Address CVE-2014-4671 (JSONP Flash exploit) #16109

Merged
merged 1 commit into from Jul 10, 2014

gcampbell commented Jul 9, 2014

Adds a comment before JSONP callbacks. See
the reporter's blog post and the CVE for more information on the vulnerability.

Address CVE-2014-4671 (JSONP Flash exploit)
Adds a comment before JSONP callbacks. See
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ for more
details on the exploit in question.
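As an added example (not the Rails patch itself), the mitigation this PR describes written out in Ruby: the unguarded JSONP renderer beside the one that prepends a `/**/` comment, plus a check a test suite can run to confirm a JSONP body never begins with an SWF file header. The callback-name regex and the helper names are assumptions of this example, not something the page describes.

```ruby
require "json"

# Added example modelling the fix in rails/rails#16109: a JSONP response is
# rendered as "/**/callback(json)" so the first bytes of the body are never
# attacker-controlled via the callback parameter. Not the Rails code itself.

# Magic bytes of SWF containers: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGIC = %w[FWS CWS ZWS].freeze

# Assumed whitelist for callback names (not part of the page); keeps the
# callback from carrying arbitrary JS even when the prefix is in place.
CALLBACK_RE = /\A[\w.$]+\z/

# Unguarded rendering: the callback name is the very first thing in the body.
def jsonp_unguarded(callback, payload)
  "#{callback}(#{JSON.generate(payload)})"
end

# Mitigated rendering, as the PR does: a JS comment precedes the callback.
def jsonp_guarded(callback, payload)
  raise ArgumentError, "bad callback name" unless callback.match?(CALLBACK_RE)
  "/**/#{callback}(#{JSON.generate(payload)})"
end

# Detection check for a test suite or response-scanning rule: does the body
# start with an SWF header, i.e. could a Flash plugin treat it as a movie?
def starts_like_swf?(body)
  SWF_MAGIC.include?(body.byteslice(0, 3))
end
```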
chancancode commented Jul 9, 2014

(I believe this requires #16026 to work correctly in all cases, which is only in master afaik)

tenderlove commented Jul 10, 2014

LGTM, I'll merge it.

@tenderlove tenderlove merged commit 4003a5b into rails:master Jul 10, 2014

1 check failed

continuous-integration/travis-ci The Travis CI build could not complete due to an error

mehlah pushed a commit to mehlah/active_model_serializers that referenced this pull request Mar 30, 2015

Mehdi Lahmam
Fix the failing `test_render_json_with_callback`
Since Rails 4.0.10, it prepends a JS comment to JSONP callbacks,
to address CVE-2014-4671.
Introduced in Rails at rails/rails#16109

@mehlah mehlah referenced this pull request in rails-api/active_model_serializers Mar 30, 2015

Closed

Fix the failing `test_render_json_with_callback` #866
