Search jQuery

jQuery Forum

Developing jQuery Core

Mikedelic

jquery.cookie.js triggers default Apache mod_security rules

Not a problem

Need more info
Not a problem
Temporary fix
Analyzing
Working on it
Solved

in Developing jQuery Core • 8 years ago

"jquery.cookie.js triggers default Apache mod_security rules"

I believe this issue almost doesn't need any introduction anymore since it exists for quite a while now (> 1 year). If not, Google for it. It amazes me that the developers from jquery do not pick this up and just change their filenames to follow up on indirect advice from the default mod_sec rules. Personally, I get the impression that the developers do not take cross-side scripting and security seriously. Which I dare to doubt so hard working developers: do not feel offended by this message. It is meant as an advice.

This issue can simply be fixed by changing the filename jquery.cookie.js to jquery_cookie.js or jquery-cookie.js. That's all!

jQuery cannot expect that everybody has to change this themselves since it should come out-of-the-box. Now hosting providers, like me, have to adjust the default mod_sec rules and create a security hole because the core developers refuse to follow these rules. I believe this is world upside-down and I think the assumption can be made that the creators of those mod security rules know what they are doing. Besides the fact that it is asking for trouble to use more than one period in your filenames... obviously.

So my request is, and I am sure all jquery users will agree on this, please change the filenames.

Replies(9)

jsclark

Re: jquery.cookie.js triggers default Apache mod_security rules

8 years ago

jquery.cookie.js is a plugin, not part of the jQuery core library. This is something you'd need to take up with the author/maintainer of that plugin, not with the core team. It looks to be maintained here: https://github.com/carhartl/jquery-cookie. Having said that, the standard naming convention for jQuery plugins is jquery.pluginname.js, so I find it unlikely that the name will be changed.

Mikedelic

Re: jquery.cookie.js triggers default Apache mod_security rules

8 years ago

Thank you for the reply. I really do appreciate the effort. However, from a developers perspective, your message is exactly what I expected.

First you say this issue must be addressed to the plugin developers and then you point out the fact that the naming convention is the coding standard used. This is defensive behavior. In other words, jQuery knows there is a issue with the coding standard which creates a security hole and refuse to even consider changing it. The plugin developers are just following the coding standards. So, the core must be fixed and after that the plugin. Let's imagine that wheels were originally made square and the creator just ignores the fact that a round wheel is must more effective. Where would we be now?

So, in my opinion this simply means jQuery is not secure enough to use because of a XXS hole that will never be fixed. And users that have no clue what is going on in the hacking world just keep on implementing insecure code. That's nice information for the hackers in the world! Great point of view. Obviously, I sincerely disagree with your answer.

My advice, leave this thread open for discussion the coming months and see what other users have to say about this. That is the only fair thing to do here. I made my point.

dave.meth..

Re: jquery.cookie.js triggers default Apache mod_security rules

8 years ago

@Mikedelic, we do not own the plugin. Contact the plugin creator or (if the license allows) fork it to your own repo and do whatever you'd like with it.

> So, in my opinion this simply means jQuery is not secure enough to use because of a XXS hole that will never be fixed.

What are you talking about? I am not sure whether to ignore you or ask you to explain.

jakecigar

Re: jquery.cookie.js triggers default Apache mod_security rules

8 years ago

I googled around and read many threads about "jquery.cookie.js triggers default Apache mod_security rules".

The problem is not with mod_security or jQuery or any particular script. It is a problem with a regular expression that is falsely matching any script with cookie in the title.

[#CORERULES-29] File with .cookie in the name are blocked - ModSecurity

[#CORERULES-31] Request Clarification - ModSecurity

JΛ̊KE

Mikedelic

Re: jquery.cookie.js triggers default Apache mod_security rules

8 years ago

Before I reply I will include a message from jsclark that was posted here but somehow "disapeared":

----------

jsclark has made a reply to the forum post/topic jquery.cookie.js triggers default Apache mod_security rules

The message has been included below.

----------------------------------------
I'm not affiliated with the core team in any way and didn't mean for my post to come off that way, I just happened to see your post and felt it was worth commenting on. Having said that, IMHO, this is not a problem with the plugin naming convention as a whole, but is rather just an unfortunate name for a popular plugin, paired with a seemingly heavy-handed default rule in Apache. Remember, we're not talking about coding standards here or any sort of insecure code, we're talking about filenames, nothing more. I can't stress this enough: This is not an XSS vulnerability in jQuery.

