Boolean attribute getters throw if the attribute name is not all lowercase #3133
Attribute hooks are determined for the lowercase versions of attribute names but this has not been reflected in the bool attribute hooks. The code that temporarily removed a handler to avoid an infinite loop was removing an incorrect handler causing stack overflow. Fixes jquerygh-3133 Refs jquerygh-2914 Refs jquerygh-2916
PR: #3134.
We can discuss but I'm changing the milestone to 3.0.0 for now as it breaks the Angular test suite.
Attribute hooks are determined for the lowercase versions of attribute names but this has not been reflected in the bool attribute hooks. The code that temporarily removed a handler to avoid an infinite loop was removing an incorrect handler causing stack overflow. Fixes jquerygh-3133 Refs jquerygh-2914 Refs jquerygh-2916 Closes jquerygh-3134
CVE-2016-10707 was assigned to track this issue.
@anarcat The CVE is incorrect. There is no stable jQuery version that suffers from this issue. The regression happened in preparation for jQuery 3.0.0 and it was fixed before 3.0.0 was released.
@mgol well, I based the CVE on the Snyk database which says "versions <3.0.0 >=2.1.0-beta1". I'm not sure I parsed those version numbers right, but I read that as releases after 2.1 (e.g. 2.2.2) being vulnerable. I'd be happy to clarify the description in the CVE, once we have a better idea of what's going on here. Do you want to submit an update to the CVE or should I?
I've never submitted an update to a CVE before. :) Feel free to do it. The range in the database is incorrect, the only affected version is Are CVEs assigned for bugs existing in pre-release versions? If so, the range should be changed to
Acknowledged, I'll carry that over to MITRE. I'm not sure this should have been marked as a vulnerability in Snyk, and therefore in MITRE. I should have done my homework better but, arguably, there wasn't much information available to begin with, without digging deep in the source code. :) For what it's worth, I requested a CVE through this form. I strongly encourage security researchers and upstream projects to systematically request CVE assignments when discovering and/or releasing security issues. It makes tracking much easier across the ecosystem, from the upstream vendors down to all the downstream distributors and Linux distros. Thanks!
Description
In #2916 we removed our logic that lowercased attribute names. This caused one regression: any attribute getter using a name for boolean attributes but not all lowercased is going into an infinite recursion, exceeding the stack call limit.
Amongst others, this is breaking the AngularJS test suite when tested with jQuery 3.0.0-rc1.
Link to test case
https://jsfiddle.net/shnann6y/2/
Basically,
$('<div>').attr('requiRed')
is enough to trigger the error.
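The recursion described above, as an added model that is not jQuery's own code: `attrHandle`, `findAttr` and `makeElement` are stand-ins for Sizzle's hook table, `jQuery.find.attr` and a DOM element. Hooks are stored under lowercase names, so when the boolean hook temporarily removes itself using the caller's mixed-case spelling (`buggy === true`) nothing is removed and the generic getter calls straight back into the hook.

```javascript
// Hook table keyed by lowercase attribute name, as in Sizzle's attrHandle.
const attrHandle = {};

// Stand-in for a DOM element; HTML attribute names are case-insensitive.
function makeElement(attrs) {
  const store = {};
  for (const [k, v] of Object.entries(attrs)) store[k.toLowerCase()] = v;
  return {
    getAttribute(name) {
      const v = store[name.toLowerCase()];
      return v === undefined ? null : v;
    },
  };
}

// Stand-in for jQuery.find.attr: consult the hook under the lowercased
// name first, then fall back to the raw DOM attribute.
function findAttr(elem, name) {
  const hook = attrHandle[name.toLowerCase()];
  return hook ? hook(elem, name) : elem.getAttribute(name);
}

// Install the boolean-attribute getter for `boolName`. In buggy mode the
// temporary removal uses the caller's spelling (the regression in this issue);
// in fixed mode it uses the lowercased key the hook was stored under.
function installBoolHook(boolName, buggy) {
  attrHandle[boolName] = function (elem, name) {
    const lowercaseName = name.toLowerCase();
    const key = buggy ? name : lowercaseName;
    // With key === 'requiRed' this removes nothing, so findAttr recurses.
    const handle = attrHandle[key];
    attrHandle[key] = undefined;
    try {
      return findAttr(elem, name) != null ? lowercaseName : null;
    } finally {
      attrHandle[key] = handle;
    }
  };
}

// Returns the attribute value, or the error name if the lookup blew the stack.
function attrOrError(elem, name, buggy) {
  installBoolHook('required', buggy);
  try {
    return findAttr(elem, name);
  } catch (e) {
    return e.name; // 'RangeError' once the call stack limit is exceeded
  } finally {
    for (const k of Object.keys(attrHandle)) delete attrHandle[k];
  }
}
```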