uglify -c changes behavior of mdast code #751
Comments
I fixed this in mdast (syntax-tree/mdast@1a4fc46), but I’m not sure that this was really my error. It was basically a long list of logical AND-operators, followed by an expression which I needed the value of (
This looks like a bug. Thanks for the test repo, it helped isolate the problem. The simplest test case appears to be:

```js
match = !x &&
    (!z || c) &&
    (!k || d) &&
    the_stuff();
```

compresses to:

```js
match = !(x || z && !c || k && !d || !the_stuff());
```

which obviously loses the value returned from
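The following is an added example, not code from the issue or from UglifyJS: it encodes mishoo's test case as two functions, `original` (the expression as written) and `compressed` (the output mishoo quotes for uglify-js before v2.4.24), and checks them against each other over every boolean input. The helper names and the sample return values are assumptions made for the illustration. When `the_stuff()` returns a boolean the two forms agree, which is why the miscompile is easy to miss; as soon as `the_stuff()` returns anything else (a string, an object, `0`), the compressed form collapses that value to `true` or `false` and the program's behavior changes.

```javascript
// Added example (not from the issue): the expression as written.
// When every guard passes, `match` holds whatever the_stuff() returned.
function original(x, z, c, k, d, the_stuff) {
  var match = !x &&
      (!z || c) &&
      (!k || d) &&
      the_stuff();
  return match;
}

// The form quoted in the issue as the pre-v2.4.24 uglify -c output.
// The leading `!` forces the whole right-hand side to a boolean, so the
// value of the_stuff() can never reach `match`.
function compressed(x, z, c, k, d, the_stuff) {
  var match = !(x || z && !c || k && !d || !the_stuff());
  return match;
}

// Exhaustively compare both forms over all boolean inputs for a given
// the_stuff implementation; returns the input combinations where they differ.
function findDivergences(the_stuff) {
  var diffs = [];
  var bools = [false, true];
  bools.forEach(function (x) {
    bools.forEach(function (z) {
      bools.forEach(function (c) {
        bools.forEach(function (k) {
          bools.forEach(function (d) {
            var a = original(x, z, c, k, d, the_stuff);
            var b = compressed(x, z, c, k, d, the_stuff);
            // strict comparison: "value" !== true, 0 !== false
            if (a !== b) {
              diffs.push({ x: x, z: z, c: c, k: k, d: d, original: a, compressed: b });
            }
          });
        });
      });
    });
  });
  return diffs;
}

// Constructed sample callbacks (assumptions for the illustration).
var returnsBoolean = function () { return true; };
var returnsString = function () { return "value"; };
var returnsZero = function () { return 0; };

// With a boolean result the two forms agree everywhere.
console.log(findDivergences(returnsBoolean).length + " divergences for a boolean result");
// With a non-boolean result they disagree in every case where the guards pass.
console.log(findDivergences(returnsString).length + " divergences for a string result");
console.log(findDivergences(returnsZero).length + " divergences for a 0 result");
```

The nine divergent cases for a non-boolean result are exactly the inputs where `!x`, `(!z || c)` and `(!k || d)` all hold: there `original` yields the callee's value while `compressed` yields a boolean. A check of this shape, run against a project's own minified bundle for any expression whose last `&&` operand is used as a value, is a cheap way to confirm that the minifier in use is not affected.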
Fix pushed.

👍 awesome, thank you!

I also published v2.4.24 to npm, since the issue appears to be pretty serious.
Requested a CVE assignment in http://seclists.org/oss-sec/2015/q3/351 |
I'm the author of the blog post @reedloden linked above - just wanted to clarify a couple things:
Update grunt-contrib-uglify dependency to v0.9.2 in order to fix security issue fixed in uglify-js v2.4.24. mishoo/UglifyJS#751 https://zyan.scripts.mit.edu/blog/backdooring-js/
Definitely. Most of the stuff that can bite you is behind
Based on the recommendations of [bundler-audit]:

```
ruby-advisory-db: 227 advisories
Name: uglifier
Version: 2.7.0
Advisory: OSVDB-126747
Criticality: Unknown
URL: mishoo/UglifyJS#751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2
Unpatched versions found!
```

[bundler-audit]: https://rubygems.org/gems/bundler-audit
Resolves advisory 126747 mishoo/UglifyJS#751
Update grunt-contrib-uglify dependency to v0.9.2 in order to avoid a security issue fixed in uglify-js v2.4.24. mishoo/UglifyJS#751 https://zyan.scripts.mit.edu/blog/backdooring-js/ Closes gh-2556
Update grunt-contrib-uglify dependency to v0.9.2 in order to avoid a security issue fixed in uglify-js v2.4.24. mishoo/UglifyJS#751 https://zyan.scripts.mit.edu/blog/backdooring-js/ (cherry-picked from 835e921) Closes gh-2556
```
Name: uglifier
Version: 2.7.1
Advisory: 126747
Criticality: Unknown
URL: mishoo/UglifyJS#751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2
```

Problem: [bundler-audit] returned this security warning:

```
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up-to-date.
ruby-advisory-db: 230 advisories
Name: uglifier
Version: 2.7.1
Advisory: OSVDB-126747
Criticality: Unknown
URL: mishoo/UglifyJS#751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2
Unpatched versions found!
```

[bundler-audit]: https://github.com/rubysec/bundler-audit

Solution: Upgrade `bundle update uglifier`
Update gem uglifier to >= 2.7.2 to address security alert for affected versions prior to 2.7.2 Sources: lautis/uglifier#86 https://zyan.scripts.mit.edu/blog/backdooring-js/ https://nodesecurity.io/advisories/uglifyjs_incorrectly_handles_non-boolean_comparisons mishoo/UglifyJS#751
I've created a repo to reproduce this bug: https://github.com/tmcw/mdast-uglify-bug

For the mdast markdown library, the source succeeds when not uglified, and then, passed through `uglify -c`, its behavior changes and it breaks. I'm trying to dig through the source, passed through `uglify -c` and then `uglify -b`, in order to track down the cause. It's quite a doozy.