Road to source code analysis master 2【jQuery CVE-2012-6708】

Last time: www.nicksecuritylog.com

source

  • CVE: www.cvedetails.com
  • github: github.com



research

flow

  • event
  • fix place
  • test
  • cause

event

selector interpreted as HTML: before 1.9.0, jQuery(strInput) treated the string as HTML whenever a tag appeared anywhere in it, not only when it started with "<". A selector assembled from untrusted input (a URL fragment, a query parameter) could therefore be parsed as markup and inserted into the document, which is the XSS.

bugs.jquery.com



fix place

before

rquickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,




after

rquickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,




before : rquickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
after  : rquickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,

The difference is the leading [^#<]* in the first alternative. Before the fix, any prefix that contained no "#" and no "<" was skipped, so a "<...>" found later in the string still made the whole string count as HTML (capture group 1). After the fix, the string must begin with "<" to be HTML, or with "#" to be a bare id (capture group 2); anything else goes to Sizzle as a selector. The $ anchor was also moved outside the alternation, so both branches now have to consume the entire string.

test

before
use code: [screenshot of the test code]
act: [screenshot of the result]

after
use code: [screenshot of the test code]
act: [screenshot of the result]
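Since the screenshots above do not survive extraction, here is an added example (not jQuery's own code and not from the original post) that replays the decision rquickExpr makes inside jQuery(strInput) for the "fix place" comparison and the "test" section. The two regexes are copied from the page; the classify() helper is a simplified stand-in for the first branch of jQuery.fn.init, and the sample inputs are constructed for this example.

```javascript
// Added example: compare how jQuery < 1.9.0 and jQuery >= 1.9.0 classify the
// string handed to jQuery(strInput). Regexes copied from the page above.
const rquickExprBefore = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/; // jQuery < 1.9.0
const rquickExprAfter  = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/;        // jQuery >= 1.9.0

// Simplified mirror of jQuery.fn.init (assumption, not jQuery's code):
// capture group 1 => string is parsed as HTML and turned into nodes,
// capture group 2 => document.getElementById(id),
// no match        => string is passed to Sizzle as a CSS selector.
// Real jQuery also fast-paths strings that start with "<" and end with ">",
// and only takes the #id branch when no context argument is given.
function classify(str, re) {
  const m = re.exec(str);
  if (m && m[1]) return { kind: "html", payload: m[1] };
  if (m && m[2] !== undefined) return { kind: "id", payload: m[2] };
  return { kind: "selector", payload: str };
}

// Constructed inputs. onerror=alert(1) is the usual harmless XSS canary; the
// interesting part is which strings reach the HTML branch in each version.
const samples = [
  "<img src=x onerror=alert(1)>",    // starts with "<": HTML in both versions
  "div<img src=x onerror=alert(1)>", // attacker controls only the tail (CVE-2012-6708)
  "#<img src=x onerror=alert(1)>",   // leading "#": rejected by both regexes
  "#main",                           // plain id in both versions
  "div.item",                        // plain selector in both versions
  "a[href='<b>']",                   // legitimate selector mis-read as HTML before 1.9
];

// One row per input with the verdict of each regex.
function compare(strs) {
  return strs.map((s) => ({
    input: s,
    before: classify(s, rquickExprBefore).kind,
    after: classify(s, rquickExprAfter).kind,
  }));
}

// Strings that only the old regex turned into HTML: exactly what the fix removes.
function newlyRejected(strs) {
  return compare(strs)
    .filter((r) => r.before === "html" && r.after !== "html")
    .map((r) => r.input);
}

for (const row of compare(samples)) {
  console.log(`${row.input.padEnd(34)} before=${row.before.padEnd(8)} after=${row.after}`);
}
```

Two things worth noticing in the output. The attack never needed the string to start with "<": a prefix such as "div" or "." that contains neither "#" nor "<" was skipped by [^#<]*, so code like $("." + untrusted) was exploitable, while $("#" + untrusted) was not because the old second alternative already rejected it. The same looseness also mis-classified legitimate selectors with angle brackets in attribute values, which is why the 1.9 change is a behaviour change for non-malicious callers too.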



task

  1. Why was this fixed?

  2. How would you attack this?

  3. How does the change alter the behaviour?