From 11ad7bc5211b02aad131ae9d009ced2164f4b975 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Wed, 25 Mar 2015 17:36:17 -0300 Subject: [PATCH] Upgrade jquery-ujs to do proper checks for cross domain requests Fix CVE-2015-1840 --- vendor/assets/javascripts/jquery_ujs.js | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/vendor/assets/javascripts/jquery_ujs.js b/vendor/assets/javascripts/jquery_ujs.js index a4fb0be..1ee8859 100644 --- a/vendor/assets/javascripts/jquery_ujs.js +++ b/vendor/assets/javascripts/jquery_ujs.js @@ -86,16 +86,14 @@ // Default way to get an element's href. May be overridden at $.rails.href. href: function(element) { - return element.attr('href'); + return element[0].href; }, // Submits "remote" forms and links with ajax handleRemote: function(element) { - var method, url, data, elCrossDomain, crossDomain, withCredentials, dataType, options; + var method, url, data, withCredentials, dataType, options; if (rails.fire(element, 'ajax:before')) { - elCrossDomain = element.data('cross-domain'); - crossDomain = elCrossDomain === undefined ? null : elCrossDomain; withCredentials = element.data('with-credentials') || null; dataType = element.data('type') || ($.ajaxSettings && $.ajaxSettings.dataType); @@ -147,7 +145,7 @@ error: function(xhr, status, error) { element.trigger('ajax:error', [xhr, status, error]); }, - crossDomain: crossDomain + crossDomain: rails.isCrossDomain(url) }; // There is no withCredentials for IE6-8 when @@ -167,6 +165,27 @@ } }, + // Determines if the request is a cross domain request. + isCrossDomain: function(url) { + var originAnchor = document.createElement("a"); + originAnchor.href = location.href; + var urlAnchor = document.createElement("a"); + + try { + urlAnchor.href = url; + // This is a workaround to a IE bug. + urlAnchor.href = urlAnchor.href; + + // Make sure that the browser parses the URL and that the protocols and hosts match. + return !urlAnchor.protocol || !urlAnchor.host || + (originAnchor.protocol + "//" + originAnchor.host !== + urlAnchor.protocol + "//" + urlAnchor.host); + } catch (e) { + // If there is an error parsing the URL, assume it is crossDomain. + return true; + } + }, + // Handles "data-method" on links such as: // Delete handleMethod: function(link) { @@ -178,7 +197,7 @@ form = $('
'), metadataInput = ''; - if (csrfParam !== undefined && csrfToken !== undefined) { + if (csrfParam !== undefined && csrfToken !== undefined && !rails.isCrossDomain(href)) { metadataInput += ''; } -- 2.3.1