Address CVE-2014-4671 (JSONP Flash exploit) #16109

Merged
merged 1 commit into from Jul 10, 2014

Conversation

@gcampbell
Contributor

gcampbell commented Jul 9, 2014

Adds a comment before JSONP callbacks. See
the reporter's blog post and the CVE for more information on the vulnerability.

Adds a comment before JSONP callbacks. See
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ for more
details on the exploit in question.
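The following Ruby is an added example, not the code from rails/rails#16109 or any part of Rails: it shows the mitigation the PR describes in a minimal JSONP renderer, prepending a JavaScript comment so that the first bytes of the response body are constant instead of being taken from the request. The function names (`render_jsonp`, `safe_callback?`, `safe_prefix?`), the callback whitelist `CALLBACK_RE` and the 64-character limit are assumptions of this example; the PR itself only adds the comment prefix.

```ruby
require 'json'

# Added example (not the rails/rails#16109 patch): a minimal JSONP renderer that
# applies the mitigation the PR describes. A leading JavaScript comment makes the
# first bytes of every padded response fixed ("/**/") rather than attacker-chosen.
# Browsers ignore the comment, so existing JSONP clients keep working.

# Assumption of this example: only identifier-like callback names are accepted.
# This is defence in depth on top of the comment prefix, not something the PR adds.
CALLBACK_RE = /\A[A-Za-z_$][\w$.]*\z/

def safe_callback?(name)
  name.is_a?(String) && name.length <= 64 && !(name =~ CALLBACK_RE).nil?
end

# Returns the response body for +payload+. Without a callback the plain JSON is
# returned; with a callback the padded body always starts with "/**/".
def render_jsonp(payload, callback = nil)
  json = JSON.generate(payload)
  return json if callback.nil? || callback.empty?
  raise ArgumentError, "invalid JSONP callback: #{callback.inspect}" unless safe_callback?(callback)
  "/**/#{callback}(#{json})"
end

# Check used by a test or a response-side assertion: whatever callback was
# requested, the body must begin with the comment. A Flash file embedded via the
# callback name cannot start at byte 0 of the response, which is what the
# Rosetta Flash technique relied on.
def safe_prefix?(body)
  body.start_with?("/**/")
end

if __FILE__ == $PROGRAM_NAME
  puts render_jsonp({ ok: true, items: [1, 2] }, "handleData")
  # => /**/handleData({"ok":true,"items":[1,2]})
end
```

Run the file directly to see a padded body; the plain-JSON path is unchanged, so an API that serves both JSON and JSONP from the same action only pays for the prefix when a callback is actually requested.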
@chancancode
Member

chancancode commented Jul 9, 2014

(I believe this requires #16026 to work correctly in all cases, which is only in master afaik)

@tenderlove
Member

tenderlove commented Jul 10, 2014

LGTM, I'll merge it.

@tenderlove tenderlove merged commit 4003a5b into rails:master Jul 10, 2014
1 check failed
continuous-integration/travis-ci The Travis CI build could not complete due to an error
mehlah pushed a commit to mehlah/active_model_serializers that referenced this pull request Mar 30, 2015
Since Rails 4.0.10, it prepends a JS comment to JSONP callbacks,
to address CVE-2014-4671.
Introduced in Rails at rails/rails#16109