
Address CVE-2014-4671 (JSONP Flash exploit) #16109

merged 1 commit into from Jul 10, 2014


@gcampbell gcampbell commented Jul 9, 2014

Adds a comment before JSONP callbacks. See
the reporter's blog post and the CVE for more information on the vulnerability.

Adds a comment before JSONP callbacks. See for more
details on the exploit in question.
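The fix in this PR is easiest to see next to the behaviour it replaces. The following Ruby is an added example written for this page, not the Rails code from the PR: it builds a JSONP body the old way and the fixed way (the Rails fix prepends the empty block comment `/**/`), shows why a leading comment defeats a Flash runtime's SWF signature sniff, and adds a callback allow-list check that is an assumption of this example rather than something the PR does. The attacker-style callback string is constructed for the demonstration; the real CVE-2014-4671 (Rosetta Flash) payload is a long alphanumeric string that a Flash runtime decodes as a complete SWF.

```ruby
require 'json'

# Constructed sample input, not from the PR: a callback whose first bytes are
# the compressed-SWF magic "CWS". The real exploit uses a much longer, purely
# alphanumeric callback that is itself a valid SWF; the magic prefix is enough
# to show the mechanism, since that is the byte sequence the loader checks.
ATTACKER_CALLBACK = 'CWSxexamplefillerxbytes'.freeze

# Pre-fix behaviour: the response body begins with attacker-controlled bytes,
# because the callback parameter is echoed at offset 0.
def jsonp_unfixed(callback, payload)
  "#{callback}(#{JSON.generate(payload)})"
end

# Post-fix behaviour, modelled on this PR: an empty JavaScript block comment is
# emitted first, so the body can never start with a caller-chosen sequence.
# JavaScript ignores the comment; a Flash loader sniffing for the SWF
# signature no longer finds it at offset 0, so the response is not a movie.
def jsonp_fixed(callback, payload)
  "/**/#{callback}(#{JSON.generate(payload)})"
end

# What a Flash runtime checks before treating a fetched resource as a movie:
# the three-byte signature "FWS" (uncompressed) or "CWS" (zlib-compressed).
def sniffs_as_swf?(body)
  body.start_with?('FWS', 'CWS')
end

# Defence in depth, assumed here rather than taken from the PR: accept only a
# dotted JavaScript identifier as the callback. This alone does NOT stop the
# Flash exploit, because the payload is purely alphanumeric and passes the
# check; the leading comment is what actually breaks it. The allow-list still
# blocks arbitrary script being reflected into the callback position.
CALLBACK_RE = /\A[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*\z/

def valid_callback?(callback)
  CALLBACK_RE.match?(callback)
end
```

Run the two builders with the same callback and compare `sniffs_as_swf?` on each body: the unfixed body is recognised as SWF, the fixed one is not, while `valid_callback?` accepts the attacker string in both cases. That last result is the practical point for reviewers: identifier validation is worth keeping, but it is not a substitute for the comment prefix this PR adds.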
@chancancode chancancode commented Jul 9, 2014

👍 @tenderlove @rafaelfranca ?

@chancancode chancancode commented Jul 9, 2014

(I believe this requires #16026 to work correctly in all cases, which is only in master afaik)

@tenderlove tenderlove commented Jul 10, 2014

LGTM, I'll merge it.

@tenderlove tenderlove merged commit 4003a5b into rails:master Jul 10, 2014
1 check failed
mehlah pushed a commit to mehlah/active_model_serializers that referenced this issue Mar 30, 2015
Since Rails 4.0.10, it prepends a JS comment to JSONP callbacks,
to address CVE-2014-4671.
Introduced in Rails at rails/rails#16109