Update to 2.2.4 and backport XSS patch (bz#1399550,bz#1399549)

8 years ago · cf7b28bdf5
parent 102b23bc0f
commit cf7b28bdf5
5 changed files with 114 additions and 19 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
 /js-jquery-4dec426aa2a6cbabb1b064319ba7c272d594a688.tar.gz
 /js-jquery-8f2a9d9272d6ed7f32d3a484740ab342c02541e0.tar.gz
 /jquery-2.2.4.tar.gz
--- a/js-jquery-disable-gzip-js.patch
+++ b/js-jquery-disable-gzip-js.patch
@ -1,14 +1,11 @@
 diff --git a/Gruntfile.js b/Gruntfile.js
 index d1ad5d4..f1f1a28 100644
 --- a/Gruntfile.js
 +++ b/Gruntfile.js
-@@ -9,8 +9,7 @@ module.exports = function( grunt ) {
+@@ -13,7 +13,6 @@ module.exports = function( grunt ) {
 		return data;
 	}
-	var gzip = require( "gzip-js" ),
+ 	var fs = require( "fs" ),
-		srcHintOptions = readOptionalJSON( "src/.jshintrc" );
+ 		stripJSONComments = require( "strip-json-comments" ),
-+	var srcHintOptions = readOptionalJSON( "src/.jshintrc" );
+-		gzip = require( "gzip-js" ),
 		srcHintOptions = readOptionalJSON( "src/.jshintrc" ),
 		newNode = !/^v0/.test( process.version ),
 	// The concatenated file won't pass onevar
 	// But our modules can
--- a/js-jquery.spec
+++ b/js-jquery.spec
@ -1,9 +1,6 @@
 %global commit 8f2a9d9272d6ed7f32d3a484740ab342c02541e0
 %global shortcommit %(c=%{commit}; echo ${c:0:7})
 Name:           js-jquery
-Version:        2.1.3
+Version:        2.2.4
-Release:        3%{?dist}
+Release:        1%{?dist}
 Summary:        JavaScript DOM manipulation, event handling, and AJAX library
 BuildArch:      noarch
@ -12,11 +9,13 @@ BuildArch:      noarch
 %global ver_z %(echo %{version} | cut -d. -f3)
 License:        MIT     
-URL:            http://jquery.com/
+URL:            https://jquery.com/
-Source0:        https://github.com/jquery/jquery/archive/%{commit}/%{name}-%{commit}.tar.gz
+Source0:        https://github.com/jquery/jquery/archive/%{version}/jquery-%{version}.tar.gz
 # disable gzip-js during build
 Patch1:         %{name}-disable-gzip-js.patch
 # backport of XSS bug fix from upstream; upstream fixed in 3.0.0 and newer
 Patch2:         xss-fix-b078a62.patch
 BuildRequires:  web-assets-devel
 BuildRequires:  nodejs-packaging
@ -31,6 +30,8 @@ BuildRequires:  npm(grunt-cli)
 BuildRequires:  npm(grunt-contrib-uglify)
 BuildRequires:  npm(load-grunt-tasks)
 BuildRequires:  npm(requirejs)
 #BuildRequires:  npm(strip-json-comments) # won't work on epel7 branch
 BuildRequires:  nodejs-strip-json-comments
 Requires:       web-assets-filesystem
@ -42,8 +43,10 @@ browsers. With a combination of versatility and extensibility, jQuery has
 changed the way that millions of people write JavaScript.
