jquery-rails 4.0.3 → 4.0.4





checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: cbce5dcfc21bb4fb2839710ac0e05159888322b0
4
- data.tar.gz: fc45d73e7fcbb5a41d0dcd63c388f77ac4c4e718
3
+ metadata.gz: 6950a11f58e399bdf4c52733598011f5f0306d31
4
+ data.tar.gz: 1aec4ab15af412138502b80fe7ae459fb007bd74
5
5
  SHA512:
6
- metadata.gz: c0a6d1bd050ea314a9ba5fa5ca62064b915ea5d9587b2387c054e0ba180fb1c9d5b2b5ab4364655eda865a6cafd3d7a0ff2e277dece297a7afd435b68be6a612
7
- data.tar.gz: f04822fcbc830e85d4187290efce0347067ab70474e9c7aa4c56d93fdf8c7390eae158f8970b7ab853fc05325375c7f4d2934a029f74f2df210fcbef37fe29e2
6
+ metadata.gz: a3161c3a359063d6568662266d6945e594f617584557d6faae1127a9a118d94811fed2a73cb0d2a8f70052772b91d12e987a009d8a969b631d11b2b166b5fcfc
7
+ data.tar.gz: 8c087eeed4d2bdb64905e60c6214e8827d74bf6a65fa02aba3c60653e5876a70adb3dcf8b1b735480ab1f96e6b06b5ec0a39d57a4faec2b03091154c9a4ce9b2
@@ -1,3 +1,7 @@
1
+ ## 4.0.4
2
+
3
+ - Fix CSP bypass vulnerability. CVE-2015-1840
4
+
1
5
  ## 4.0.1
2
6
 
3
7
  - Fix RubyGems permission problem.
@@ -2,6 +2,7 @@
2
2
 
3
3
  | Gem | jQuery | jQuery UJS | jQuery UI |
4
4
  |--------|--------|------------| ----------|
5
+ | 4.0.4 | 1.11.2 & 2.1.3 | 1.0.4 | - |
5
6
  | 4.0.3 | 1.11.2 & 2.1.3 | 1.0.3 | - |
6
7
  | 4.0.2 | - | - | - |
7
8
  | 4.0.1 | - | - | - |
@@ -1,8 +1,8 @@
1
1
  module Jquery
2
2
  module Rails
3
- VERSION = "4.0.3"
3
+ VERSION = "4.0.4"
4
4
  JQUERY_VERSION = "1.11.2"
5
5
  JQUERY_2_VERSION = "2.1.3"
6
- JQUERY_UJS_VERSION = "1.0.3"
6
+ JQUERY_UJS_VERSION = "1.0.4"
7
7
  end
8
8
  end
@@ -86,16 +86,14 @@
86
86
 
87
87
  // Default way to get an element's href. May be overridden at $.rails.href.
88
88
  href: function(element) {
89
- return element.attr('href');
89
+ return element[0].href;
90
90
  },
91
91
 
92
92
  // Submits "remote" forms and links with ajax
93
93
  handleRemote: function(element) {
94
- var method, url, data, elCrossDomain, crossDomain, withCredentials, dataType, options;
94
+ var method, url, data, withCredentials, dataType, options;
95
95
 
96
96
  if (rails.fire(element, 'ajax:before')) {
97
- elCrossDomain = element.data('cross-domain');
98
- crossDomain = elCrossDomain === undefined ? null : elCrossDomain;
99
97
  withCredentials = element.data('with-credentials') || null;
100
98
  dataType = element.data('type') || ($.ajaxSettings && $.ajaxSettings.dataType);
101
99
 
@@ -147,7 +145,7 @@
147
145
  error: function(xhr, status, error) {
148
146
  element.trigger('ajax:error', [xhr, status, error]);
149
147
  },
150
- crossDomain: crossDomain
148
+ crossDomain: rails.isCrossDomain(url)
151
149
  };
152
150
 
153
151
  // There is no withCredentials for IE6-8 when
@@ -167,6 +165,27 @@
167
165
  }
168
166
  },
169
167
 
168
+ // Determines if the request is a cross domain request.
169
+ isCrossDomain: function(url) {
170
+ var originAnchor = document.createElement("a");
171
+ originAnchor.href = location.href;
172
+ var urlAnchor = document.createElement("a");
173
+
174
+ try {
175
+ urlAnchor.href = url;
176
+ // This is a workaround to a IE bug.
177
+ urlAnchor.href = urlAnchor.href;
178
+
179
+ // Make sure that the browser parses the URL and that the protocols and hosts match.
180
+ return !urlAnchor.protocol || !urlAnchor.host ||
181
+ (originAnchor.protocol + "//" + originAnchor.host !==
182
+ urlAnchor.protocol + "//" + urlAnchor.host);
183
+ } catch (e) {
184
+ // If there is an error parsing the URL, assume it is crossDomain.
185
+ return true;
186
+ }
187
+ },
188
+
170
189
  // Handles "data-method" on links such as:
171
190
  // <a href="/users/5" data-method="delete" rel="nofollow" data-confirm="Are you sure?">Delete</a>
172
191
  handleMethod: function(link) {
@@ -178,7 +197,7 @@
178
197
  form = $('<form method="post" action="' + href + '"></form>'),
179
198
  metadataInput = '<input name="_method" value="' + method + '" type="hidden" />';
180
199
 
181
- if (csrfParam !== undefined && csrfToken !== undefined) {
200
+ if (csrfParam !== undefined && csrfToken !== undefined && !rails.isCrossDomain(href)) {
182
201
  metadataInput += '<input name="' + csrfParam + '" value="' + csrfToken + '" type="hidden" />';
183
202
  }
184
203
 
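Review bot: The fail-closed intent of isCrossDomain is not stated anywhere in the new code: the `return !urlAnchor.protocol || !urlAnchor.host ||` line and the `catch` branch both classify anything the browser cannot resolve to a protocol and host as cross-domain, which is the safe direction for a check that decides whether the CSRF token is attached, and it deserves a comment such as `// Fail closed: a URL the browser cannot resolve to a protocol and host is treated as cross-domain so the CSRF token is never attached by mistake.` Note also that comparing `protocol + "//" + host` can, in some older engines, see an explicit default port on the parsed anchor's `host` where `location.host` omits it; that only misclassifies a same-origin URL as cross-domain (token withheld), so it is harmless but worth mentioning in the same comment. Separately, the first hunk drops the `data-cross-domain` attribute along with the removed `elCrossDomain` lines, so an application that used it to force cross-domain handling on a same-origin URL silently loses that behaviour and the changelog line above does not mention it; if the opt-in is worth keeping, widen only in the safe direction, `crossDomain: rails.isCrossDomain(url) || element.data('cross-domain') === true`. handleRemote and handleMethod both begin before their hunks, so the `url` and `href` values passed to isCrossDomain are assigned outside the visible lines.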
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: jquery-rails
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.0.3
4
+ version: 4.0.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - André Arko
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-12-29 00:00:00.000000000 Z
11
+ date: 2015-06-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: railties