jquery-rails 3.1.2 → 3.1.3


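--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 98bf989826e397d74ec16b1a4a7c4abec2abf9aa
-data.tar.gz: f49b1a849a7fa680e2c3ccb51033fb5f8ac2a84e
+metadata.gz: f2fb7c1bc54c76ac75d4d6ba5aa8a4180e635ce9
+data.tar.gz: 8d546a3a4f7dac4337f9d70abd7b339f15a3bfd2
 SHA512:
-metadata.gz: 27f7d0e1dc0263585ed78f0665422d3d855c6e7367e9bc7c1db7b09fb01eb834402faad34baa7c2b02f3b536cc61a91012b239a29d21f8bc1c045db0eeec4d54
-data.tar.gz: 1913187a31b4be7a2e92122850ea84e124688282a6ea370022767e4394f5759360cf08eedebb4f633c9cb59aa1c842b0aaaf5f5eeeb8bd3c839a02345001c98c
+metadata.gz: 30921a1b02aabac4035a959719a62fe48283331124baca8fc78961ec0266903e88e935fd570e57c6cf27d7fb46328a6676fd4f6c6b70ae53bc1f8af2889c2df0
+data.tar.gz: c21818f07a70497e53f48e6024d5d008ecdac28e276401f7743b0afcb6609803bb52f53f0c5a3b9a01c754adc0759a808e92fc4ef27b7ed1d17e95f026e9f120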
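--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 3.1.3 (16 June 2015)
+
+- Fix CSP bypass vulnerability. CVE-2015-1840
+
 ## 3.1.2 (1 September 2014)
 
 - Updated to jquery-ujs 1.0.1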
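--- a/data/VERSIONS.md
+++ b/data/VERSIONS.md
@@ -2,6 +2,7 @@
 
 | Gem | jQuery | jQuery UJS | jQuery UI |
 |--------|--------|------------| ----------|
+| 3.1.3 | 1.11.1 | 1.0.4 | - |
 | 3.1.2 | 1.11.1 | 1.0.1 | - |
 | 3.1.1 | 1.11.1 | 1.0.0 | - |
 | 3.1.0 | 1.11.0 | - | - |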
@@ -1,7 +1,7 @@
1
1
  module Jquery
2
2
  module Rails
3
- VERSION = "3.1.2"
3
+ VERSION = "3.1.3"
4
4
  JQUERY_VERSION = "1.11.1"
5
- JQUERY_UJS_VERSION = "1.0.1"
5
+ JQUERY_UJS_VERSION = "1.0.4"
6
6
  end
7
7
  end
@@ -86,16 +86,14 @@
86
86
 
87
87
  // Default way to get an element's href. May be overridden at $.rails.href.
88
88
  href: function(element) {
89
- return element.attr('href');
89
+ return element[0].href;
90
90
  },
91
91
 
92
92
  // Submits "remote" forms and links with ajax
93
93
  handleRemote: function(element) {
94
- var method, url, data, elCrossDomain, crossDomain, withCredentials, dataType, options;
94
+ var method, url, data, withCredentials, dataType, options;
95
95
 
96
96
  if (rails.fire(element, 'ajax:before')) {
97
- elCrossDomain = element.data('cross-domain');
98
- crossDomain = elCrossDomain === undefined ? null : elCrossDomain;
99
97
  withCredentials = element.data('with-credentials') || null;
100
98
  dataType = element.data('type') || ($.ajaxSettings && $.ajaxSettings.dataType);
101
99
 
@@ -147,7 +145,7 @@
147
145
  error: function(xhr, status, error) {
148
146
  element.trigger('ajax:error', [xhr, status, error]);
149
147
  },
150
- crossDomain: crossDomain
148
+ crossDomain: rails.isCrossDomain(url)
151
149
  };
152
150
 
153
151
  // There is no withCredentials for IE6-8 when
@@ -167,6 +165,27 @@
167
165
  }
168
166
  },
169
167
 
168
+ // Determines if the request is a cross domain request.
169
+ isCrossDomain: function(url) {
170
+ var originAnchor = document.createElement("a");
171
+ originAnchor.href = location.href;
172
+ var urlAnchor = document.createElement("a");
173
+
174
+ try {
175
+ urlAnchor.href = url;
176
+ // This is a workaround to a IE bug.
177
+ urlAnchor.href = urlAnchor.href;
178
+
179
+ // Make sure that the browser parses the URL and that the protocols and hosts match.
180
+ return !urlAnchor.protocol || !urlAnchor.host ||
181
+ (originAnchor.protocol + "//" + originAnchor.host !==
182
+ urlAnchor.protocol + "//" + urlAnchor.host);
183
+ } catch (e) {
184
+ // If there is an error parsing the URL, assume it is crossDomain.
185
+ return true;
186
+ }
187
+ },
188
+
170
189
  // Handles "data-method" on links such as:
171
190
  // <a href="/users/5" data-method="delete" rel="nofollow" data-confirm="Are you sure?">Delete</a>
172
191
  handleMethod: function(link) {
@@ -178,7 +197,7 @@
178
197
  form = $('<form method="post" action="' + href + '"></form>'),
179
198
  metadataInput = '<input name="_method" value="' + method + '" type="hidden" />';
180
199
 
181
- if (csrfParam !== undefined && csrfToken !== undefined) {
200
+ if (csrfParam !== undefined && csrfToken !== undefined && !rails.isCrossDomain(href)) {
182
201
  metadataInput += '<input name="' + csrfParam + '" value="' + csrfToken + '" type="hidden" />';
183
202
  }
184
203
 
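Review bot: The short-circuit `!urlAnchor.protocol || !urlAnchor.host` in the `return` of the new `isCrossDomain` classifies any URL the browser leaves without a protocol or host as cross-origin, and `handleRemote` now feeds it `url` unchanged via `crossDomain: rails.isCrossDomain(url)`; if `url` can still be a relative form `action` (its assignment is outside the hunk) and the anchor re-assignment workaround does not populate those fields on an older engine, a same-origin request is treated as cross-origin and, presumably via the prefilter that consults `crossDomain`, sent without the CSRF token — failing closed rather than leaking, but breaking the request. That choice deserves a comment so the next maintainer does not "fix" it in the unsafe direction, e.g. `// Empty protocol/host after parsing is deliberately treated as cross-origin: the CSRF token is withheld, never sent to an unknown origin.` The header comment on `isCrossDomain` should also state that "same origin" here means scheme plus host (including any explicit port) and that the path is intentionally not compared. The `rails` object literal enclosing these functions starts and ends outside the hunk. Separately, the CHANGELOG hunk labels this a CSP bypass while the code guards the CSRF token fields in `handleMethod`; that entry may deserve rewording.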
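--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jquery-rails
 version: !ruby/object:Gem::Version
-version: 3.1.2
+version: 3.1.3
 platform: ruby
 authors:
 - André Arko
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-09-02 00:00:00.000000000 Z
+date: 2015-06-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: railties
@@ -98,7 +98,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: 1.3.6
 requirements: []
 rubyforge_project: jquery-rails
-rubygems_version: 2.2.2
+rubygems_version: 2.4.5
 signing_key:
 specification_version: 4
 summary: Use jQuery with Rails 3+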