Hello community, here is the log from the commit of package rubygem-jquery-rails.3909 for openSUSE:13.2:Update checked in at 2015-07-17 16:46:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.2:Update/rubygem-jquery-rails.3909 (Old) and /work/SRC/openSUSE:13.2:Update/.rubygem-jquery-rails.3909.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-jquery-rails.3909" Changes: -------- New Changes file:
--- /dev/null 2015-06-25 09:04:34.320025005 +0200
+++ /work/SRC/openSUSE:13.2:Update/.rubygem-jquery-rails.3909.new/rubygem-jquery-rails.changes 2015-07-17 16:46:35.000000000 +0200
@@ -0,0 +1,120 @@
+-------------------------------------------------------------------
+Thu Jul 9 11:44:15 UTC 2015 - [email protected]
+
+- fix CVE-2015-1840: rubygem-jquery-rails: CSRF Vulnerability in
+  jquery-ujs and jquery-rails (bnc#934795)
+
+  CVE-2015-1840.patch: contains the fix
+
+-------------------------------------------------------------------
+Mon Jul 28 05:28:18 UTC 2014 - [email protected]
+
+- updated to version 3.1.1
+  - Updated to jQuery 1.11.1
+  - Updated to jquery-ujs 1.0.0
+
+-------------------------------------------------------------------
+Thu Feb 6 18:00:06 UTC 2014 - [email protected]
+
+- updated to version 3.1.0
+  - Updated to jQuery 1.11.0
+  - Updated to latest jquery-ujs
+  - Added development rake task for updating jQuery
+
+-------------------------------------------------------------------
+Sat Jul 20 11:04:55 UTC 2013 - [email protected]
+
+- updated to version 3.0.4
+  - Updated to jQuery 1.10.2
+  - Updated to latest jquery-ujs
+
+-------------------------------------------------------------------
+Sat Jun 8 06:29:29 UTC 2013 - [email protected]
+
+- updated to version 3.0.1
+  - Updated to jQuery 1.10.1
+  - Removed jQuery UI from generator
+
+-------------------------------------------------------------------
+Wed May 29 08:23:11 UTC 2013 - [email protected]
+
+- updated to version 3.0.0
+  - Removed jQuery UI
+  - Updated to jQuery 1.10.0
+  - Updated to latest jquery-ujs
+
+-------------------------------------------------------------------
+Tue Feb 12 16:54:45 UTC 2013 - [email protected]
+
+- updated to version 2.2.1
+  - Updated to jQuery 1.9.1
+  - Updated to latest jquery-ujs
+
+-------------------------------------------------------------------
+Fri Jan 25 06:41:41 UTC 2013 - [email protected]
+
+- updated to version 2.2.0
+  - Updated to jQuery 1.9.0
+  - Updated to latest jquery-ujs
+
+-------------------------------------------------------------------
+Mon Nov 26 17:39:56 UTC 2012 - [email protected]
+
+- updated to version 2.1.4
+  - Updated to jQuery 1.8.3
+  - Updated to jQuery UI 1.9.2
+  - Rails 4 compatibility
+  - Rails 3.0 compatibility
+  - Rails 3.1 (without asset pipeline) compatibility
+
+-------------------------------------------------------------------
+Tue Sep 25 10:01:56 UTC 2012 - [email protected]
+
+- updated to version 2.1.3
+  - Updated to jquery 1.8.2
+
+-------------------------------------------------------------------
+Fri Sep 7 09:18:46 UTC 2012 - [email protected]
+
+- updated to version 2.1.2
+  - Updated to latest jquery-ujs
+    - required radio bugfix
+  - Updated to jQuery 1.8.1
+
+-------------------------------------------------------------------
+Sun Aug 26 05:41:01 UTC 2012 - [email protected]
+
+- updated to version 2.1.1
+  - Updated to latest jquery-ujs
+    - ajax:aborted:file bugfixes
+
+  - Updated to latest jquery-ujs
+    - jQuery 1.8.0 compatibility
+  - Updated to jQuery 1.8.0
+  - Updated to jQuery UI 1.8.23
+
+  - Updated to latest jquery-ujs
+    - created `rails:attachBindings` to allow for customization of $.rails object settings
+    - created `ajax:send` event to provide access to jqXHR object from ajax requests
+    - added support for `data-with-credentials`
+
+-------------------------------------------------------------------
+Sat Jul 28 14:32:36 UTC 2012 - [email protected]
+
+- update to 2.0
+
+-------------------------------------------------------------------
+Wed Aug 31 07:51:30 UTC 2011 - [email protected]
+
+- update to version 1.0.13
+
+-------------------------------------------------------------------
+Wed Aug 3 12:37:32 UTC 2011 - [email protected]
+
+- Package version 1.0.12
+
+-------------------------------------------------------------------
+Tue May 17 16:15:20 UTC 2011 - [email protected]
+
+- initial package 1.0.3
+
New: ---- CVE-2015-1840.patch jquery-rails-3.1.1.gem rubygem-jquery-rails.changes rubygem-jquery-rails.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ 
rubygem-jquery-rails.spec ++++++ # # spec file for package rubygem-jquery-rails # # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: rubygem-jquery-rails Version: 3.1.1 Release: 0 %define mod_name jquery-rails %define mod_full_name %{mod_name}-%{version} BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: ruby-macros >= 3 Url: http://rubygems.org/gems/jquery-rails Source: http://rubygems.org/gems/%{mod_full_name}.gem Patch0: CVE-2015-1840.patch Summary: Use jQuery with Rails 3+ License: MIT Group: Development/Languages/Ruby %description This gem provides jQuery and the jQuery-ujs driver for your Rails 3+ application. %package doc Summary: RDoc documentation for %{mod_name} Group: Development/Languages/Ruby Requires: %{name} = %{version} %description doc Documentation generated at gem installation time. Usually in RDoc and RI formats. %prep gem unpack --verbose %{S:0} pushd %{mod_full_name} chmod -R go-w . 
gem spec --ruby %{S:0} > %{mod_full_name}.gemspec patch -p1 < %{P:0} gem build %{mod_full_name}.gemspec popd %build %install %gem_install -f %{mod_full_name}/%{mod_full_name}.gem mkdir -p %{buildroot}%{_docdir}/%{name} ln -s %{gem_base}/gems/%{mod_full_name}/CHANGELOG.md %buildroot/%{_docdir}/%{name}/CHANGELOG.md ln -s %{gem_base}/gems/%{mod_full_name}/LICENSE %buildroot/%{_docdir}/%{name}/LICENSE ln -s %{gem_base}/gems/%{mod_full_name}/README.md %buildroot/%{_docdir}/%{name}/README.md %files %defattr(-,root,root,-) %{_docdir}/%{name} %{gem_base}/cache/%{mod_full_name}.gem %{gem_base}/gems/%{mod_full_name}/ %{gem_base}/specifications/%{mod_full_name}.gemspec %files doc %defattr(-,root,root,-) %doc %{gem_base}/doc %changelog
++++++ CVE-2015-1840.patch ++++++
--- a/vendor/assets/javascripts/jquery_ujs.js
+++ a/vendor/assets/javascripts/jquery_ujs.js
@@ -86,16 +86,14 @@
     // Default way to get an element's href. May be overridden at $.rails.href.
     href: function(element) {
-      return element.attr('href');
+      return element[0].href;
     },
     // Submits "remote" forms and links with ajax
     handleRemote: function(element) {
-      var method, url, data, elCrossDomain, crossDomain, withCredentials, dataType, options;
+      var method, url, data, withCredentials, dataType, options;
       if (rails.fire(element, 'ajax:before')) {
-        elCrossDomain = element.data('cross-domain');
-        crossDomain = elCrossDomain === undefined ? null : elCrossDomain;
         withCredentials = element.data('with-credentials') || null;
         dataType = element.data('type') || ($.ajaxSettings && $.ajaxSettings.dataType);
@@ -147,7 +145,7 @@
         error: function(xhr, status, error) {
           element.trigger('ajax:error', [xhr, status, error]);
         },
-        crossDomain: crossDomain
+        crossDomain: rails.isCrossDomain(url)
       };
       // There is no withCredentials for IE6-8 when
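Review bot: `href` now returns `element[0].href`, the browser-resolved absolute URL, instead of the raw attribute; that is what lets `rails.isCrossDomain(url)` in the second hunk see a fully-qualified URL, but for a jQuery set whose first element is not an anchor or area the property is undefined rather than the attribute value the old code returned. The assignment of `url` inside `handleRemote` is outside this hunk, so I cannot confirm from here that the form path (which presumably takes the URL from the `action` attribute) also reaches `isCrossDomain` with a value it can resolve. Dropping `data-cross-domain` is a silent behaviour change for any markup that set it, and deserves a comment next to `crossDomain: rails.isCrossDomain(url)`, e.g. `// Derived from the URL's origin only; the former data-cross-domain attribute is no longer honoured, so markup cannot declare a foreign URL same-origin.` `handleRemote` starts in the first hunk and its body continues outside the second.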
@@ -167,6 +165,27 @@
       }
     },
+    // Determines if the request is a cross domain request.
+    isCrossDomain: function(url) {
+      var originAnchor = document.createElement("a");
+      originAnchor.href = location.href;
+      var urlAnchor = document.createElement("a");
+
+      try {
+        urlAnchor.href = url;
+        // This is a workaround to a IE bug.
+        urlAnchor.href = urlAnchor.href;
+
+        // Make sure that the browser parses the URL and that the protocols and hosts match.
+        return !urlAnchor.protocol || !urlAnchor.host ||
+          (originAnchor.protocol + "//" + originAnchor.host !==
+            urlAnchor.protocol + "//" + urlAnchor.host);
+      } catch (e) {
+        // If there is an error parsing the URL, assume it is crossDomain.
+        return true;
+      }
+    },
+ // Handles "data-method" on links such as:
+ // <a href="/users/5" data-method="delete" rel="nofollow" data-confirm="Are you sure?">Delete</a>
     handleMethod: function(link) {
@@ -178,7 +197,7 @@
         form = $('<form method="post" action="' + href + '"></form>'),
         metadataInput = '<input name="_method" value="' + method + '" type="hidden" />';
-      if (csrfParam !== undefined && csrfToken !== undefined) {
+      if (csrfParam !== undefined && csrfToken !== undefined && !rails.isCrossDomain(href)) {
         metadataInput += '<input name="' + csrfParam + '" value="' + csrfToken + '" type="hidden" />';
       }
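Review bot: `isCrossDomain` decides by string-comparing `protocol + "//" + host`, and whether an anchor's `host` carries a default port (`:80`/`:443`) has historically differed between browsers and from `location.host`; where they disagree, a same-origin link is classed cross-domain and the `if` in the second hunk silently omits the CSRF field from the generated form, so the `data-method` request would be rejected server-side — worth verifying on the browsers this package targets. Both the `!urlAnchor.protocol || !urlAnchor.host` branch and the `catch` fail closed (treat the URL as cross-domain), which is the right default for a check that gates a secret. The new function carries no contract comment; I would add above `isCrossDomain:` the line `// True unless url resolves to the page's own protocol and host; used to keep the CSRF token out of requests to other origins (CVE-2015-1840), erring toward true.` `handleMethod` begins at the end of the first hunk and its body continues outside the second.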
