In #2916 we removed our logic that lowercased attribute names. This caused one regression: any attribute getter using a name for boolean attributes but not all lowercased is going into an infinite recursion, exceeding the stack call limit.
Amongst others, this is breaking the AngularJS test suite when tested with jQuery 3.0.0-rc1.
https://jsfiddle.net/shnann6y/2/
Basically, $('<div>').attr('requiRed') is enough to trigger the error.
PR: #3134.
We can discuss but I'm changing the milestone to 3.0.0 for now as it breaks the Angular test suite.
CVE-2016-10707 was assigned to track this issue.
@anarcat The CVE is incorrect. There is no stable jQuery version that suffers from this issue. The regression happened in preparation for jQuery 3.0.0 and it was fixed before 3.0.0 was released.
@mgol well, i based the CVE on the Snyk database which says "versions <3.0.0 >=2.1.0-beta1". i'm not sure I parsed those version numbers right, but i read that as releases after 2.1 (e.g. 2.2.2) being vulnerable.
i'd be happy to clarify the description in the CVE, once we have a better idea of what's going on here..
do you want to submit an update to the CVE or should i?
I've never submitted an update to a CVE before. :) Feel free to do it.
The range in the database is incorrect, the only affected version is 3.0.0-rc.1. Both the earlier 2.1.x, 2.2.x & 3.0.0-beta1 and the later 3.0.0 don't exhibit the issue.
Are CVEs assigned for bugs existing in pre-release versions? If so, the range should be changed to =3.0.0-rc.1.
acknowledged, i'll carry that over to mitre. i'm not sure this should have been marked as vulnerability in Snyke, and therefore in Mitre. i should have done my homework better but, arguably, there wasn't much information available to begin with, without digging deep in the source code. :)
For what it's worth, I requested a CVE through this form. I strongly encourage security researchers and upstream project to systematically request CVE assignments when discovering and/or releasing security issues. It makes tracking much easier across the ecosystem, from the upstream vendors down to all the downstream distributors and linux distros.
Thanks!
Most helpful comment
acknowledged, i'll carry that over to mitre. i'm not sure this should have been marked as vulnerability in Snyke, and therefore in Mitre. i should have done my homework better but, arguably, there wasn't much information available to begin with, without digging deep in the source code. :)
For what it's worth, I requested a CVE through this form. I strongly encourage security researchers and upstream project to systematically request CVE assignments when discovering and/or releasing security issues. It makes tracking much easier across the ecosystem, from the upstream vendors down to all the downstream distributors and linux distros.
Thanks!