Hello community, here is the log from the commit of package rubygem-jquery-rails for openSUSE:Factory checked in at 2015-06-23 11:56:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-jquery-rails (Old) and /work/SRC/openSUSE:Factory/.rubygem-jquery-rails.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-jquery-rails"
Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-jquery-rails/rubygem-jquery-rails.changes 2015-02-16 21:13:07.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.rubygem-jquery-rails.new/rubygem-jquery-rails.changes 2015-06-23 11:56:08.000000000 +0200
@@ -1,0 +2,10 @@
+Wed Jun 17 04:36:02 UTC 2015 - co...@suse.com
+
+- updated to version 4.0.4
+ see installed CHANGELOG.md
+
+ ## 4.0.4
+
+ - Fix CSP bypass vulnerability. CVE-2015-1840
+
+-------------------------------------------------------------------
Old:
----
jquery-rails-4.0.3.gem
New:
----
jquery-rails-4.0.4.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-jquery-rails.spec ++++++
--- /var/tmp/diff_new_pack.ZUdsf8/_old 2015-06-23 11:56:08.000000000 +0200
+++ /var/tmp/diff_new_pack.ZUdsf8/_new 2015-06-23 11:56:08.000000000 +0200
@@ -24,7 +24,7 @@
 #
 Name: rubygem-jquery-rails
-Version: 4.0.3
+Version: 4.0.4
 Release: 0
 %define mod_name jquery-rails
 %define mod_full_name %{mod_name}-%{version}
++++++ jquery-rails-4.0.3.gem -> jquery-rails-4.0.4.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2014-12-29 22:18:05.000000000 +0100
+++ new/CHANGELOG.md 2015-06-16 20:07:19.000000000 +0200
@@ -1,3 +1,7 @@
+## 4.0.4
+
+ - Fix CSP bypass vulnerability. CVE-2015-1840
+
 ## 4.0.1
 - Fix RubyGems permission problem.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/VERSIONS.md new/VERSIONS.md
--- old/VERSIONS.md 2014-12-29 22:18:05.000000000 +0100
+++ new/VERSIONS.md 2015-06-16 20:07:19.000000000 +0200
@@ -2,6 +2,7 @@
 | Gem | jQuery | jQuery UJS | jQuery UI |
 |--------|--------|------------| ----------|
+| 4.0.4 | 1.11.2 & 2.1.3 | 1.0.4 | - |
 | 4.0.3 | 1.11.2 & 2.1.3 | 1.0.3 | - |
 | 4.0.2 | - | - | - |
 | 4.0.1 | - | - | - |
Files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/jquery/rails/version.rb new/lib/jquery/rails/version.rb
--- old/lib/jquery/rails/version.rb 2014-12-29 22:18:05.000000000 +0100
+++ new/lib/jquery/rails/version.rb 2015-06-16 20:07:19.000000000 +0200
@@ -1,8 +1,8 @@
 module Jquery
 module Rails
- VERSION = "4.0.3"
+ VERSION = "4.0.4"
 JQUERY_VERSION = "1.11.2"
 JQUERY_2_VERSION = "2.1.3"
- JQUERY_UJS_VERSION = "1.0.3"
+ JQUERY_UJS_VERSION = "1.0.4"
 end
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2014-12-29 22:18:05.000000000 +0100
+++ new/metadata 2015-06-16 20:07:19.000000000 +0200
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jquery-rails
 version: !ruby/object:Gem::Version
- version: 4.0.3
+ version: 4.0.4
 platform: ruby
 authors:
 - André Arko
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-12-29 00:00:00.000000000 Z
+date: 2015-06-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: railties
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/assets/javascripts/jquery_ujs.js new/vendor/assets/javascripts/jquery_ujs.js
--- old/vendor/assets/javascripts/jquery_ujs.js 2014-12-29 22:18:05.000000000 +0100
+++ new/vendor/assets/javascripts/jquery_ujs.js 2015-06-16 20:07:19.000000000 +0200
@@ -86,16 +86,14 @@
 // Default way to get an element's href. May be overridden at $.rails.href.
 href: function(element) {
- return element.attr('href');
+ return element[0].href;
 },
 // Submits "remote" forms and links with ajax
 handleRemote: function(element) {
- var method, url, data, elCrossDomain, crossDomain, withCredentials, dataType, options;
+ var method, url, data, withCredentials, dataType, options;
 if (rails.fire(element, 'ajax:before')) {
- elCrossDomain = element.data('cross-domain');
- crossDomain = elCrossDomain === undefined ? null : elCrossDomain;
 withCredentials = element.data('with-credentials') || null;
 dataType = element.data('type') || ($.ajaxSettings && $.ajaxSettings.dataType);
@@ -147,7 +145,7 @@
 error: function(xhr, status, error) {
 element.trigger('ajax:error', [xhr, status, error]);
 },
- crossDomain: crossDomain
+ crossDomain: rails.isCrossDomain(url)
 };
 // There is no withCredentials for IE6-8 when
@@ -167,6 +165,27 @@
 }
 },
+ // Determines if the request is a cross domain request.
+ isCrossDomain: function(url) {
+ var originAnchor = document.createElement("a");
+ originAnchor.href = location.href;
+ var urlAnchor = document.createElement("a");
+
+ try {
+ urlAnchor.href = url;
+ // This is a workaround to a IE bug.
+ urlAnchor.href = urlAnchor.href;
+
+ // Make sure that the browser parses the URL and that the protocols and hosts match.
+ return !urlAnchor.protocol || !urlAnchor.host ||
+ (originAnchor.protocol + "//" + originAnchor.host !==
+ urlAnchor.protocol + "//" + urlAnchor.host);
+ } catch (e) {
+ // If there is an error parsing the URL, assume it is crossDomain.
+ return true;
+ }
+ },
+
 // Handles "data-method" on links such as:
 // <a href="/users/5" data-method="delete" rel="nofollow" data-confirm="Are you sure?">Delete</a>
 handleMethod: function(link) {
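Review bot: `element[0].href` on the new `href:` line returns the browser-resolved absolute URL, whereas the removed `element.attr('href')` returned the raw attribute text, and since the comment above it advertises `$.rails.href` as an override point that contract change should be stated; I'd extend that comment with `// Returns the DOM-resolved absolute URL, not the raw attribute value.` Unlike `.attr`, `element[0]` also throws on an empty jQuery set instead of yielding `undefined`; the caller visible here passes the activated link, so this looks harmless, but a `// element is expected to be a non-empty link set` note would make the assumption explicit. The same hunk removes the `elCrossDomain` lines and with them the `data-cross-domain` attribute as a caller-controlled override, which is a user-visible change the CHANGELOG hunk in this commit does not mention beyond the CVE reference. The body of handleRemote continues past the end of the hunk.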
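Review bot: isCrossDomain builds the origin from a second anchor element instead of reading `location.protocol`/`location.host` directly, and nothing in the hunk says why; presumably this is so both sides are normalised by the same URL parser, and a comment such as `// Parse the origin through an anchor too so both sides are normalised by the same parser; do not replace originAnchor with location.*` would keep a later cleanup from reintroducing mismatches. The fail-closed choices are the security-relevant part and deserve saying so: both the `!urlAnchor.protocol || !urlAnchor.host` branch and the `catch` return `true`, so an unparseable, scheme-less or non-http(s) URL is treated as cross-domain and, via the `crossDomain:` line in the previous hunk and the `!rails.isCrossDomain(href)` guard in the next, the CSRF token is withheld. The IE comment should at least read `// This is a workaround for an IE bug.` and, if the maintainers can confirm it, say what the re-assignment of `urlAnchor.href` to itself achieves, since the hunk does not.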
@@ -178,7 +197,7 @@
 form = $('<form method="post" action="' + href + '"></form>'),
 metadataInput = '<input name="_method" value="' + method + '" type="hidden" />';
- if (csrfParam !== undefined && csrfToken !== undefined) {
+ if (csrfParam !== undefined && csrfToken !== undefined && !rails.isCrossDomain(href)) {
 metadataInput += '<input name="' + csrfParam + '" value="' + csrfToken + '" type="hidden" />';
 }