Hello community,

here is the log from the commit of package rubygem-jquery-rails for 
openSUSE:Factory checked in at 2015-06-23 11:56:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-jquery-rails (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-jquery-rails.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-jquery-rails"

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/rubygem-jquery-rails/rubygem-jquery-rails.changes    
    2015-02-16 21:13:07.000000000 +0100
+++ 
/work/SRC/openSUSE:Factory/.rubygem-jquery-rails.new/rubygem-jquery-rails.changes
   2015-06-23 11:56:08.000000000 +0200
@@ -1,0 +2,10 @@
+Wed Jun 17 04:36:02 UTC 2015 - co...@suse.com
+
+- updated to version 4.0.4
+ see installed CHANGELOG.md
+
+  ## 4.0.4
+  
+    - Fix CSP bypass vulnerability. CVE-2015-1840
+
+-------------------------------------------------------------------

Old:
----
  jquery-rails-4.0.3.gem

New:
----
  jquery-rails-4.0.4.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-jquery-rails.spec ++++++
--- /var/tmp/diff_new_pack.ZUdsf8/_old  2015-06-23 11:56:08.000000000 +0200
+++ /var/tmp/diff_new_pack.ZUdsf8/_new  2015-06-23 11:56:08.000000000 +0200
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-jquery-rails
-Version:        4.0.3
+Version:        4.0.4
 Release:        0
 %define mod_name jquery-rails
 %define mod_full_name %{mod_name}-%{version}

++++++ jquery-rails-4.0.3.gem -> jquery-rails-4.0.4.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md    2014-12-29 22:18:05.000000000 +0100
+++ new/CHANGELOG.md    2015-06-16 20:07:19.000000000 +0200
@@ -1,3 +1,7 @@
+## 4.0.4
+
+  - Fix CSP bypass vulnerability. CVE-2015-1840
+
 ## 4.0.1
 
   - Fix RubyGems permission problem.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/VERSIONS.md new/VERSIONS.md
--- old/VERSIONS.md     2014-12-29 22:18:05.000000000 +0100
+++ new/VERSIONS.md     2015-06-16 20:07:19.000000000 +0200
@@ -2,6 +2,7 @@
 
 | Gem    | jQuery | jQuery UJS | jQuery UI |
 |--------|--------|------------| ----------|
+| 4.0.4  | 1.11.2 & 2.1.3  | 1.0.4  | -         |
 | 4.0.3  | 1.11.2 & 2.1.3  | 1.0.3  | -         |
 | 4.0.2  | -      | -          | -         |
 | 4.0.1  | -      | -          | -         |
Files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/jquery/rails/version.rb 
new/lib/jquery/rails/version.rb
--- old/lib/jquery/rails/version.rb     2014-12-29 22:18:05.000000000 +0100
+++ new/lib/jquery/rails/version.rb     2015-06-16 20:07:19.000000000 +0200
@@ -1,8 +1,8 @@
 module Jquery
   module Rails
-    VERSION = "4.0.3"
+    VERSION = "4.0.4"
     JQUERY_VERSION = "1.11.2"
     JQUERY_2_VERSION = "2.1.3"
-    JQUERY_UJS_VERSION = "1.0.3"
+    JQUERY_UJS_VERSION = "1.0.4"
   end
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2014-12-29 22:18:05.000000000 +0100
+++ new/metadata        2015-06-16 20:07:19.000000000 +0200
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jquery-rails
 version: !ruby/object:Gem::Version
-  version: 4.0.3
+  version: 4.0.4
 platform: ruby
 authors:
 - André Arko
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-12-29 00:00:00.000000000 Z
+date: 2015-06-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/vendor/assets/javascripts/jquery_ujs.js 
new/vendor/assets/javascripts/jquery_ujs.js
--- old/vendor/assets/javascripts/jquery_ujs.js 2014-12-29 22:18:05.000000000 
+0100
+++ new/vendor/assets/javascripts/jquery_ujs.js 2015-06-16 20:07:19.000000000 
+0200
@@ -86,16 +86,14 @@
 
     // Default way to get an element's href. May be overridden at $.rails.href.
     href: function(element) {
-      return element.attr('href');
+      return element[0].href;
     },
 
     // Submits "remote" forms and links with ajax
     handleRemote: function(element) {
-      var method, url, data, elCrossDomain, crossDomain, withCredentials, 
dataType, options;
+      var method, url, data, withCredentials, dataType, options;
 
       if (rails.fire(element, 'ajax:before')) {
-        elCrossDomain = element.data('cross-domain');
-        crossDomain = elCrossDomain === undefined ? null : elCrossDomain;
         withCredentials = element.data('with-credentials') || null;
         dataType = element.data('type') || ($.ajaxSettings && 
$.ajaxSettings.dataType);
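Review bot: The new `href` reads the DOM property instead of the attribute, which changes what callers get for anything other than an `<a>`/`<area>`: `element[0].href` is `undefined` on other elements where `attr('href')` returned the attribute string, and a relative href now comes back already resolved. That deserves a sentence in the comment above it, e.g. `// Uses the DOM property (not the attribute) so relative hrefs come back resolved against the document; undefined on elements without an href property.` The `data-cross-domain` read is also dropped from handleRemote without a note, so a page that set `data-cross-domain` to force jQuery's crossDomain flag now silently has no effect; a CHANGELOG line or a deprecation comment would make that visible. handleRemote's body continues past the hunk.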
 
@@ -147,7 +145,7 @@
           error: function(xhr, status, error) {
             element.trigger('ajax:error', [xhr, status, error]);
           },
-          crossDomain: crossDomain
+          crossDomain: rails.isCrossDomain(url)
         };
 
         // There is no withCredentials for IE6-8 when
@@ -167,6 +165,27 @@
       }
     },
 
+    // Determines if the request is a cross domain request.
+    isCrossDomain: function(url) {
+      var originAnchor = document.createElement("a");
+      originAnchor.href = location.href;
+      var urlAnchor = document.createElement("a");
+
+      try {
+        urlAnchor.href = url;
+        // This is a workaround to a IE bug.
+        urlAnchor.href = urlAnchor.href;
+
+        // Make sure that the browser parses the URL and that the protocols 
and hosts match.
+        return !urlAnchor.protocol || !urlAnchor.host ||
+          (originAnchor.protocol + "//" + originAnchor.host !==
+            urlAnchor.protocol + "//" + urlAnchor.host);
+      } catch (e) {
+        // If there is an error parsing the URL, assume it is crossDomain.
+        return true;
+      }
+    },
+
     // Handles "data-method" on links such as:
     // <a href="/users/5" data-method="delete" rel="nofollow" 
data-confirm="Are you sure?">Delete</a>
     handleMethod: function(link) {
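Review bot: `isCrossDomain` is the guard that decides whether the CSRF token is attached (handleMethod) and whether jQuery treats the request as cross-domain (handleRemote), but nothing in the function says so or explains why the early arms fail closed; a header comment such as `// Security-sensitive: a false "same origin" answer would expose the CSRF token to another origin, so URLs that fail to parse or that have no protocol/host are reported as cross-domain.` would keep a later "simplification" from removing the `!urlAnchor.protocol || !urlAnchor.host` arm or the catch-all `return true`. The origin is run through an anchor element as well rather than read from `location.protocol`/`location.host`, presumably so both sides get identical host/port formatting from the same URL parser — worth one sentence, since an anchor's `.host` and `location.host` have not always agreed on default ports. Minor style point: the rest of the file declares locals at the top of each function (`var method, url, ...`), while this one declares `originAnchor` and `urlAnchor` mid-body.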
@@ -178,7 +197,7 @@
         form = $('<form method="post" action="' + href + '"></form>'),
         metadataInput = '<input name="_method" value="' + method + '" 
type="hidden" />';
 
-      if (csrfParam !== undefined && csrfToken !== undefined) {
+      if (csrfParam !== undefined && csrfToken !== undefined && 
!rails.isCrossDomain(href)) {
         metadataInput += '<input name="' + csrfParam + '" value="' + csrfToken 
+ '" type="hidden" />';
       }
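Review bot: The added `!rails.isCrossDomain(href)` condition has no comment explaining why the token is withheld, and the CHANGELOG in this same update calls the fix a "CSP bypass" while what this line prevents is the CSRF token being written into a form whose action points at another origin; a one-line comment would settle that, e.g. `// Only attach the CSRF token to same-origin forms; a cross-origin action would hand the token to that origin (CVE-2015-1840).` `href` is assigned before this hunk, so its provenance cannot be checked here, but since `isCrossDomain` resolves relative URLs against the document the check holds for relative hrefs as well. handleMethod's body begins before the hunk.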
 

