XSS #36
Comments
The solution they are providing actually breaks jQuery http://jsfiddle.net/rwaldron/GFdJD/ :( |
I intentionally pulled out the XSS check in that regex, thinking it wasn't needed. Now if I could only recall WHY. |
They are actually providing two workarounds (sic!). The first should work. Best bet is to patch jQuery asap and not rely on workarounds. |
@freddyb The bug was fixed in jQuery 1.7. The problem is that the plugin circumvents it. There is nothing to fix in the current versions of jQuery. The fix has to be in the plugin. |
@rwldrn There only was a 'return' missing inside the function: http://jsfiddle.net/GFdJD/3/ |
@fhemberger yes, I know—that's why it doesn't work, why I don't want people using it, and why I made a point to document it here. |
So do you have a better idea for a fix? |
I'm not sure what problems it will cause, but a temporary fix might be to add back 1.8's regex (the same one is in 1.7). It seems to reproduce 1.8's behavior, but my testing is pretty limited. Index: jquery-migrate.js
===================================================================
--- jquery-migrate.js
+++ jquery-migrate.js
@@ -189,8 +189,8 @@
var matched, browser,
oldInit = jQuery.fn.init,
oldParseJSON = jQuery.parseJSON,
- // Note this does NOT include the #9521 XSS fix from 1.7!
- rquickExpr = /^(?:[^<]*(<[\w\W]+>)[^>]*|#([\w\-]*))$/;
+ // https://github.com/jquery/jquery-migrate/issues/36
+ rquickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// $(html) "looks like html" rule change
jQuery.fn.init = function( selector, context, rootjQuery ) {
Alternatively, the following implements something close to 1.9's behavior: http://bugs.jquery.com/ticket/11290
// https://github.com/jquery/jquery-migrate/issues/36
// Wrap the jQuery factory so that a string argument containing "<" anywhere
// other than position 0 is rejected as a selector syntax error instead of
// being parsed as HTML (1.9 only treats strings that start with "<" as HTML).
window.jQuery = (function( jQ ) {
    function jQueryFixed( a ) {
        var args = jQ.makeArray( arguments );
        // Only string arguments can be HTML; DOM nodes, functions, etc. pass through.
        if ( "string" === typeof a ) {
            a = jQ.trim( a );
            if ( a.charAt( 0 ) !== "<" && a.indexOf( "<" ) > -1 ) {
                // Sizzle's error helper throws "Syntax error, unrecognized expression"
                jQ.find.error( a );
            }
        }
        return jQ.apply( null, args );
    }
    // Copy the static members (fn, extend, ajax, ...) onto the wrapper
    jQ.extend( jQueryFixed, jQ );
    return jQueryFixed;
})(jQuery); |
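Review bot: the `+` comment line in the hunk drops the explanation the `-` line carried and replaces it with only an issue link; the new pattern `/^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/` is jQuery 1.7's rquickExpr with the #9521 fix, and its `[^#<]*` prefix is exactly what stops a string containing `#` before `<` from being parsed as HTML, so state that in the comment (e.g. `// jQuery 1.7 rquickExpr, includes the #9521 XSS fix; see gh-36`) so the next reader does not "simplify" it away again. Note also that this restores only the 1.7/1.8 rule, not 1.9's: a string with `<` after non-`#` text such as `div <b>x</b>` is still treated as HTML by this regex, which is the gap the wrapper in the same comment closes.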
The whole thing can be avoided by not using the migrate plugin. |
Input welcome on this...before we ship if possible. |
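To make the three rules discussed above concrete, here is an added example (not code from jquery-migrate or from any commenter) that classifies a `$(string)` argument the way jQuery's init path does under the relaxed regex the plugin restored, under jQuery 1.7's #9521 regex from the patch, and under 1.9's "starts with <" rule. The two regexes are copied from the hunk above; the 1.9 rule is paraphrased from the thread, and the sample strings are constructed for illustration.

```javascript
// Relaxed quick-expression restored by jquery-migrate 1.1 (the "-" line of the hunk).
const RQUICK_RELAXED = /^(?:[^<]*(<[\w\W]+>)[^>]*|#([\w\-]*))$/;
// jQuery 1.7's quick-expression with the #9521 fix (the "+" line of the hunk).
// The [^#<]* prefix refuses to skip past a "#", so "#id <tag>" is no longer HTML.
const RQUICK_FIXED = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Mirror of jQuery's init logic for strings: a quick-expr match with group 1
// means "parse as HTML", group 2 means "lookup by id", no match means
// "hand it to the selector engine".
function classify(selector, rquickExpr) {
  const match = rquickExpr.exec(selector);
  if (match && match[1]) return "html";
  if (match && match[2]) return "id";
  return "selector";
}

// jQuery 1.9's rule as described in the thread: only a leading "<" is HTML;
// everything else (including "#id") goes through the selector engine.
function classify19(selector) {
  return selector.charAt(0) === "<" ? "html" : "selector";
}

// Constructed sample inputs: a plain id, real markup, and two strings that
// contain markup after other text, one of them starting with "#".
const SAMPLES = ["#foo", "<div>hi</div>", "#foo <b>x</b>", "div <b>x</b>"];

// Returns { input: { relaxed, fixed, v19 } } so the three rules can be compared.
function compareRules(samples) {
  const report = {};
  for (const s of samples) {
    report[s] = {
      relaxed: classify(s, RQUICK_RELAXED),
      fixed: classify(s, RQUICK_FIXED),
      v19: classify19(s),
    };
  }
  return report;
}

// Usage: console.table(compareRules(SAMPLES));
```

The row for `"#foo <b>x</b>"` is the point of the patch: the relaxed regex classifies it as HTML (so it would be parsed into elements), while the 1.7 regex sends it to the selector engine, which rejects it as a syntax error. The row for `"div <b>x</b>"` shows why the commenter above calls the regex patch only "close to" 1.9: the 1.7 rule still parses it as HTML, whereas 1.9 treats it as a selector.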
Sorry I didn't try before you shipped, but this fix broke code that has worked in every version of jQuery since probably 1.4 (including 2.0.0 with migrate plugin 1.1.1). I tried to come up with a reduced case but in the time I was able to spend couldn't reproduce it (it actually seemed to work in a stand-alone test case but fails for me in my real use case every time), so I am not going to go ahead and open a bug report. What I find is that I am now getting an error on line 223 of jQuery-migrate-1.2.0.js |
Yeah, I oversimplified the regex. The If you are getting that from a third party you should be using |
Opened gh-38. |
I have a proof-of-concept of an outstanding jquery-migrate exploit in this vein. I can't find an appropriate place to report it privately - how do you all prefer to do that? Please feel free to hit me at cheald at gmail directly. Thanks! |
the issue still remains in v1.2.1 |
@t-ashula The response was that this is working as intended. See my writeup here: https://www.coffeepowered.net/2013/08/26/jquery-migrate-xss/ |
Many thanks to the blogger who announced a 0-day without giving us a heads-up courtesy. But that's what 0-days are all about I suppose. Link broken intentionally.
blog.mindedsecurity.com/2013/04/jquery-migrate-is-sink-too.html