rpms/js-jquery
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to 2.2.4 and backport XSS patch (bz#1399550,bz#1399549)

Browse Source
This commit is contained in:
Christopher Tubbs 2016-12-20 18:16:10 -05:00
parent 102b23bc0f
commit cf7b28bdf5
5 changed files with 114 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,2 +1,3 @@
/js-jquery-4dec426aa2a6cbabb1b064319ba7c272d594a688.tar.gz
/js-jquery-8f2a9d9272d6ed7f32d3a484740ab342c02541e0.tar.gz
/jquery-2.2.4.tar.gz

15
js-jquery-disable-gzip-js.patch
View File

@ -1,14 +1,11 @@
diff --git a/Gruntfile.js b/Gruntfile.js
index d1ad5d4..f1f1a28 100644
--- a/Gruntfile.js
+++ b/Gruntfile.js
@@ -9,8 +9,7 @@ module.exports = function( grunt ) {
return data;
}
@@ -13,7 +13,6 @@ module.exports = function( grunt ) {
- var gzip = require( "gzip-js" ),
- srcHintOptions = readOptionalJSON( "src/.jshintrc" );
+ var srcHintOptions = readOptionalJSON( "src/.jshintrc" );
var fs = require( "fs" ),
stripJSONComments = require( "strip-json-comments" ),
- gzip = require( "gzip-js" ),
srcHintOptions = readOptionalJSON( "src/.jshintrc" ),
newNode = !/^v0/.test( process.version ),
// The concatenated file won't pass onevar
// But our modules can

24
js-jquery.spec
View File

@ -1,9 +1,6 @@
%global commit 8f2a9d9272d6ed7f32d3a484740ab342c02541e0
%global shortcommit %(c=%{commit}; echo ${c:0:7})
Name: js-jquery
Version: 2.1.3
Release: 3%{?dist}
Version: 2.2.4
Release: 1%{?dist}
Summary: JavaScript DOM manipulation, event handling, and AJAX library
BuildArch: noarch
@ -12,11 +9,13 @@ BuildArch: noarch
%global ver_z %(echo %{version} | cut -d. -f3)
License: MIT
URL: http://jquery.com/
Source0: https://github.com/jquery/jquery/archive/%{commit}/%{name}-%{commit}.tar.gz
URL: https://jquery.com/
Source0: https://github.com/jquery/jquery/archive/%{version}/jquery-%{version}.tar.gz
# disable gzip-js during build
Patch1: %{name}-disable-gzip-js.patch
# backport of XSS bug fix from upstream; upstream fixed in 3.0.0 and newer
Patch2: xss-fix-b078a62.patch
BuildRequires: web-assets-devel
BuildRequires: nodejs-packaging
@ -31,6 +30,8 @@ BuildRequires: npm(grunt-cli)
BuildRequires: npm(grunt-contrib-uglify)
BuildRequires: npm(load-grunt-tasks)
BuildRequires: npm(requirejs)
#BuildRequires: npm(strip-json-comments) # won't work on epel7 branch
BuildRequires: nodejs-strip-json-comments
Requires: web-assets-filesystem
@ -42,8 +43,10 @@ browsers. With a combination of versatility and extensibility, jQuery has
changed the way that millions of people write JavaScript.
%prep
%setup -qn jquery-%{commit}
# autosetup doesn't work right on epel7 branch
%setup -qn jquery-%{version}
%patch1 -p1
%patch2 -p1
#remove precompiled stuff
rm -rf dist/* src/sizzle
@ -79,10 +82,13 @@ ln -s %{version} %{installdir}/%{ver_x}.%{ver_y}
%files
%{_jsdir}/jquery
%{_webassetdir}/jquery
%doc AUTHORS.txt CONTRIBUTING.md MIT-LICENSE.txt README.md
%doc AUTHORS.txt CONTRIBUTING.md LICENSE.txt README.md
%changelog
* Tue Dec 20 2016 Christopher Tubbs <ctubbsii@fedoraproject.org> - 2.2.4-1
- Update to 2.2.4 and backport XSS patch (bz#1399550,bz#1399549)
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

2
sources
View File

@ -1 +1 @@
eba3a924d520e1018b0cc1f0bdd2ffbc js-jquery-8f2a9d9272d6ed7f32d3a484740ab342c02541e0.tar.gz
SHA512 (jquery-2.2.4.tar.gz) = bd1176286451adeaa8c18eb98e01e8b91e45157f7263907772d637a2c15b8ac27b780be14983c4abcff5def668323beab9a6889d8da4beb6c2c06fae1f5bed1d

91
xss-fix-b078a62.patch Normal file
View File

@ -0,0 +1,91 @@
From b078a62013782c7424a4a61a240c23c4c0b42614 Mon Sep 17 00:00:00 2001
From: Oleg Gaidarenko <markelog@gmail.com>
Date: Thu, 10 Sep 2015 13:40:00 +0300
Subject: [PATCH] Ajax: Mitigate possible XSS vulnerability
Proposed by @jaubourg
Fixes gh-2432
Closes gh-2588
---
src/ajax/script.js | 7 +++++++
test/unit/ajax.js | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 55 insertions(+), 0 deletion(-)
diff --git a/src/ajax/script.js b/src/ajax/script.js
index 60b1fb6..0ec27b4 100644
--- a/src/ajax/script.js
+++ b/src/ajax/script.js
@@ -4,6 +4,13 @@ define( [
"../ajax"
], function( jQuery, document ) {
+// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
+jQuery.ajaxPrefilter( function( s ) {
+ if ( s.crossDomain ) {
+ s.contents.script = false;
+ }
+} );
+
// Install script dataType
jQuery.ajaxSetup( {
accepts: {
diff --git a/test/unit/ajax.js b/test/unit/ajax.js
index 14fe0be..6479587 100644
--- a/test/unit/ajax.js
+++ b/test/unit/ajax.js
@@ -71,6 +71,54 @@ QUnit.module( "ajax", {
};
} );
+ ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
+ return {
+ create: function( options ) {
+ options.crossDomain = true;
+ return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
+ },
+ success: function() {
+ assert.ok( true, "success" );
+ },
+ complete: function() {
+ assert.ok( true, "complete" );
+ }
+ };
+ } );
+
+ ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
+ function( assert ) {
+ return {
+ create: function( options ) {
+ options.crossDomain = true;
+ options.dataType = "script";
+ return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
+ },
+ success: function() {
+ assert.ok( true, "success" );
+ },
+ complete: function() {
+ assert.ok( true, "complete" );
+ }
+ };
+ }
+ );
+
+ ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
+ return {
+ create: function( options ) {
+ options.crossDomain = true;
+ return jQuery.ajax( url( "data/script.php" ), options );
+ },
+ success: function() {
+ assert.ok( true, "success" );
+ },
+ complete: function() {
+ assert.ok( true, "complete" );
+ }
+ };
+ } );
+
ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
return {
setup: addGlobalEvents( "ajaxStart ajaxStop ajaxSend ajaxComplete ajaxSuccess", assert ),