 %prep
-%setup -qn jquery-%{commit}
+# autosetup doesn't work right on epel7 branch
 %setup -qn jquery-%{version}
 %patch1 -p1
 %patch2 -p1
 #remove precompiled stuff
 rm -rf dist/* src/sizzle
@ -79,10 +82,13 @@ ln -s %{version} %{installdir}/%{ver_x}.%{ver_y}
 %files
 %{_jsdir}/jquery
 %{_webassetdir}/jquery
-%doc AUTHORS.txt CONTRIBUTING.md MIT-LICENSE.txt README.md
+%doc AUTHORS.txt CONTRIBUTING.md LICENSE.txt README.md
 %changelog
 * Tue Dec 20 2016 Christopher Tubbs <ctubbsii@fedoraproject.org> - 2.2.4-1
 - Update to 2.2.4 and backport XSS patch (bz#1399550,bz#1399549)
 * Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
--- a/2
+++ b/2
@ -1 +1 @@
-eba3a924d520e1018b0cc1f0bdd2ffbc  js-jquery-8f2a9d9272d6ed7f32d3a484740ab342c02541e0.tar.gz
+SHA512 (jquery-2.2.4.tar.gz) = bd1176286451adeaa8c18eb98e01e8b91e45157f7263907772d637a2c15b8ac27b780be14983c4abcff5def668323beab9a6889d8da4beb6c2c06fae1f5bed1d
--- a/xss-fix-b078a62.patch
+++ b/xss-fix-b078a62.patch
@ -0,0 +1,91 @@
 From b078a62013782c7424a4a61a240c23c4c0b42614 Mon Sep 17 00:00:00 2001
 From: Oleg Gaidarenko <markelog@gmail.com>
 Date: Thu, 10 Sep 2015 13:40:00 +0300
 Subject: [PATCH] Ajax: Mitigate possible XSS vulnerability
 Proposed by @jaubourg
 Fixes gh-2432
 Closes gh-2588
 ---
 src/ajax/script.js |  7 +++++++
 test/unit/ajax.js  | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 0 deletion(-)
 diff --git a/src/ajax/script.js b/src/ajax/script.js
 index 60b1fb6..0ec27b4 100644
 --- a/src/ajax/script.js
 +++ b/src/ajax/script.js
@@ -4,6 +4,13 @@ define( [
 	"../ajax"
 ], function( jQuery, document ) {
 +// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
 +jQuery.ajaxPrefilter( function( s ) {
 +    if ( s.crossDomain ) {
 +        s.contents.script = false;
 +    }
 +} );
 +
 // Install script dataType
 jQuery.ajaxSetup( {
 	accepts: {
 diff --git a/test/unit/ajax.js b/test/unit/ajax.js
 index 14fe0be..6479587 100644
 --- a/test/unit/ajax.js
 +++ b/test/unit/ajax.js
@@ -71,6 +71,54 @@ QUnit.module( "ajax", {
 		};
 	} );
 +	ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
 +		return {
 +			create: function( options ) {
 +				options.crossDomain = true;
 +				return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
 +			},
 +			success: function() {
 +				assert.ok( true, "success" );
 +			},
 +			complete: function() {
 +				assert.ok( true, "complete" );
 +			}
 +		};
 +	} );
 +
 +	ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
 +		function( assert ) {
 +			return {
 +				create: function( options ) {
 +					options.crossDomain = true;
 +					options.dataType = "script";
 +					return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
 +				},
 +				success: function() {
 +					assert.ok( true, "success" );
 +				},
 +				complete: function() {
 +					assert.ok( true, "complete" );
 +				}
 +			};
 +		}
 +	);
 +
 +	ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
 +		return {
 +			create: function( options ) {
 +				options.crossDomain = true;
 +				return jQuery.ajax( url( "data/script.php" ), options );
 +			},
 +			success: function() {
 +				assert.ok( true, "success" );
 +			},
 +			complete: function() {
 +				assert.ok( true, "complete" );
 +			}
 +		};
 +	} );
 +
 	ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
 		return {
 			setup: addGlobalEvents( "ajaxStart ajaxStop ajaxSend ajaxComplete ajaxSuccess", assert ),
`@ -1 +1 @@`
	`eba3a924d520e1018b0cc1f0bdd2ffbc js-jquery-8f2a9d9272d6ed7f32d3a484740ab342c02541e0.tar.gz`	`SHA512 (jquery-2.2.4.tar.gz) = bd1176286451adeaa8c18eb98e01e8b91e45157f7263907772d637a2c15b8ac27b780be14983c4abcff5def668323beab9a6889d8da4beb6c2c06fae1f5bed1d`