Now, there is obviously a security concern with serving up actual cookie files; I completely understand the purpose of the Apache rule and I can empathize with your frustration as a sysadmin. But the fact that one plugin out of thousands is named in such a way that it triggers this rule doesn't seem like sufficient justification to change the naming scheme of a large ecosystem of existing plugins. I still feel like it's the responsibility of the plugin maintainer to name (or rename) their plugins appropriately or to at least make their users aware of a possible compatibility problem. I just don't think it's the responsibility of the jQuery team to alter an existing naming convention so that no plugin name could ever be unintentionally filtered by a webserver. It's just not practical. Now, adding a stipulation of: "Don't use '.cookie' as part of a module name, as it can cause issues with Apache." seems perfectly reasonable.

Again, I'm not claiming to speak for the core team in away way, just my 2 cents.

----------

Mikedelic

Re: jquery.cookie.js triggers default Apache mod_security rules

8 years ago

First of all my apologies for coming of so harsh.

jsclark is right on some points. That is why I reposted his comments. Yes, it is frustrating as a sysadmin to have tons of customers complaining their open source scripts are not working because of a disagreement between jQuery and Mod Security. This should NOT be the problem of any of the users in general (clients and sysadmins). It should be of concern at jQuery and Mod Security development.

@dave:

"Contact the plugin creator"

First, I agree with the comment from jsclark:

"adding a stipulation of: "Don't use '.cookie' as part of a module name, as it can cause issues with Apache." seems perfectly reasonable." That could work.

Second, I can contact the plugin creator, but in my eyes this is caused by jQuery. Plugin or not, I do not see the difference. The plugin developers are just following the coding standards provided by jQuery core. I suggest to follow up on the comment of jsclark and let the jQuery core team take this up with the plugin developers telling them they shouldn't use .cookie in their filename. I believe this is much more effective.

@dave:

"or (if the license allows) fork it to your own repo and do whatever you'd like with it."

Sorry? I am not talking about "my own repo". I am talking about 3rd party scripts blindly using jQuery in their code. It is impossible to ask all customers to update their script because the core doesn't want to come up with a generic solution. I am just trying to push the responsibility back to where it belongs: at the core developers.

@jakecigar:

"The problem is not with mod_security or jQuery or any particular script. It is a problem with a regular expression that is falsely matching any script with cookie in the title."

Ok, and how do you know this rule is invalid? Because it is mentioned in those "old" threads? The threads are posted in 2010 and apparently the "issue" still exists in 2013. So, the default rule set contains a false rule for 3 years. This can be, but I find that hard to believe.

The point if it is a valid rule or not is not to decide by the users. Most of them can't know for sure anyway. That is something for jQuery and Mod Security to figure out. If it is valid then jQuery should come up with a solution. If it is invalid then Mod Security must follow up. Only together they can get a final statement on this matter. Doesn't seem like a difficult thing to do.

I do not ask any developer to change something. I'm just making this point to create awareness. I do also believe this is not an issue that I or any user of these products should solve. This is an issue between jQuery and Mod Security and all I am asking is to get those two teams together and finally try to solve this issue once and for all for everybody in the world. Seems like a fair thing to do, right?

Remember, I mean no harm and again my apologies if I offended anybody

dave.meth..

Re: jquery.cookie.js triggers default Apache mod_security rules

8 years ago

Okay, let me ask the question a different way.

You are posting some sort of request that the jQuery Core team do something. What is it that you are requesting? Please keep your answer short.

Mikedelic

Re: jquery.cookie.js triggers default Apache mod_security rules

8 years ago

I am asking to get the jQuery and Mod Security teams together and determine if the .cookie rule is valid or invalid:

If valid jQuery should add a stipulation: "Don't use '.cookie' as part of a module name, as it can cause issues with Apache Mod Security" and inform the plug-in crew about this. And of course assure the rule is fulfilled.
If invalid Mod Security should make adjustments to their default rule set based on the discussion between jQuery and Mod Security.

dave.meth..

Re: jquery.cookie.js triggers default Apache mod_security rules

8 years ago

None of this involves the jQuery Core team, they don't need to "get together" with us to decide to rename files or change their security model. We don't control file names. Users can name their files any way they'd like and whichever way works best with their servers. There is no "plug-in crew", just a bunch of independent developers who do whatever they want.

Top Reply

Response title

Attachments

jQuery Forum

jquery.cookie.js triggers default Apache mod_security rules

Not a problem

Replies(9)

Re: jquery.cookie.js triggers default Apache mod_security rules

Re: jquery.cookie.js triggers default Apache mod_security rules

Re: jquery.cookie.js triggers default Apache mod_security rules

Re: jquery.cookie.js triggers default Apache mod_security rules

Re: jquery.cookie.js triggers default Apache mod_security rules

Re: jquery.cookie.js triggers default Apache mod_security rules

Re: jquery.cookie.js triggers default Apache mod_security rules

Re: jquery.cookie.js triggers default Apache mod_security rules

Re: jquery.cookie.js triggers default Apache mod_security rules

Statistics

Tags

Actions