
jquery / CVE-2020-7656



This appears to be a vulnerability in that the "load()" function will
not correctly filter out javascript from loaded HTML.

https://snyk.io/vuln/SNYK-JS-JQUERY-569619

As per the above, this was supposedly fixed in the following commit:
https://github.com/jquery/jquery/commit/a938d7b1282fc0e5c52502c225ae8f0cef219f0a

NOTE: 20200606: This was fixed upstream in a set of wider changes
NOTE: 20200606: (a938d7b128) which cannot be applied. Even the specific

dla-needed.txt

The relevant line that has been changed is this one.
https://github.com/jquery/jquery/commit/a938d7b1282fc0e5c52502c225ae8f0cef219f0a#diff-c3749d3acba09ca9ec16bb56e496408bR177


Before (if selector set):

  rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,

  jQuery("<div>")
  .append( responseText.replace( rscript, "" ) )
  .find( selector ) :

Before (if selector not set):

   responseText is used as is.


After (if selector set):

  jQuery("<div>").append( jQuery.parseHTML( responseText ) ).find( selector ) :

After (if selector not set):

   responseText is used as is.

OK, so for the case where selector is set, we now call parseHTML instead
of replacing the text. Presumably this fixes the problem. But this
function is not available in the Jessie version.

But even more importantly, it looks to me like, if a selector is not
given, we don't do any filtering of JavaScript at all. Even in the latest
version of master.

https://github.com/jquery/jquery/blob/master/src/ajax/load.js#L58

Does this mean the security bug is not sufficiently fixed? Or do we only
need to filter out javascript if a selector is provided for some reason?

I am also a bit puzzled, I would have expected a function called load()
would load JavaScript, and if you add it to the DOM as per the example,
I would expect it to be executed.

https://snyk.io/vuln/SNYK-JS-JQUERY-569619
-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
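As an added illustration of the two filtering strategies compared in the message above (this is not code from the original post or from jQuery): only the `rscript` regex is copied from the quoted pre-fix source; the tokenizer-style filter, the helper names and the sample inputs are constructed here. The regex only strips a block that ends in the exact string `</script>`, whereas the HTML tokenizer also accepts an end tag such as `</script >` (the case CVE-2020-7656 describes), so that markup survives the replace and runs once appended to the DOM. jQuery.parseHTML sidesteps the problem by letting the browser parse the markup and then removing the resulting script elements; the DOM-free stand-in below mimics that by following the tokenizer's end-tag rule.

```javascript
// Added example for the jQuery CVE-2020-7656 discussion above. This is not
// jQuery's code: only `rscript` is copied from the pre-fix load() source
// quoted in the message; everything else is written here to illustrate it.
"use strict";

// The regex the pre-3.5.0 load() used to strip script blocks (from the message).
const rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;

// "Before" behaviour: one regex replace over the raw response text.
function stripScriptsRegex(html) {
  return html.replace(rscript, "");
}

// Stand-in for what jQuery.parseHTML achieves (it hands the markup to the
// browser's parser and drops the resulting <script> elements). Assumption:
// this tokenizer-style filter is illustrative and written here; it follows
// the HTML tokenizer's rule that script content ends only at "</script"
// followed by whitespace, "/" or ">", which is exactly the case the regex
// above misses.
const scriptStart = /<script(?=[\s/>])/i;
const scriptEnd = /<\/script(?=[\s/>])[^>]*>/i;

function stripScriptsTokenized(html) {
  let out = "";
  let rest = html;
  for (;;) {
    const start = scriptStart.exec(rest);
    if (!start) {
      out += rest;
      break;
    }
    out += rest.slice(0, start.index);
    const afterStart = rest.slice(start.index);
    const end = scriptEnd.exec(afterStart);
    if (!end) {
      // Unterminated script: the parser would treat the remainder as script
      // data, so drop it rather than let it through as markup.
      break;
    }
    rest = afterStart.slice(end.index + end[0].length);
  }
  return out;
}

// True if a <script start tag survives filtering, i.e. it would execute once
// the fragment is appended to the document.
function scriptSurvives(html) {
  return scriptStart.test(html);
}

// Constructed inputs (not real responses): the second one is the pattern
// CVE-2020-7656 describes, an end tag with a space before ">"; the third
// uses a newline and mixed case for the same effect.
const SAMPLES = [
  "<div>hi</div><script>alert(1)</script>",
  "<div>hi</div><script>alert(1)</script >",
  "<p>a</p><SCRIPT src=x></SCRIPT\n><p>b</p>",
];

for (const html of SAMPLES) {
  const viaRegex = stripScriptsRegex(html);
  const viaTokens = stripScriptsTokenized(html);
  console.log(JSON.stringify(html));
  console.log("  regex     :", scriptSurvives(viaRegex) ? "SCRIPT SURVIVES" : "stripped", JSON.stringify(viaRegex));
  console.log("  tokenized :", scriptSurvives(viaTokens) ? "SCRIPT SURVIVES" : "stripped", JSON.stringify(viaTokens));
}
```

Run it with `node` to see the first sample stripped by both filters and the other two surviving the regex but not the tokenizer-style filter. Note the filter is only a model of the parser's behaviour; in a real page the safe route is still to let the browser parse the markup (as parseHTML does) rather than to regex the response text.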