fix all CVEs in 1.7.2 #7

Open
wants to merge 29 commits into
base: 1.7.2-branch
ee931ed
Include distribution in release tag
timmywil Feb 12, 2014
13e9cde
Include distribution in release tag
timmywil Feb 12, 2014
9b20df0
Include distribution in release tag
timmywil Feb 12, 2014
dbce0ce
Include distribution in release tag
timmywil Feb 12, 2014
2888cae
Include distribution in release tag
timmywil Feb 12, 2014
af543e2
🔒️ fix CVE-2015-9251
ctcpip Dec 11, 2023
eb69988
🔒️ fix CVE-2012-6708
ctcpip Dec 11, 2023
ab024c1
🔒️ fix CVE-2019-11358
ctcpip Dec 11, 2023
a92926c
🔒️ fix CVE-2020-11022
ctcpip Dec 11, 2023
e5a5d49
🔒️ fix CVE-2020-11023
ctcpip Dec 11, 2023
9048c5a
🔒️ fix CVE-2020-7656
ctcpip Dec 11, 2023
ac067d7
fix support reference
ctcpip Dec 15, 2023
fe5ca13
fix script regex
ctcpip Dec 15, 2023
08ffd65
test fixes
ctcpip Dec 18, 2023
c70c7ba
🔒️ fix CVE-2011-4969
ctcpip Dec 20, 2023
8bdec18
🔒️ fix CVE-2012-6708
ctcpip Dec 20, 2023
654d925
🔒️ fix CVE-2019-11358
ctcpip Dec 21, 2023
ae1140f
🔒️ fix CVE-2020-11022
ctcpip Dec 21, 2023
8158bf0
🔒️ fix CVE-2020-7656
ctcpip Feb 10, 2024
6767dbc
🔒️ fix CVE-2020-11023
ctcpip Feb 10, 2024
8f1483b
💚 commit built jquery from latest
ctcpip Feb 15, 2024
f400223
Merge branch '1.2.7-sec' into 1.3.3-sec
ctcpip Feb 15, 2024
5affbad
Merge branch '1.3.3-sec' into 1.4.5-sec
ctcpip Feb 15, 2024
d0fef0a
✅ fix tests
ctcpip Feb 15, 2024
634d27d
🔒️ fix CVE-2015-9251
ctcpip Feb 16, 2024
fa65c2b
♻️ update old node code, prevent jslint exception
ctcpip Feb 16, 2024
6446298
Merge branch '1.4.5-sec' into 1.5.3-sec
ctcpip Feb 16, 2024
3877721
Merge branch '1.5.3-sec' into 1.6.5-sec
ctcpip Feb 16, 2024
d412a7b
Merge branch '1.6.5-sec' into 1.7.3-sec
ctcpip Feb 16, 2024
4 changes: 2 additions & 2 deletions .gitmodules
@@ -1,6 +1,6 @@
[submodule "src/sizzle"]
path = src/sizzle
url = git://github.com/jquery/sizzle.git
url = https://github.com/jquery/sizzle.git
[submodule "test/qunit"]
path = test/qunit
url = git://github.com/jquery/qunit.git
url = https://github.com/qunitjs/qunit.git
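Review bot: The `test/qunit` entry changes the repository owner (`jquery/qunit` to `qunitjs/qunit`) as well as the transport, which is a larger change than the `src/sizzle` line. The commit the submodule is pinned to is not visible here, so it is worth confirming that the recorded commit exists in the new repository before merging. Existing clones keep the old URL in their local config until `git submodule sync` is run, which the release notes could mention.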
2 changes: 1 addition & 1 deletion bower.json
@@ -1,6 +1,6 @@
{
"name" : "jquery",
"version" : "1.7.2",
"version" : "1.7.3-sec",
"main" : "./jquery.js",
"dependencies": {
}
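--- a/component.json
+++ b/component.json
@@ -0,0 +1,8 @@
+{
+"name" : "jquery",
+"version" : "1.6.5-sec",
+"main" : "./jquery.js",
+"dependencies": {
+}
+}
+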
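Review bot: The new component.json declares `"version" : "1.6.5-sec"`, while bower.json and the jquery.js banner in the same pull request say `1.7.3-sec`; the value looks carried over from the `1.6.5-sec` merge. Dependency and vulnerability scanners that read this manifest would report the wrong release for the patched code. The line should read `"version" : "1.7.3-sec",`.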
29 changes: 15 additions & 14 deletions jquery.js
@@ -1,5 +1,5 @@
/*!
* jQuery JavaScript Library v1.7.2
* jQuery JavaScript Library v1.7.3-sec
* http://jquery.com/
*
* Copyright 2011, John Resig
Expand All @@ -11,7 +11,7 @@
* Copyright 2011, The Dojo Foundation
* Released under the MIT, BSD, and GPL Licenses.
*
* Date: Wed Mar 21 12:46:34 2012 -0700
* Date: Fri Feb 16 00:55:01 2024 -0600
*/
(function( window, undefined ) {

Expand All @@ -38,7 +38,8 @@ var jQuery = function( selector, context ) {

// A simple way to check for HTML strings or ID strings
// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
// Strict HTML recognition (#11290: must start with <)
quickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,

// Check if a string has a non-whitespace character in it
rnotwhite = /\S/,
Expand Down Expand Up @@ -210,7 +211,7 @@ jQuery.fn = jQuery.prototype = {
selector: "",

// The current version of jQuery being used
jquery: "1.7.2",
jquery: "1.7.3-sec",

// The default length of a jQuery object is 0
length: 0,
Expand Down Expand Up @@ -355,8 +356,9 @@ jQuery.extend = jQuery.fn.extend = function() {
src = target[ name ];
copy = options[ name ];

// Prevent Object.prototype pollution
// Prevent never-ending loop
if ( target === copy ) {
if ( name === "__proto__" || target === copy ) {
continue;
}

Expand Down Expand Up @@ -5735,7 +5737,6 @@ var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figca
"header|hgroup|mark|meter|nav|output|progress|section|summary|time|video",
rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g,
rleadingWhitespace = /^\s+/,
rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/ig,
rtagName = /<([\w:]+)/,
rtbody = /<tbody/i,
rhtml = /<|&#?\w+;/,
Expand All @@ -5747,7 +5748,6 @@ var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figca
rscriptType = /\/(java|ecma)script/i,
rcleanScript = /^\s*<!(?:\[CDATA\[|\-\-)/,
wrapMap = {
option: [ 1, "<select multiple='multiple'>", "</select>" ],
legend: [ 1, "<fieldset>", "</fieldset>" ],
thead: [ 1, "<table>", "</table>" ],
tr: [ 2, "<table><tbody>", "</tbody></table>" ],
Expand All @@ -5758,7 +5758,6 @@ var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figca
},
safeFragment = createSafeFragment( document );

wrapMap.optgroup = wrapMap.option;
wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
wrapMap.th = wrapMap.td;

Expand Down Expand Up @@ -5936,13 +5935,10 @@ jQuery.fn.extend({
null;
}


if ( typeof value === "string" && !rnoInnerhtml.test( value ) &&
( jQuery.support.leadingWhitespace || !rleadingWhitespace.test( value ) ) &&
!wrapMap[ ( rtagName.exec( value ) || ["", ""] )[1].toLowerCase() ] ) {

value = value.replace( rxhtmlTag, "<$1></$2>" );

try {
for (; i < l; i++ ) {
// Remove element nodes and prevent memory leaks
Expand Down Expand Up @@ -6387,8 +6383,6 @@ jQuery.extend({
if ( !rhtml.test( elem ) ) {
elem = context.createTextNode( elem );
} else {
// Fix "XHTML"-style tags in all browsers
elem = elem.replace(rxhtmlTag, "<$1></$2>");

// Trim whitespace, otherwise indexOf won't work as expected
var tag = ( rtagName.exec( elem ) || ["", ""] )[1].toLowerCase(),
Expand Down Expand Up @@ -6979,7 +6973,7 @@ var r20 = /%20/g,
rnoContent = /^(?:GET|HEAD)$/,
rprotocol = /^\/\//,
rquery = /\?/,
rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,
rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*< *\/ *script *>?/gi,
rselectTextarea = /^(?:select|textarea)/i,
rspacesAjax = /\s+/,
rts = /([?&])_=[^&]*/,
Expand Down Expand Up @@ -8046,6 +8040,13 @@ jQuery.ajaxPrefilter( "json jsonp", function( s, originalSettings, jqXHR ) {



// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
jQuery.ajaxPrefilter( function( s ) {
if ( s.crossDomain ) {
s.contents.script = false;
}
} );

// Install script dataType
jQuery.ajaxSetup({
accepts: {
2 changes: 1 addition & 1 deletion src/ajax.js
Expand Up @@ -11,7 +11,7 @@ var r20 = /%20/g,
rnoContent = /^(?:GET|HEAD)$/,
rprotocol = /^\/\//,
rquery = /\?/,
rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,
rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*< *\/ *script *>?/gi,
rselectTextarea = /^(?:select|textarea)/i,
rspacesAjax = /\s+/,
rts = /([?&])_=[^&]*/,
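Review bot: The negative lookahead in `rscript` still tests the strict `<\/script>` while the terminator now accepts `< *\/ *script *>?`, so the inner loop runs past a spaced end tag such as `</script >` and the match is only completed by backtracking to the last end tag in the input. When a response holds more than one script element and the first closes that way, the markup between them would be removed together with the scripts. Using the relaxed form in the lookahead as well, `(?:(?!< *\/ *script)<[^<]*)*`, stops the match at the first end tag. The line carries no comment naming the issue it addresses, and no test on this page exercises it; the same change appears in the built jquery.js. The `var` statement begins and ends outside the hunk.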
7 changes: 7 additions & 0 deletions src/ajax/script.js
@@ -1,5 +1,12 @@
(function( jQuery ) {

// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
jQuery.ajaxPrefilter( function( s ) {
if ( s.crossDomain ) {
s.contents.script = false;
}
} );

// Install script dataType
jQuery.ajaxSetup({
accepts: {
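Review bot: The comment on the new prefilter cites only "gh-2432", which is ambiguous in a fork with its own issue numbers, and it does not say what callers must now do. Something like `// Cross-domain responses are no longer run as scripts based on Content-Type alone; pass dataType: "script" to opt in (CVE-2015-9251, jquery/jquery gh-2432)` would make the behaviour change discoverable. The prefilter also writes to `s.contents`; that is only safe if `s.contents` is a per-request copy rather than the shared defaults, which is not visible in this hunk and is worth confirming for this branch.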
6 changes: 4 additions & 2 deletions src/core.js
Expand Up @@ -17,7 +17,8 @@ var jQuery = function( selector, context ) {

// A simple way to check for HTML strings or ID strings
// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
// Strict HTML recognition (#11290: must start with <)
quickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,

// Check if a string has a non-whitespace character in it
rnotwhite = /\S/,
Expand Down Expand Up @@ -334,8 +335,9 @@ jQuery.extend = jQuery.fn.extend = function() {
src = target[ name ];
copy = options[ name ];

// Prevent Object.prototype pollution
// Prevent never-ending loop
if ( target === copy ) {
if ( name === "__proto__" || target === copy ) {
continue;
}

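Review bot: The new `quickExpr` treats a string as HTML only when it begins with `<`, so input with leading whitespace or text before the tag, which the old pattern's `[^#<]*` prefix accepted, now falls through to the selector path; the assertions removed from test/unit/core.js suggest this is intentional. That is a behaviour change for existing callers in a security-only release, and the comment `// Strict HTML recognition (#11290: must start with <)` does not say what happens to such strings. Adding `// Strings with leading whitespace or text before "<" are handled as selectors, not HTML` and a release-note entry would help integrators. Both enclosing statements continue outside the hunks.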
8 changes: 0 additions & 8 deletions src/manipulation.js
Expand Up @@ -18,7 +18,6 @@ var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figca
"header|hgroup|mark|meter|nav|output|progress|section|summary|time|video",
rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g,
rleadingWhitespace = /^\s+/,
rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/ig,
rtagName = /<([\w:]+)/,
rtbody = /<tbody/i,
rhtml = /<|&#?\w+;/,
Expand All @@ -30,7 +29,6 @@ var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figca
rscriptType = /\/(java|ecma)script/i,
rcleanScript = /^\s*<!(?:\[CDATA\[|\-\-)/,
wrapMap = {
option: [ 1, "<select multiple='multiple'>", "</select>" ],
legend: [ 1, "<fieldset>", "</fieldset>" ],
thead: [ 1, "<table>", "</table>" ],
tr: [ 2, "<table><tbody>", "</tbody></table>" ],
Expand All @@ -41,7 +39,6 @@ var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figca
},
safeFragment = createSafeFragment( document );

wrapMap.optgroup = wrapMap.option;
wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
wrapMap.th = wrapMap.td;

Expand Down Expand Up @@ -219,13 +216,10 @@ jQuery.fn.extend({
null;
}


if ( typeof value === "string" && !rnoInnerhtml.test( value ) &&
( jQuery.support.leadingWhitespace || !rleadingWhitespace.test( value ) ) &&
!wrapMap[ ( rtagName.exec( value ) || ["", ""] )[1].toLowerCase() ] ) {

value = value.replace( rxhtmlTag, "<$1></$2>" );

try {
for (; i < l; i++ ) {
// Remove element nodes and prevent memory leaks
Expand Down Expand Up @@ -670,8 +664,6 @@ jQuery.extend({
if ( !rhtml.test( elem ) ) {
elem = context.createTextNode( elem );
} else {
// Fix "XHTML"-style tags in all browsers
elem = elem.replace(rxhtmlTag, "<$1></$2>");

// Trim whitespace, otherwise indexOf won't work as expected
var tag = ( rtagName.exec( elem ) || ["", ""] )[1].toLowerCase(),
64 changes: 64 additions & 0 deletions test/unit/ajax.js
Expand Up @@ -65,6 +65,70 @@ test("jQuery.ajax() - success callbacks - (url, options) syntax", function() {
}, 13);
});

test( "jQuery.ajax() - do not execute js (crossOrigin) 1", 2, function() {

jQuery.ajaxSetup({ timeout: 0 });

stop();

setTimeout(function(){
jQuery.ajax({
url: url( "data/script.php?header=ecma" ),
crossDomain: true,
success: function() {
ok( true, "success" );
},
complete: function() {
ok( true, "complete" );
start();
}
});
}, 13);
} );

test( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3, function() {

jQuery.ajaxSetup({ timeout: 0 });

stop();

setTimeout(function(){
jQuery.ajax({
url: url( "data/script.php?header=ecma" ),
crossDomain: true,
dataType: "script",
success: function() {
ok( true, "success" );
},
complete: function() {
ok( true, "complete" );
start();
}
});
}, 13);
} );

test( "jQuery.ajax() - do not execute js (crossOrigin) 2", 2, function() {

jQuery.ajaxSetup({ timeout: 0 });

stop();

setTimeout(function(){
jQuery.ajax({
url: url( "data/script.php" ),
crossDomain: true,
success: function() {
ok( true, "success" );
},
complete: function() {
ok( true, "complete" );
start();
}
});
}, 13);
} );

test("jQuery.ajax() - success callbacks (late binding)", function() {
expect( 8 );

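Review bot: The two "do not execute js" tests never assert non-execution directly; they rely on the expected count of 2, presumably because `data/script.php` (not shown here) records an assertion of its own when it is evaluated, as the count of 3 in the `dataType: "script"` test suggests. A comment such as `// script.php calls ok() when evaluated, so a count above 2 means the response was executed` would make that dependency explicit. The titles say "crossOrigin" while the option under test is `crossDomain`. Each test also calls `jQuery.ajaxSetup({ timeout: 0 })`, which changes the global defaults for later tests unless they are reset elsewhere.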
48 changes: 42 additions & 6 deletions test/unit/core.js
Expand Up @@ -18,7 +18,7 @@ test("Basic requirements", function() {
});

test("jQuery()", function() {
expect(29);
expect(27);

// Basic constructor's behavior

Expand Down Expand Up @@ -62,7 +62,7 @@ test("jQuery()", function() {
var img = jQuery("<img/>");
equal( img.length, 1, "Correct number of elements generated for img" );
equal( img.parent().length, 0, "Make sure that the generated HTML has no parent." );
var div = jQuery("<div/><hr/><code/><b/>");
var div = jQuery("<div></div><hr><code></code><b></b>");
equal( div.length, 4, "Correct number of elements generated for div hr code b" );
equal( div.parent().length, 0, "Make sure that the generated HTML has no parent." );

Expand Down Expand Up @@ -103,16 +103,15 @@ test("jQuery()", function() {
// manually clean up detached elements
elem.remove();

equal( jQuery(" <div/> ").length, 1, "Make sure whitespace is trimmed." );
equal( jQuery(" a<div/>b ").length, 1, "Make sure whitespace and other characters are trimmed." );
equal( jQuery("<div></div> ").length, 1, "Make sure whitespace is trimmed." );

var long = "";
for ( var i = 0; i < 128; i++ ) {
long += "12345678";
}

equal( jQuery(" <div>" + long + "</div> ").length, 1, "Make sure whitespace is trimmed on long strings." );
equal( jQuery(" a<div>" + long + "</div>b ").length, 1, "Make sure whitespace and other characters are trimmed on long strings." );
equal( jQuery("<div>" + long + "</div> ").length, 1, "Make sure whitespace is trimmed on long strings." );

});

test("selector state", function() {
Expand Down Expand Up @@ -638,6 +637,36 @@ test("jQuery('html', context)", function() {
equal($span.length, 1, "Verify a span created with a div context works, #1763");
});

test("XSS via location.hash", function() {
expect(1);

stop();
jQuery._check9521 = function(x){
ok( x, "script called from #id-like selector with inline handler" );
jQuery("#check9521").remove();
delete jQuery._check9521;
};

var $eCheck9521 = jQuery( '#<img id="check9521" src="no-such-.gif" onerror="jQuery._check9521(false)"' );

if($eCheck9521.length) {
$eCheck9521.appendTo("#main");
}
else {
jQuery._check9521(true);
}

start();

});

test( "jQuery.extend( true, ... ) Object.prototype pollution", function( assert ) {
expect( 1 );

jQuery.extend( true, {}, JSON.parse( "{\"__proto__\": {\"devMode\": true}}" ) );
ok( !( "devMode" in {} ), "Object.prototype not polluted" );
} );

if ( !isLocal ) {
test("jQuery(selector, xml).text(str) - Loaded via XML document", function() {
expect(2);
Expand Down Expand Up @@ -953,6 +982,13 @@ test("jQuery.extend(Object, Object)", function() {
deepEqual( options2, options2Copy, "Check if not modified: options2 must not be modified" );
});

QUnit.test( "jQuery.extend( true, ... ) Object.prototype pollution", function( assert ) {
expect( 1 );

jQuery.extend( true, {}, JSON.parse( "{\"__proto__\": {\"devMode\": true}}" ) );
ok( !( "devMode" in {} ), "Object.prototype not polluted" );
} );

test("jQuery.each(Object,Function)", function() {
expect(14);
jQuery.each( [0,1,2], function(i, n){
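Review bot: In the "XSS via location.hash" test, `start()` is called synchronously at the end of the test body rather than inside `jQuery._check9521`, so if the `<img>` were ever created its `onerror` assertion would run after the test has already resumed and could be attributed to a later test. Moving `start();` into the callback, after `delete jQuery._check9521;`, keeps a regression inside this test. The selector string also has no closing `>`, while the HTML branch of `quickExpr` requires one, so this input may never reach that branch whether or not the guard is present. Separately, the "jQuery.extend( true, ... ) Object.prototype pollution" test is added twice in this file, once via `test(` and once via `QUnit.test(`, and both declare an unused `assert` parameter; one copy can be dropped.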