🔒️ fix CVE-2015-9251

Author: ctcpip

.gitmodules

@@ -1,6 +1,6 @@
 [submodule "src/sizzle"]
 	path = src/sizzle
-	url = git://github.com/jquery/sizzle.git
+	url = https://github.com/jquery/sizzle.git
 [submodule "test/qunit"]
 	path = test/qunit
-	url = git://github.com/jquery/qunit.git
+	url = https://github.com/qunitjs/qunit.git

build/jslint-check.js

@@ -21,7 +21,7 @@ var e = JSLINT.errors, found = 0, w;
 for ( var i = 0; i < e.length; i++ ) {
 	w = e[i];
 
-	if ( !ok[ w.reason ] ) {
+	if ( w && !ok[ w.reason ] ) {
 		found++;
 		print( "\n" + w.evidence + "\n" );
 		print( "    Problem at line " + w.line + " character " + w.character + ": " + w.reason );

component.json

@@ -1,6 +1,6 @@
 {
   "name"        : "jquery",
-  "version"     : "1.6.4",
+  "version"     : "1.6.5-sec",
   "main"        : "./jquery.js",
   "dependencies": {
   }

jquery.js

@@ -1,5 +1,5 @@
 /*!
- * jQuery JavaScript Library v1.6.4
+ * jQuery JavaScript Library v1.6.5-sec
  * http://jquery.com/
  *
  * Copyright 2011, John Resig
@@ -11,7 +11,7 @@
  * Copyright 2011, The Dojo Foundation
  * Released under the MIT, BSD, and GPL Licenses.
  *
- * Date: Mon Sep 12 18:54:48 2011 -0400
+ * Date: Wed Feb 12 09:58:38 2014 -0800
  */
 (function( window, undefined ) {
 
@@ -213,7 +213,7 @@ jQuery.fn = jQuery.prototype = {
 	selector: "",
 
 	// The current version of jQuery being used
-	jquery: "1.6.4",
+	jquery: "1.6.5-sec",
 
 	// The default length of a jQuery object is 0
 	length: 0,
@@ -7756,6 +7756,13 @@ jQuery.ajaxPrefilter( "json jsonp", function( s, originalSettings, jqXHR ) {
 
 
 
+// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
+jQuery.ajaxPrefilter( function( s ) {
+	if ( s.crossDomain ) {
+			s.contents.script = false;
+	}
+} );
+
 // Install script dataType
 jQuery.ajaxSetup({
 	accepts: {
@@ -9043,4 +9050,4 @@ jQuery.each([ "Height", "Width" ], function( i, name ) {
 
 // Expose jQuery to the global object
 window.jQuery = window.$ = jQuery;
-})(window);
+})(window);

src/ajax/script.js

@@ -1,5 +1,12 @@
 (function( jQuery ) {
 
+// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
+jQuery.ajaxPrefilter( function( s ) {
+	if ( s.crossDomain ) {
+			s.contents.script = false;
+	}
+} );
+
 // Install script dataType
 jQuery.ajaxSetup({
 	accepts: {

test/unit/ajax.js

@@ -70,6 +70,54 @@ test("jQuery.ajax() - success callbacks - (url, options) syntax", function() {
 	}, 13);
 });
 
+ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
+	return {
+		create: function( options ) {
+			options.crossDomain = true;
+			return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
+		},
+		success: function() {
+			assert.ok( true, "success" );
+		},
+		complete: function() {
+			assert.ok( true, "complete" );
+		}
+	};
+} );
+
+ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
+	function( assert ) {
+		return {
+			create: function( options ) {
+				options.crossDomain = true;
+				options.dataType = "script";
+				return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
+			},
+			success: function() {
+				assert.ok( true, "success" );
+			},
+			complete: function() {
+				assert.ok( true, "complete" );
+			}
+		};
+	}
+);
+
+ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
+	return {
+		create: function( options ) {
+			options.crossDomain = true;
+			return jQuery.ajax( url( "data/script.php" ), options );
+		},
+		success: function() {
+			assert.ok( true, "success" );
+		},
+		complete: function() {
+			assert.ok( true, "complete" );
+		}
+	};
+} );
+
 test("jQuery.ajax() - success callbacks (late binding)", function() {
 	expect( 8 );
 

version.txt

@@ -1 +1 @@
-1.6.4
+1.6.5-sec