Bug#928827: libjs-jquery: Minified version of jquery.js (jquery.min.js) throws syntax error

2019-05-14 Thread Christoph Weber
Source: jquery
Version: 1.7.2+dfsg-3.2+deb8u6
Followup-For: Bug #928827

Hello,

I investigated this issue and believe the recent change
"Fix problem calling uglify during build." (related patch is
"fix_uglify_invocation.patch") leads to this issue. I guess
it was introduced in the security fix #927385. (The previous
version 1.7.2+dfsg-3.2 works fine after downgrade.)

The key to this issue is the following target in the Makefile:

${JQ_MIN}: ${JQ}
	@@if test ! -z ${JS_ENGINE}; then \
		echo "Minifying jQuery" ${JQ_MIN}; \
		${COMPILER} < ${JQ} > ${JQ_MIN}.tmp; \
		${POST_COMPILER} ${JQ_MIN}.tmp; \
		rm -f ${JQ_MIN}.tmp; \
	else \
		echo "You must have NodeJS installed in order to minify jQuery."; \
	fi

POST_COMPILER, namely post-compile.js, is a script which tries to
replace the first comment in ${JQ_MIN}.tmp with a version number.
The COMPILER, namely uglifyjs, removes all comments by default.
Therefore, the regex in post-compile.js matches some quoted
strings containing "/*" and "*/" and replaces a large section of
code with a version number.

The browser reacts with "nothing to repeat", as the breakage is
within a regex and the asterisk follows nothing appropriate.

There are multiple ways to fix it: Disable post-compile.js, fix
the regex to match only valid comments, or keep the first comment.
I'll add a patch to achieve the latter, because I like the initial
comment containing the version number.

-- System Information:
Debian Release: 8.11
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
keep the first comment (post-compile.js needs and replaces it)
Index: jquery-1.7.2+dfsg/Makefile
===
--- jquery-1.7.2+dfsg.orig/Makefile
+++ jquery-1.7.2+dfsg/Makefile
@@ -6,7 +6,7 @@ PREFIX = .
 DIST_DIR = ${PREFIX}/dist
 
 JS_ENGINE ?= `which node 2>/dev/null || which nodejs 2>/dev/null`
-COMPILER = `which uglifyjs 2>/dev/null` --unsafe
+COMPILER = `which uglifyjs 2>/dev/null` --unsafe --comments /license/
 POST_COMPILER = ${JS_ENGINE} ${BUILD_DIR}/post-compile.js
 
 BASE_FILES = ${SRC_DIR}/core.js\
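
Review bot: the new COMPILER line only keeps comments whose text matches /license/, so the fix depends on the header comment of ${JQ} containing that word, and nothing in the Makefile records that dependency. A short comment above COMPILER saying that post-compile.js expects the first comment to survive minification would keep a later header or flag change from silently reintroducing the breakage. It would also be worth making the ${JQ_MIN} target fail when ${JQ_MIN}.tmp does not begin with a comment, since the regex in post-compile.js is unchanged by this patch and will still match quoted "/*" and "*/" if the header is ever stripped again.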


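Added example, not code from this thread or from post-compile.js: a stand-in for the banner step described above. It shows an unanchored comment regex cutting from a quoted "/*" to the next "*/" once the minifier has stripped the header, next to a variant anchored to the start of the file. The banner text, both regexes and both sample inputs are constructed assumptions.

```javascript
// Added example. BANNER, both regexes and both inputs are constructed
// stand-ins; none of this is copied from post-compile.js.
const BANNER = "/*! jQuery v1.7.2 jquery.com | jquery.org/license */";

// Minified output when the minifier keeps the header comment.
const WITH_HEADER =
  '/*! constructed header, see license */\nvar open="/*",rx=/a*/,tail=1;';
// The same code when the minifier strips every comment.
const STRIPPED = 'var open="/*",rx=/a*/,tail=1;';

// Unanchored: the first "/*" ... "*/" pair anywhere is taken for the header.
function naiveBanner(src) {
  return src.replace(/\/\*[\s\S]*?\*\//, BANNER);
}

// Anchored: only a comment at the very start of the file is the header.
// If none is there, prepend the banner and leave the code untouched.
function anchoredBanner(src) {
  const header = /^\s*\/\*[\s\S]*?\*\//;
  return header.test(src) ? src.replace(header, BANNER) : BANNER + "\n" + src;
}

// Syntax-only check: new Function compiles the text without running it.
function parses(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

for (const [name, src] of [["with header", WITH_HEADER], ["stripped", STRIPPED]]) {
  console.log(name, "| naive parses:", parses(naiveBanner(src)),
    "| anchored parses:", parses(anchoredBanner(src)));
}
```

The exact error a browser reports depends on where the cut lands; here it leaves an unterminated string literal.
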
Bug#928827: [Pkg-javascript-devel] Bug#928827: libjs-jquery: Minified version of jquery.js (jquery.min.js) throws syntax error

2019-05-11 Thread Xavier
Control: fixed -1 3.1.1-1
Control: notfound -1 1.7.2+dfsg-3.2
Control: tags -1 confirmed

On 11/05/2019 at 21:52, Harald Oest wrote:
> Package: libjs-jquery
> Version: 1.7.2+dfsg-3.2+deb8u6
> Severity: normal
> 
> Dear Maintainer,
> 
> the minified jquery library ('/usr/share/javascript/jquery/jquery.min.js') 
> crashes with error 'SyntaxError: nothing to repeat' (as reported by Firefox 
> JS console).
> 
> Step to reproduce this behaviour is to include the library and initialize 
> jquery, e.g.
> 
> 
> 
>$(function() {
>console.log( "Hi, i'm jquery!" );
>});
> 
> 
> The not-minified version ('/usr/share/javascript/jquery/jquery.js') works 
> just well.
> 
> Bests
> 
> Harald

Thanks for this report. Here is a simple script to test jquery files:

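  #!/bin/sh
  JQUERY=$1
  if test "$JQUERY" = ""; then
    echo "Usage $0 /path/to/jquery" >&2
    exit 1
  fi
  # The HTML tags below are reconstructed (assumed): the archived copy
  # of this script kept only the text between them.
  # The page shows "OK" only if the given jquery file loads and runs.
  echo '
  <html><body>
  <div id="d">NOK</div>
  <script src="'"$JQUERY"'"></script>
  <script>
  $("#d").text("OK");
  </script>
  </body></html>
  ' >/tmp/index.html
  firefox /tmp/index.html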

Only deb8u* versions are affected by this bug (oldstable only)



Bug#928827: libjs-jquery: Minified version of jquery.js (jquery.min.js) throws syntax error

2019-05-11 Thread Harald Oest
Package: libjs-jquery
Version: 1.7.2+dfsg-3.2+deb8u6
Severity: normal

Dear Maintainer,

the minified jquery library ('/usr/share/javascript/jquery/jquery.min.js') 
crashes with error 'SyntaxError: nothing to repeat' (as reported by Firefox JS 
console).

Step to reproduce this behaviour is to include the library and initialize 
jquery, e.g.



   $(function() {
   console.log( "Hi, i'm jquery!" );
   });


The not-minified version ('/usr/share/javascript/jquery/jquery.js') works just 
well.

Bests

Harald

-- System Information:
Debian Release: 8.11
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-7-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

libjs-jquery depends on no packages.

Versions of packages libjs-jquery recommends:
ii  javascript-common  11

libjs-jquery suggests no packages.

-- no debconf information