fix all CVEs in 1.6.4 #1


Open
wants to merge 27 commits into
base: 1.6.4-branch
ee931ed
Include distribution in release tag
timmywil Feb 12, 2014
13e9cde
Include distribution in release tag
timmywil Feb 12, 2014
9b20df0
Include distribution in release tag
timmywil Feb 12, 2014
dbce0ce
Include distribution in release tag
timmywil Feb 12, 2014
af543e2
🔒️ fix CVE-2015-9251
ctcpip Dec 11, 2023
eb69988
🔒️ fix CVE-2012-6708
ctcpip Dec 11, 2023
ab024c1
🔒️ fix CVE-2019-11358
ctcpip Dec 11, 2023
a92926c
🔒️ fix CVE-2020-11022
ctcpip Dec 11, 2023
e5a5d49
🔒️ fix CVE-2020-11023
ctcpip Dec 11, 2023
9048c5a
🔒️ fix CVE-2020-7656
ctcpip Dec 11, 2023
ac067d7
fix support reference
ctcpip Dec 15, 2023
fe5ca13
fix script regex
ctcpip Dec 15, 2023
08ffd65
test fixes
ctcpip Dec 18, 2023
c70c7ba
🔒️ fix CVE-2011-4969
ctcpip Dec 20, 2023
8bdec18
🔒️ fix CVE-2012-6708
ctcpip Dec 20, 2023
654d925
🔒️ fix CVE-2019-11358
ctcpip Dec 21, 2023
ae1140f
🔒️ fix CVE-2020-11022
ctcpip Dec 21, 2023
8158bf0
🔒️ fix CVE-2020-7656
ctcpip Feb 10, 2024
6767dbc
🔒️ fix CVE-2020-11023
ctcpip Feb 10, 2024
8f1483b
💚 commit built jquery from latest
ctcpip Feb 15, 2024
f400223
Merge branch '1.2.7-sec' into 1.3.3-sec
ctcpip Feb 15, 2024
5affbad
Merge branch '1.3.3-sec' into 1.4.5-sec
ctcpip Feb 15, 2024
d0fef0a
✅ fix tests
ctcpip Feb 15, 2024
634d27d
🔒️ fix CVE-2015-9251
ctcpip Feb 16, 2024
fa65c2b
♻️ update old node code, prevent jslint exception
ctcpip Feb 16, 2024
6446298
Merge branch '1.4.5-sec' into 1.5.3-sec
ctcpip Feb 16, 2024
3877721
Merge branch '1.5.3-sec' into 1.6.5-sec
ctcpip Feb 16, 2024
4 changes: 2 additions & 2 deletions .gitmodules
@@ -1,6 +1,6 @@
[submodule "src/sizzle"]
path = src/sizzle
url = git://github.com/jquery/sizzle.git
url = https://github.com/jquery/sizzle.git
[submodule "test/qunit"]
path = test/qunit
url = git://github.com/jquery/qunit.git
url = https://github.com/qunitjs/qunit.git
4 changes: 2 additions & 2 deletions build/jslint-check.js
@@ -1,5 +1,5 @@
var JSLINT = require("./lib/jslint").JSLINT,
print = require("sys").print,
print = console.log,
src = require("fs").readFileSync("dist/jquery.js", "utf8");

JSLINT(src, { evil: true, forin: true, maxerr: 100 });
Expand All @@ -21,7 +21,7 @@ var e = JSLINT.errors, found = 0, w;
for ( var i = 0; i < e.length; i++ ) {
w = e[i];

if ( !ok[ w.reason ] ) {
if ( w && !ok[ w.reason ] ) {
found++;
print( "\n" + w.evidence + "\n" );
print( " Problem at line " + w.line + " character " + w.character + ": " + w.reason );
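Review bot: The added `w &&` guard in the reporting loop has no comment saying why an entry of `JSLINT.errors` can be falsy, so a later reader may take it for dead code; a line such as `// JSLINT.errors can end with a null entry when the linter stops early` above the `if` would record the reason (worth confirming against the bundled build/lib/jslint). Separately, `print = console.log` is not a drop-in for `sys.print`: console.log appends a newline to every call, so the messages here that already carry "\n" gain blank lines, and the same substitution in build/post-compile.js would, if `print` emits the built file there, add a trailing newline to it. `print = process.stdout.write.bind( process.stdout ),` keeps the old output byte-for-byte. The loop body continues below the visible lines.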
2 changes: 1 addition & 1 deletion build/post-compile.js
@@ -1,6 +1,6 @@
#!/usr/bin/env node

var print = require( "sys" ).print,
var print = console.log,
fs = require( "fs" ),
src = fs.readFileSync( process.argv[2], "utf8" ),
version = fs.readFileSync( "version.txt", "utf8" ),
2 changes: 1 addition & 1 deletion component.json
@@ -1,6 +1,6 @@
{
"name" : "jquery",
"version" : "1.6.4",
"version" : "1.6.5-sec",
"main" : "./jquery.js",
"dependencies": {
}
41 changes: 27 additions & 14 deletions jquery.js
100755 → 100644
@@ -1,5 +1,5 @@
/*!
* jQuery JavaScript Library v1.6.4
* jQuery JavaScript Library v1.6.5-sec
* http://jquery.com/
*
* Copyright 2011, John Resig
Expand All @@ -11,7 +11,7 @@
* Copyright 2011, The Dojo Foundation
* Released under the MIT, BSD, and GPL Licenses.
*
* Date: Mon Sep 12 18:54:48 2011 -0400
* Date: Fri Dec 15 14:14:35 2023 -0600
*/
(function( window, undefined ) {

Expand All @@ -38,7 +38,8 @@ var jQuery = function( selector, context ) {

// A simple way to check for HTML strings or ID strings
// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
// Strict HTML recognition (#11290: must start with <)
quickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,

// Check if a string has a non-whitespace character in it
rnotwhite = /\S/,
Expand Down Expand Up @@ -213,7 +214,7 @@ jQuery.fn = jQuery.prototype = {
selector: "",

// The current version of jQuery being used
jquery: "1.6.4",
jquery: "1.6.5-sec",

// The default length of a jQuery object is 0
length: 0,
Expand Down Expand Up @@ -357,8 +358,9 @@ jQuery.extend = jQuery.fn.extend = function() {
src = target[ name ];
copy = options[ name ];

// Prevent Object.prototype pollution
// Prevent never-ending loop
if ( target === copy ) {
if ( name === "__proto__" || target === copy ) {
continue;
}

Expand Down Expand Up @@ -1401,6 +1403,12 @@ jQuery.support = (function() {
}
}

// Support: IE <=9 only
// IE <=9 replaces <option> tags with their contents when inserted outside of
// the select element.
div.innerHTML = "<option></option>";
support.option = !!div.lastChild;

// Null connected elements to avoid leaks in IE
testElement = fragment = select = opt = body = marginDiv = div = input = null;

Expand Down Expand Up @@ -5529,7 +5537,6 @@ function winnow( elements, qualifier, keep ) {

var rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g,
rleadingWhitespace = /^\s+/,
rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/ig,
rtagName = /<([\w:]+)/,
rtbody = /<tbody/i,
rhtml = /<|&#?\w+;/,
Expand All @@ -5539,7 +5546,6 @@ var rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g,
rscriptType = /\/(java|ecma)script/i,
rcleanScript = /^\s*<!(?:\[CDATA\[|\-\-)/,
wrapMap = {
option: [ 1, "<select multiple='multiple'>", "</select>" ],
legend: [ 1, "<fieldset>", "</fieldset>" ],
thead: [ 1, "<table>", "</table>" ],
tr: [ 2, "<table><tbody>", "</tbody></table>" ],
Expand All @@ -5549,10 +5555,14 @@ var rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g,
_default: [ 0, "", "" ]
};

wrapMap.optgroup = wrapMap.option;
wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
wrapMap.th = wrapMap.td;

// Support: IE <=9 only
if ( !jQuery.support.option ) {
wrapMap.optgroup = wrapMap.option = [ 1, "<select multiple='multiple'>", "</select>" ];
}

// IE can't serialize <link> and <script> tags normally
if ( !jQuery.support.htmlSerialize ) {
wrapMap._default = [ 1, "div<div>", "</div>" ];
Expand Down Expand Up @@ -5732,8 +5742,6 @@ jQuery.fn.extend({
(jQuery.support.leadingWhitespace || !rleadingWhitespace.test( value )) &&
!wrapMap[ (rtagName.exec( value ) || ["", ""])[1].toLowerCase() ] ) {

value = value.replace(rxhtmlTag, "<$1></$2>");

try {
for ( var i = 0, l = this.length; i < l; i++ ) {
// Remove element nodes and prevent memory leaks
Expand Down Expand Up @@ -6144,8 +6152,6 @@ jQuery.extend({
if ( !rhtml.test( elem ) ) {
elem = context.createTextNode( elem );
} else {
// Fix "XHTML"-style tags in all browsers
elem = elem.replace(rxhtmlTag, "<$1></$2>");

// Trim whitespace, otherwise indexOf won't work as expected
var tag = (rtagName.exec( elem ) || ["", ""])[1].toLowerCase(),
Expand Down Expand Up @@ -6688,7 +6694,7 @@ var r20 = /%20/g,
rnoContent = /^(?:GET|HEAD)$/,
rprotocol = /^\/\//,
rquery = /\?/,
rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,
rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script\s*>/gi,
rselectTextarea = /^(?:select|textarea)/i,
rspacesAjax = /\s+/,
rts = /([?&])_=[^&]*/,
Expand Down Expand Up @@ -7756,6 +7762,13 @@ jQuery.ajaxPrefilter( "json jsonp", function( s, originalSettings, jqXHR ) {



// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
jQuery.ajaxPrefilter( function( s ) {
if ( s.crossDomain ) {
s.contents.script = false;
}
} );

// Install script dataType
jQuery.ajaxSetup({
accepts: {
Expand Down Expand Up @@ -9043,4 +9056,4 @@ jQuery.each([ "Height", "Width" ], function( i, name ) {

// Expose jQuery to the global object
window.jQuery = window.$ = jQuery;
})(window);
})(window);
2 changes: 1 addition & 1 deletion src/ajax.js
Expand Up @@ -11,7 +11,7 @@ var r20 = /%20/g,
rnoContent = /^(?:GET|HEAD)$/,
rprotocol = /^\/\//,
rquery = /\?/,
rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,
rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*< *\/ *script *>?/gi,
rselectTextarea = /^(?:select|textarea)/i,
rspacesAjax = /\s+/,
rts = /([?&])_=[^&]*/,
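Review bot: The new `rscript` ends on the lenient `< *\/ *script *>?`, but the negative lookahead inside the loop still tests the strict `<\/script>`, so the two halves of the pattern disagree about what closes a script block. When the closing tags are not in canonical form the loop is not stopped at the first one and the match runs to the last, dropping any markup that sits between two script blocks; that errs on the safe side but is surprising, and `(?!< *\/ *script)` in the lookahead would keep both halves aligned. The built jquery.js in this same pull request carries a different pattern for the same variable, `<\/script\s*>`, which accepts fewer closing-tag forms than the source version, so the distribution file should be regenerated from src to make sure what ships is what was reviewed. The `var` statement continues outside the hunk.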
7 changes: 7 additions & 0 deletions src/ajax/script.js
@@ -1,5 +1,12 @@
(function( jQuery ) {

// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
jQuery.ajaxPrefilter( function( s ) {
if ( s.crossDomain ) {
s.contents.script = false;
}
} );

// Install script dataType
jQuery.ajaxSetup({
accepts: {
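Review bot: The comment on the new prefilter cites "gh-2432", which inside this fork does not resolve to the issue it presumably means (the upstream jQuery tracker); naming the tracker and the CVE from the commit title, e.g. `// Prevent auto-execution of cross-domain scripts when no dataType is given (upstream jQuery gh-2432, CVE-2015-9251)`, keeps the reference usable. The comment should also state the limits of the guard: it applies only when `s.crossDomain` is set, and a request with an explicit `dataType: "script"` still executes the response, as the added test in test/unit/ajax.js expects. Whether the response-handling code tolerates a `false` entry in `s.contents` is not visible in this hunk and is worth confirming for this old code base.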
6 changes: 4 additions & 2 deletions src/core.js
Expand Up @@ -17,7 +17,8 @@ var jQuery = function( selector, context ) {

// A simple way to check for HTML strings or ID strings
// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
// Strict HTML recognition (#11290: must start with <)
quickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,

// Check if a string has a non-whitespace character in it
rnotwhite = /\S/,
Expand Down Expand Up @@ -336,8 +337,9 @@ jQuery.extend = jQuery.fn.extend = function() {
src = target[ name ];
copy = options[ name ];

// Prevent Object.prototype pollution
// Prevent never-ending loop
if ( target === copy ) {
if ( name === "__proto__" || target === copy ) {
continue;
}

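Review bot: The stricter `quickExpr` changes which strings the constructor treats as markup, and nothing in the hunk tells callers so: the old pattern allowed `[^#<]*` in front of the first `<`, while the new one, going by its comment ("must start with <"), sends such strings down the selector path instead. For a drop-in security branch that is a behaviour change worth a line in the release notes and in the comment itself, e.g. `// Strings with anything before the first "<" are treated as selectors, never as HTML`. In the second hunk the `__proto__` guard carries two stacked comments for one condition; `// Skip "__proto__" (Object.prototype pollution) and self-references (never-ending loop)` reads more clearly. Both enclosing functions start and end outside the visible lines.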
12 changes: 5 additions & 7 deletions src/manipulation.js
Expand Up @@ -2,7 +2,6 @@

var rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g,
rleadingWhitespace = /^\s+/,
rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/ig,
rtagName = /<([\w:]+)/,
rtbody = /<tbody/i,
rhtml = /<|&#?\w+;/,
Expand All @@ -12,7 +11,6 @@ var rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g,
rscriptType = /\/(java|ecma)script/i,
rcleanScript = /^\s*<!(?:\[CDATA\[|\-\-)/,
wrapMap = {
option: [ 1, "<select multiple='multiple'>", "</select>" ],
legend: [ 1, "<fieldset>", "</fieldset>" ],
thead: [ 1, "<table>", "</table>" ],
tr: [ 2, "<table><tbody>", "</tbody></table>" ],
Expand All @@ -22,10 +20,14 @@ var rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g,
_default: [ 0, "", "" ]
};

wrapMap.optgroup = wrapMap.option;
wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
wrapMap.th = wrapMap.td;

// Support: IE <=9 only
if ( !jQuery.support.option ) {
wrapMap.optgroup = wrapMap.option = [ 1, "<select multiple='multiple'>", "</select>" ];
}

// IE can't serialize <link> and <script> tags normally
if ( !jQuery.support.htmlSerialize ) {
wrapMap._default = [ 1, "div<div>", "</div>" ];
Expand Down Expand Up @@ -205,8 +207,6 @@ jQuery.fn.extend({
(jQuery.support.leadingWhitespace || !rleadingWhitespace.test( value )) &&
!wrapMap[ (rtagName.exec( value ) || ["", ""])[1].toLowerCase() ] ) {

value = value.replace(rxhtmlTag, "<$1></$2>");

try {
for ( var i = 0, l = this.length; i < l; i++ ) {
// Remove element nodes and prevent memory leaks
Expand Down Expand Up @@ -617,8 +617,6 @@ jQuery.extend({
if ( !rhtml.test( elem ) ) {
elem = context.createTextNode( elem );
} else {
// Fix "XHTML"-style tags in all browsers
elem = elem.replace(rxhtmlTag, "<$1></$2>");

// Trim whitespace, otherwise indexOf won't work as expected
var tag = (rtagName.exec( elem ) || ["", ""])[1].toLowerCase(),
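Review bot: The two sites where `value.replace(rxhtmlTag, "<$1></$2>")` was removed now pass caller markup through untouched, but no comment is left to say why, so a later compatibility fix could reintroduce the rewrite. A short comment at both sites, e.g. `// Do not expand <tag/> to <tag></tag>: rewriting markup before parsing is what CVE-2020-11022 was about`, would record the reason. The removal also changes results for existing callers that relied on self-closed non-void tags such as `<div/>` being expanded, and the visible hunks add no hook for restoring the old behaviour, so it belongs in the upgrade notes. The `option`/`optgroup` wrap is now installed only when `jQuery.support.option` is false, which makes this file depend on the support test having run before it is evaluated; the functions touched here continue outside the hunks.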
6 changes: 6 additions & 0 deletions src/support.js
Expand Up @@ -246,6 +246,12 @@ jQuery.support = (function() {
}
}

// Support: IE <=9 only
// IE <=9 replaces <option> tags with their contents when inserted outside of
// the select element.
div.innerHTML = "<option></option>";
support.option = !!div.lastChild;

// Null connected elements to avoid leaks in IE
testElement = fragment = select = opt = body = marginDiv = div = input = null;

64 changes: 64 additions & 0 deletions test/unit/ajax.js
Expand Up @@ -70,6 +70,70 @@ test("jQuery.ajax() - success callbacks - (url, options) syntax", function() {
}, 13);
});

test( "jQuery.ajax() - do not execute js (crossOrigin) 1", 2, function() {

jQuery.ajaxSetup({ timeout: 0 });

stop();

setTimeout(function(){
jQuery.ajax({
url: url( "data/script.php?header=ecma" ),
crossDomain: true,
success: function() {
ok( true, "success" );
},
complete: function() {
ok( true, "complete" );
start();
}
});
}, 13);
} );

test( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3, function() {

jQuery.ajaxSetup({ timeout: 0 });

stop();

setTimeout(function(){
jQuery.ajax({
url: url( "data/script.php?header=ecma" ),
crossDomain: true,
dataType: "script",
success: function() {
ok( true, "success" );
},
complete: function() {
ok( true, "complete" );
start();
}
});
}, 13);
} );

test( "jQuery.ajax() - do not execute js (crossOrigin) 2", 2, function() {

jQuery.ajaxSetup({ timeout: 0 });

stop();

setTimeout(function(){
jQuery.ajax({
url: url( "data/script.php" ),
crossDomain: true,
success: function() {
ok( true, "success" );
},
complete: function() {
ok( true, "complete" );
start();
}
});
}, 13);
} );

test("jQuery.ajax() - success callbacks (late binding)", function() {
expect( 8 );

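Review bot: The two "do not execute js" tests prove non-execution only through the expected-assertion count (2, against 3 in the `dataType: "script"` test), which presumably relies on data/script.php emitting an assertion when its body runs; nothing in the tests says so. A comment such as `// script.php calls ok() when executed, so a third assertion means the response was run` would make the intent visible and keep someone from "fixing" the count. All three tests also call `jQuery.ajaxSetup({ timeout: 0 })` without restoring the previous value, and their names say "crossOrigin" while the option under test is `crossDomain`.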