RubyGems - jquery-rails - Versions diffs - 4.0.3 → 4.0.4 - Mend

jquery-rails 4.0.3 → 4.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of jquery-rails might be problematic. Click here for more details.

Files changed (6) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -0
data/VERSIONS.md +1 -0
data/lib/jquery/rails/version.rb +2 -2
data/vendor/assets/javascripts/jquery_ujs.js +25 -6
metadata +2 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: cbce5dcfc21bb4fb2839710ac0e05159888322b0
-  data.tar.gz: fc45d73e7fcbb5a41d0dcd63c388f77ac4c4e718
+  metadata.gz: 6950a11f58e399bdf4c52733598011f5f0306d31
+  data.tar.gz: 1aec4ab15af412138502b80fe7ae459fb007bd74
 SHA512:
-  metadata.gz: c0a6d1bd050ea314a9ba5fa5ca62064b915ea5d9587b2387c054e0ba180fb1c9d5b2b5ab4364655eda865a6cafd3d7a0ff2e277dece297a7afd435b68be6a612
-  data.tar.gz: f04822fcbc830e85d4187290efce0347067ab70474e9c7aa4c56d93fdf8c7390eae158f8970b7ab853fc05325375c7f4d2934a029f74f2df210fcbef37fe29e2
+  metadata.gz: a3161c3a359063d6568662266d6945e594f617584557d6faae1127a9a118d94811fed2a73cb0d2a8f70052772b91d12e987a009d8a969b631d11b2b166b5fcfc
+  data.tar.gz: 8c087eeed4d2bdb64905e60c6214e8827d74bf6a65fa02aba3c60653e5876a70adb3dcf8b1b735480ab1f96e6b06b5ec0a39d57a4faec2b03091154c9a4ce9b2

data/CHANGELOG.md CHANGED

@@ -1,3 +1,7 @@
+## 4.0.4
+  - Fix CSP bypass vulnerability. CVE-2015-1840
 ## 4.0.1
   - Fix RubyGems permission problem.

data/VERSIONS.md CHANGED

@@ -2,6 +2,7 @@
 | Gem    | jQuery | jQuery UJS | jQuery UI |
 |--------|--------|------------| ----------|
+| 4.0.4  | 1.11.2 & 2.1.3  | 1.0.4  | -         |
 | 4.0.3  | 1.11.2 & 2.1.3  | 1.0.3  | -         |
 | 4.0.2  | -      | -          | -         |
 | 4.0.1  | -      | -          | -         |

data/lib/jquery/rails/version.rb CHANGED

@@ -1,8 +1,8 @@
 module Jquery
   module Rails
-    VERSION = "4.0.3"
+    VERSION = "4.0.4"
     JQUERY_VERSION = "1.11.2"
     JQUERY_2_VERSION = "2.1.3"
-    JQUERY_UJS_VERSION = "1.0.3"
+    JQUERY_UJS_VERSION = "1.0.4"
   end
 end

data/vendor/assets/javascripts/jquery_ujs.js CHANGED

@@ -86,16 +86,14 @@
     // Default way to get an element's href. May be overridden at $.rails.href.
     href: function(element) {
-      return element.attr('href');
+      return element[0].href;
     },
     // Submits "remote" forms and links with ajax
     handleRemote: function(element) {
-      var method, url, data, elCrossDomain, crossDomain, withCredentials, dataType, options;
+      var method, url, data, withCredentials, dataType, options;
       if (rails.fire(element, 'ajax:before')) {
-        elCrossDomain = element.data('cross-domain');
-        crossDomain = elCrossDomain === undefined ? null : elCrossDomain;
         withCredentials = element.data('with-credentials') || null;
         dataType = element.data('type') || ($.ajaxSettings && $.ajaxSettings.dataType);
@@ -147,7 +145,7 @@
           error: function(xhr, status, error) {
             element.trigger('ajax:error', [xhr, status, error]);
           },
-          crossDomain: crossDomain
+          crossDomain: rails.isCrossDomain(url)
         };
         // There is no withCredentials for IE6-8 when
@@ -167,6 +165,27 @@
       }
     },
+    // Determines if the request is a cross domain request.
+    isCrossDomain: function(url) {
+      var originAnchor = document.createElement("a");
+      originAnchor.href = location.href;
+      var urlAnchor = document.createElement("a");
+      try {
+        urlAnchor.href = url;
+        // This is a workaround to a IE bug.
+        urlAnchor.href = urlAnchor.href;
+        // Make sure that the browser parses the URL and that the protocols and hosts match.
+        return !urlAnchor.protocol || !urlAnchor.host ||
+          (originAnchor.protocol + "//" + originAnchor.host !==
+            urlAnchor.protocol + "//" + urlAnchor.host);
+      } catch (e) {
+        // If there is an error parsing the URL, assume it is crossDomain.
+        return true;
+      }
+    },
     // Handles "data-method" on links such as:
     // <a href="/users/5" data-method="delete" rel="nofollow" data-confirm="Are you sure?">Delete</a>
     handleMethod: function(link) {
@@ -178,7 +197,7 @@
         form = $('<form method="post" action="' + href + '"></form>'),
         metadataInput = '<input name="_method" value="' + method + '" type="hidden" />';
-      if (csrfParam !== undefined && csrfToken !== undefined) {
+      if (csrfParam !== undefined && csrfToken !== undefined && !rails.isCrossDomain(href)) {
         metadataInput += '<input name="' + csrfParam + '" value="' + csrfToken + '" type="hidden" />';
       }

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jquery-rails
 version: !ruby/object:Gem::Version
-  version: 4.0.3
+  version: 4.0.4
 platform: ruby
 authors:
 - André Arko
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-12-29 00:00:00.000000000 Z
+date: 2015-06-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties