From cb87a0d8547961ae12d9959933717a2aaf49c88a Mon Sep 17 00:00:00 2001
From: Gregor Schmidt <schmidt@nach-vorne.eu>
Date: Tue, 30 Jan 2018 11:28:02 +0100
Subject: [PATCH] Don't eval cross-origin requests in jQuery #26857

This addresses the vulnerability disclosed in https://github.com/jquery/jquery/issues/2432. When issues cross-domain requests, jQuery is eval'ing the result if it's mime type is 'text/javascript'. By default Redmine does not load external resources but plugins may do so, depending on the security of the available jQuery version.

This prefilter disables the dangerous behaviour by default.
---
 public/javascripts/application.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/public/javascripts/application.js b/public/javascripts/application.js
index b6352fd2a..3890468b0 100644
--- a/public/javascripts/application.js
+++ b/public/javascripts/application.js
@@ -1,6 +1,12 @@
 /* Redmine - project management software
    Copyright (C) 2006-2017  Jean-Philippe Lang */
 
+$.ajaxPrefilter(function (s) {
+  if (s.crossDomain) {
+    s.contents.script = false;
+  }
+});
+
 function checkAll(id, checked) {
   $('#'+id).find('input[type=checkbox]:enabled').prop('checked', checked);
 }
-- 
2.14.1