This repository was archived by the owner on Apr 20, 2023. It is now read-only.

Commit a3194d3

committed
Fix for CVE-2014-1403
1 parent 7d79817 commit a3194d3


4 files changed

+14
-1
lines changed


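--- a/build.xml
+++ b/build.xml
@@ -4,7 +4,7 @@
 <property file="build.secret.properties"/>
 <property name="project.build.artifactdir" value="./artifacts/"/>
 <property name="project.build.publishdir" value="./artifacts/"/>
-<property name="project.build.version" value="2.4.18"/>
+<property name="project.build.version" value="2.4.19"/>
 
 <!-- Setup classpath for js-build-tools ant tasks -->
 <path id="js-build-tasks.classpath">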

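--- a/src/Fn.js
+++ b/src/Fn.js
@@ -58,6 +58,9 @@
 // #ifdef debug
 this._trace("retrieving function " + name);
 // #endif
+if (!_map.hasOwnProperty(name)) {
+return;
+}
 var fn = _map[name];
 // #ifdef debug
 if (!fn) {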
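Review bot: The new guard calls `_map.hasOwnProperty(name)` on the map itself, so it relies on `_map` inheriting an unshadowed `hasOwnProperty`; if a function is ever registered under that name, or `_map` is later created without a prototype, the check misbehaves or throws. `if (!Object.prototype.hasOwnProperty.call(_map, name)) {` avoids both cases. The early `return` also comes before the `// #ifdef debug` block that opens with `if (!fn) {`, so a lookup of an unregistered name presumably no longer produces a diagnostic in debug builds; a `this._trace(...)` call inside the guard, wrapped in the same `#ifdef debug` markers, would keep it. The enclosing function starts and ends outside this hunk.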

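--- a/src/changes.html
+++ b/src/changes.html
@@ -5,6 +5,13 @@
 </head>
 <body>
 <ul>
+<li>
+2.4.19 18.01.14
+<br/>
+Removed XSS vulnerability:
+<br/>
+- XSS due to lack of validation in name.html (CVE-2014-1403) - disclosed by Krzystof Kotowicz (Cure53)
+</li>
 <li>
 2.4.18 21.09.13
 <br/>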

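--- a/src/name.html
+++ b/src/name.html
@@ -24,6 +24,9 @@
 else {
 channel = hash.substring(0, indexOf);
 url = decodeURIComponent(hash.substring(indexOf + 1));
+if (url && !/https?:\/\//.test(url)) {
+throw new Error('Invalid url');
+}
 }
 switch (location.hash.substring(2, 3)) {
 case "2":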
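Review bot: The pattern in `!/https?:\/\//.test(url)` is not anchored, so it accepts any value that merely contains `http://` or `https://` somewhere in the string, including one whose actual scheme is something else. The check should pin the scheme to the start of the value, `if (url && !/^https?:\/\//i.test(url)) {`, where the `i` flag keeps legitimately upper-cased schemes working. The guard is also skipped when `url` is empty, and how `url` is consumed afterwards is outside this hunk, so it should be confirmed that an empty value is harmless there. The enclosing `else` branch and the `switch` that follows continue beyond the hunk.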
