Widget: Don't let widget name affect `$.ui` prototype & constructor

This is an edge case and it only affects code accepting untrusted input as
a widget name, but it's still technically correct to filter these out.

Closes gh-2310

diff --git a/tests/unit/widget/core.js b/tests/unit/widget/core.js
index fe74e18e94e0f9eeb78349f98a844b23e933dfe3..38e63a8c0571d98b5674f5b85bfc68c5fc03531d 100644 (file)
--- a/tests/unit/widget/core.js
+++ b/tests/unit/widget/core.js
@@ -242,6 +242,28 @@ QUnit.test( "error handling", function( assert ) {
        $.error = error;
 } );
 
+QUnit.test( "Prototype pollution", function( assert ) {
+       assert.expect( 3 );
+
+       var elem = $( "<div>" );
+
+       $.widget( "ui.testWidget", {} );
+
+       elem.testWidget();
+
+       try {
+               $.widget( "ui.__proto__", {} );
+       } catch ( _e ) {}
+       try {
+               $.widget( "ui.constructor", {} );
+       } catch ( _e ) {}
+
+       assert.strictEqual( Object.getPrototypeOf( $.ui ), Object.prototype,
+               "$.ui constructor not modified" );
+       assert.ok( $.ui instanceof Object, "$.ui is an Object instance" );
+       assert.notOk( $.ui instanceof Function, "$.ui is not a Function instance" );
+} );
+
 QUnit.test( "merge multiple option arguments", function( assert ) {
        assert.expect( 1 );
        $.widget( "ui.testWidget", {

diff --git a/ui/widget.js b/ui/widget.js
index 7201b4fbf6324200af2fc41826831cfcf62f7eae..d5fbd885cf0c6a589488dd6e650579db608a6ebf 100644 (file)
--- a/ui/widget.js
+++ b/ui/widget.js
@@ -56,6 +56,9 @@ $.widget = function( name, base, prototype ) {
 
        var namespace = name.split( "." )[ 0 ];
        name = name.split( "." )[ 1 ];
+       if ( name === "__proto__" || name === "constructor" ) {
+               return $.error( "Invalid widget name: " + name );
+       }
        var fullName = namespace + "-" + name;
 
        if ( !prototype ) {