jquery-rails 3.1.2 → 3.1.3



checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 98bf989826e397d74ec16b1a4a7c4abec2abf9aa
4
- data.tar.gz: f49b1a849a7fa680e2c3ccb51033fb5f8ac2a84e
3
+ metadata.gz: f2fb7c1bc54c76ac75d4d6ba5aa8a4180e635ce9
4
+ data.tar.gz: 8d546a3a4f7dac4337f9d70abd7b339f15a3bfd2
5
5
  SHA512:
6
- metadata.gz: 27f7d0e1dc0263585ed78f0665422d3d855c6e7367e9bc7c1db7b09fb01eb834402faad34baa7c2b02f3b536cc61a91012b239a29d21f8bc1c045db0eeec4d54
7
- data.tar.gz: 1913187a31b4be7a2e92122850ea84e124688282a6ea370022767e4394f5759360cf08eedebb4f633c9cb59aa1c842b0aaaf5f5eeeb8bd3c839a02345001c98c
6
+ metadata.gz: 30921a1b02aabac4035a959719a62fe48283331124baca8fc78961ec0266903e88e935fd570e57c6cf27d7fb46328a6676fd4f6c6b70ae53bc1f8af2889c2df0
7
+ data.tar.gz: c21818f07a70497e53f48e6024d5d008ecdac28e276401f7743b0afcb6609803bb52f53f0c5a3b9a01c754adc0759a808e92fc4ef27b7ed1d17e95f026e9f120
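--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 3.1.3 (16 June 2015)
+
+- Fix CSP bypass vulnerability. CVE-2015-1840
+
 ## 3.1.2 (1 September 2014)
 
 - Updated to jquery-ujs 1.0.1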
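--- a/data/VERSIONS.md
+++ b/data/VERSIONS.md
@@ -2,6 +2,7 @@
 
 | Gem | jQuery | jQuery UJS | jQuery UI |
 |--------|--------|------------| ----------|
+| 3.1.3 | 1.11.1 | 1.0.4 | - |
 | 3.1.2 | 1.11.1 | 1.0.1 | - |
 | 3.1.1 | 1.11.1 | 1.0.0 | - |
 | 3.1.0 | 1.11.0 | - | - |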
@@ -1,7 +1,7 @@
1
1
  module Jquery
2
2
  module Rails
3
- VERSION = "3.1.2"
3
+ VERSION = "3.1.3"
4
4
  JQUERY_VERSION = "1.11.1"
5
- JQUERY_UJS_VERSION = "1.0.1"
5
+ JQUERY_UJS_VERSION = "1.0.4"
6
6
  end
7
7
  end
@@ -86,16 +86,14 @@
86
86
 
87
87
  // Default way to get an element's href. May be overridden at $.rails.href.
88
88
  href: function(element) {
89
- return element.attr('href');
89
+ return element[0].href;
90
90
  },
91
91
 
92
92
  // Submits "remote" forms and links with ajax
93
93
  handleRemote: function(element) {
94
- var method, url, data, elCrossDomain, crossDomain, withCredentials, dataType, options;
94
+ var method, url, data, withCredentials, dataType, options;
95
95
 
96
96
  if (rails.fire(element, 'ajax:before')) {
97
- elCrossDomain = element.data('cross-domain');
98
- crossDomain = elCrossDomain === undefined ? null : elCrossDomain;
99
97
  withCredentials = element.data('with-credentials') || null;
100
98
  dataType = element.data('type') || ($.ajaxSettings && $.ajaxSettings.dataType);
101
99
 
@@ -147,7 +145,7 @@
147
145
  error: function(xhr, status, error) {
148
146
  element.trigger('ajax:error', [xhr, status, error]);
149
147
  },
150
- crossDomain: crossDomain
148
+ crossDomain: rails.isCrossDomain(url)
151
149
  };
152
150
 
153
151
  // There is no withCredentials for IE6-8 when
@@ -167,6 +165,27 @@
167
165
  }
168
166
  },
169
167
 
168
+ // Determines if the request is a cross domain request.
169
+ isCrossDomain: function(url) {
170
+ var originAnchor = document.createElement("a");
171
+ originAnchor.href = location.href;
172
+ var urlAnchor = document.createElement("a");
173
+
174
+ try {
175
+ urlAnchor.href = url;
176
+ // This is a workaround to a IE bug.
177
+ urlAnchor.href = urlAnchor.href;
178
+
179
+ // Make sure that the browser parses the URL and that the protocols and hosts match.
180
+ return !urlAnchor.protocol || !urlAnchor.host ||
181
+ (originAnchor.protocol + "//" + originAnchor.host !==
182
+ urlAnchor.protocol + "//" + urlAnchor.host);
183
+ } catch (e) {
184
+ // If there is an error parsing the URL, assume it is crossDomain.
185
+ return true;
186
+ }
187
+ },
188
+
170
189
  // Handles "data-method" on links such as:
171
190
  // <a href="/users/5" data-method="delete" rel="nofollow" data-confirm="Are you sure?">Delete</a>
172
191
  handleMethod: function(link) {
@@ -178,7 +197,7 @@
178
197
  form = $('<form method="post" action="' + href + '"></form>'),
179
198
  metadataInput = '<input name="_method" value="' + method + '" type="hidden" />';
180
199
 
181
- if (csrfParam !== undefined && csrfToken !== undefined) {
200
+ if (csrfParam !== undefined && csrfToken !== undefined && !rails.isCrossDomain(href)) {
182
201
  metadataInput += '<input name="' + csrfParam + '" value="' + csrfToken + '" type="hidden" />';
183
202
  }
184
203
 
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: jquery-rails
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.1.2
4
+ version: 3.1.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - André Arko
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-09-02 00:00:00.000000000 Z
11
+ date: 2015-06-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: railties
@@ -98,7 +98,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
98
98
  version: 1.3.6
99
99
  requirements: []
100
100
  rubyforge_project: jquery-rails
101
- rubygems_version: 2.2.2
101
+ rubygems_version: 2.4.5
102
102
  signing_key:
103
103
  specification_version: 4
104
104
  summary: Use jQuery with Rails 3+