Merge branch '3-1-2-sec' into 3-1-stable

rails · Jun 16, 2015 · d0be832 · d0be832
2 parents 135ba0f + ee1ed3c
commit d0be832
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 3.1.3 (16 June 2015)
+
+  - Fix CSP bypass vulnerability. CVE-2015-1840
+
 ## 3.1.2 (1 September 2014)
 
   - Updated to jquery-ujs 1.0.1

diff --git a/VERSIONS.md b/VERSIONS.md
@@ -2,6 +2,7 @@
 
 | Gem    | jQuery | jQuery UJS | jQuery UI |
 |--------|--------|------------| ----------|
+| 3.1.3  | 1.11.1 | 1.0.4      | -         |
 | 3.1.2  | 1.11.1 | 1.0.1      | -         |
 | 3.1.1  | 1.11.1 | 1.0.0      | -         |
 | 3.1.0  | 1.11.0 | -          | -         |

diff --git a/lib/jquery/rails/version.rb b/lib/jquery/rails/version.rb
@@ -1,7 +1,7 @@
 module Jquery
   module Rails
-    VERSION = "3.1.2"
+    VERSION = "3.1.3"
     JQUERY_VERSION = "1.11.1"
-    JQUERY_UJS_VERSION = "1.0.1"
+    JQUERY_UJS_VERSION = "1.0.4"
   end
 end
diff --git a/vendor/assets/javascripts/jquery_ujs.js b/vendor/assets/javascripts/jquery_ujs.js
@@ -86,16 +86,14 @@
 
     // Default way to get an element's href. May be overridden at $.rails.href.
     href: function(element) {
-      return element.attr('href');
+      return element[0].href;
     },
 
     // Submits "remote" forms and links with ajax
     handleRemote: function(element) {
-      var method, url, data, elCrossDomain, crossDomain, withCredentials, dataType, options;
+      var method, url, data, withCredentials, dataType, options;
 
       if (rails.fire(element, 'ajax:before')) {
-        elCrossDomain = element.data('cross-domain');
-        crossDomain = elCrossDomain === undefined ? null : elCrossDomain;
         withCredentials = element.data('with-credentials') || null;
         dataType = element.data('type') || ($.ajaxSettings && $.ajaxSettings.dataType);
 
@@ -147,7 +145,7 @@
           error: function(xhr, status, error) {
             element.trigger('ajax:error', [xhr, status, error]);
           },
-          crossDomain: crossDomain
+          crossDomain: rails.isCrossDomain(url)
         };
 
         // There is no withCredentials for IE6-8 when
@@ -167,6 +165,27 @@
       }
     },
 
+    // Determines if the request is a cross domain request.
+    isCrossDomain: function(url) {
+      var originAnchor = document.createElement("a");
+      originAnchor.href = location.href;
+      var urlAnchor = document.createElement("a");
+
+      try {
+        urlAnchor.href = url;
+        // This is a workaround to a IE bug.
+        urlAnchor.href = urlAnchor.href;
+
+        // Make sure that the browser parses the URL and that the protocols and hosts match.
+        return !urlAnchor.protocol || !urlAnchor.host ||
+          (originAnchor.protocol + "//" + originAnchor.host !==
+            urlAnchor.protocol + "//" + urlAnchor.host);
+      } catch (e) {
+        // If there is an error parsing the URL, assume it is crossDomain.
+        return true;
+      }
+    },
+
     // Handles "data-method" on links such as:
     // <a href="/users/5" data-method="delete" rel="nofollow" data-confirm="Are you sure?">Delete</a>
     handleMethod: function(link) {
@@ -178,7 +197,7 @@
         form = $('<form method="post" action="' + href + '"></form>'),
         metadataInput = '<input name="_method" value="' + method + '" type="hidden" />';
 
-      if (csrfParam !== undefined && csrfToken !== undefined) {
+      if (csrfParam !== undefined && csrfToken !== undefined && !rails.isCrossDomain(href)) {
         metadataInput += '<input name="' + csrfParam + '" value="' + csrfToken + '" type="hidden" />';
       }