/ 
Stardust-0.08
River stage zero No dependents
/ Stardust
Security Advisories (9)
CVE-2020-11022 (2020-04-29)

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2020-11023 (2020-04-29)

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2019-11358 (2019-04-20)

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVE-2015-9251 (2018-01-18)

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

CVE-2011-4969 (2013-03-08)

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

CVE-2012-6708 (2018-01-18)

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

CVE-2020-7656 (2020-05-19)

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

CVE-2019-5428

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as _proto_, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

CVE-2014-6071 (2018-01-16)

jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after.

NAME

Stardust - the simplest COMET server I could imagine

SYNOPSIS

Installing Stardust:

$ sudo cpan Stardust

Running the COMET server on port 5555:

$ stardust.pl --port=5555 --base=/comet

Making pages subscribe to channel 'foo':

<script>
  var uniqueId = Math.random().toString();
  $.ev.loop('/comet/channel/foo/'+uniqueId, {
    "*": function(ev) {
    }
  });
</script>

Posting JSON messages to channel 'foo':

curl -d 'm={ "type": "TestMessage", "data": [3, 2, 1] }' \
  http://localhost:5555/comet/channel/foo

DESCRIPTION

Stardust is a simple COMET server that can be integrated alongside existing web applications.

CONCEPTS

Message

Messages are just abritrary JSON objects.

Channel

Channels are where messages travel trough.

API

Communication with the Stardust COMET server uses JSON over HTTP. The following URLs represent your API.

GET /

This is just a little informational JSON-encoded data that tells you what version of the Stardust server you're using.

GET /channel

This returns a list of all the channel names currently in use as a JSON-encoded array of strings.

GET /channel/([\w+]+)

This returns info about the specified channels as a JSON-encoded array of objects.

POST /channel/([\w+]+)

This allows one to send a message to the specified channels.

Parameters:

m

an JSON-encoded object. This parameter may be repeated if you want to send more than one message per POST request.

GET /channel/([\w+]+)/stream/([.\d]+)

Long poll on this URL to receive a stream of messages as they become available. They will come back to you as a JSON-encoded array of objects.

CONFIGURATION

nginx static + stardust

upstream stardust_com_et {
  server 127.0.0.1:5742;
}

server {
  listen 80;
  server_name stardust.com.et;
  location / {
    root   /www/stardust.com.et;
    index  index.html index.htm;
  }
  location /comet {
    proxy_pass http://stardust_com_et;
  }
}

nginx fastcgi + stardust

TODO

nginx reverse proxy + stardust

TODO

apache2 static + stardust

<VirtualHost *:80>             
                               
  ServerName stardust.com.et
  DocumentRoot /www/stardust.com.et
  CustomLog logs/stardust.com.et-access_log combined
  ErrorLog  logs/stardust.com.et-error_log

  <Directory "/www/stardust.com.et">         
    Options Indexes FollowSymLinks  
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>

  ProxyRequests Off
  ProxyPass        /comet http://127.0.0.1:5742/comet
  ProxyPassReverse /comet http://127.0.0.1:5742/comet

</VirtualHost>

apache2 fastcgi + stardust

TODO

apache2 reverse proxy + stardust

TODO

SEE ALSO

GitHub Repository

http://github.com/beppu/stardust/tree/master

jQuery.ev

http://github.com/beppu/jquery-ev/tree/master

AnyEvent, Coro, Continuity

AnyEvent, Coro, Continuity

Squatting

Squatting

http://groups.google.com/group/squatting-framework

AUTHOR

John BEPPU <beppu@cpan.org>

SPECIAL THANKS

Thanks to Marc Lehmann for his work on AnyEvent and Coro.

Thanks to Brock Wilcox and Scott Walters for their work on Continuity.

COPYRIGHT

Copyright (c) 2009 John BEPPU <beppu@cpan.org>.

The "MIT" License

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.