    try {
      if (url) {
-        url = Drupal.CTools.AJAX.urlReplaceNojs(url);
+        url = Drupal.sanitizeAjaxUrl(Drupal.CTools.AJAX.urlReplaceNojs(url));
        $.ajax({
          type: "POST",
          url: url,
@ -346,7 +349,8 @@
              $('form#' + form_id).submit();
            }
          },
-          dataType: 'json'
+          dataType: 'json',
+          jsonp: false
        });
      }
      else {