
Add support for jQuery File Upload plugin, if possible

Open arthurakay opened this issue 5 years ago • 5 comments

This isn't a bug, so much as a feature request.

Per this article, the jQuery-File-Upload plugin has a critical zero-day exploit... so highlighting that in RetireJS seems like a valuable addition.

I may try to issue a PR if I have time this coming week, but if anyone else is more familiar with this plugin feel free to tackle it (since I'm not familiar with it).

Oct 19 '18 13:10 arthurakay

Thanks.

Unfortunately the source code doesn't have any version indicators in it, so this is a bit of a tough one...

Oct 19 '18 17:10 eoftedal

Ugh, you're right. Then again, the vulnerability itself is in one of the PHP files, so a version number on the JS file may or may not even really be accurate.

https://github.com/blueimp/jQuery-File-Upload/pull/3514

Is it worth just sniffing the comment at the top of the file and flagging all uses of the library as potentially vulnerable? I don't know how comfortable you are in pointing the finger under all circumstances... then again it's a pretty critical flaw.

Oct 19 '18 17:10 arthurakay

Maybe you can post a comment to https://github.com/blueimp/jQuery-File-Upload asking him to start adding version indicators? If that is a 'normal' thing to do for JavaScript libs?

Oct 25 '18 16:10 davewichers

@davewichers They seem to have disabled the issue tracker on that project...

Oct 25 '18 17:10 eoftedal

Per: https://blueimp.net/ - "Friendly email welcome at [email protected]" (the maintainer of the project).

Oct 25 '18 19:10 davewichers