lukechilds
/
react.dev
mirror of https://github.com/lukechilds/react.dev.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

16.4.2 blog post

main
Dan Abramov 7 years ago
parent
3155dffae3
commit
c32884da5f
2 changed files with 149 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 148
      content/blog/2018-08-01-react-v-16-4-2.md
  2. 2
      src/site-constants.js

148
content/blog/2018-08-01-react-v-16-4-2.md
View File

@ -0,0 +1,148 @@
---
title: "React v16.4.2: Server-side vulnerability fix"
author: [gaearon]
---
We discovered a minor vulnerability that might affect some apps using ReactDOMServer. We are releasing a patch version for every affected React minor release so that you can upgrade with no friction. Read on for more details.
## Short Description
Today, we are releasing a fix for a vulnerability we discovered in the `react-dom/server` implementation. It was introduced with the version 16.0.0 and has existed in all subsequent releases until today.
This vulnerability **can only affect some server-rendered React apps.** Purely client-rendered apps are **not** affected. Additionally, we expect that most server-rendered apps don't contain the vulnerable pattern described below. Nevertheless, we recommend to follow the mitigation instructions at the earliest opportunity.
While we were investigating this vulnerability, we found similar vulnerabilities in a few other popular front-end libraries. We have coordinated this release together with Vue and Preact releases fixing the same issue. The tracking number for this vulnerability is `CVE-2018-6341`.
## Mitigation
**We have prepared a patch release with a fix for every affected minor version.**
### 16.0.x
If you're using `react-dom/server` with this version:
- `react-dom@16.0.0`
Update to this version instead:
- `react-dom@16.0.1` **(contains the mitigation)**
### 16.1.x
If you're using `react-dom/server` with one of these versions:
- `react-dom@16.1.0`
- `react-dom@16.1.1`
Update to this version instead:
- `react-dom@16.1.2` **(contains the mitigation)**
### 16.2.x
If you're using `react-dom/server` with this version:
- `react-dom@16.2.0`
Update to this version instead:
- `react-dom@16.2.1` **(contains the mitigation)**
### 16.3.x
If you're using `react-dom/server` with one of these versions:
- `react-dom@16.3.0`
- `react-dom@16.3.1`
- `react-dom@16.3.2`
Update to this version instead:
- `react-dom@16.3.3` **(contains the mitigation)**
### 16.4.x
If you're using `react-dom/server` with one of these versions:
- `react-dom@16.4.0`
- `react-dom@16.4.1`
Update to this version instead:
- `react-dom@16.4.2` **(contains the mitigation)**
If you're using a newer version of `react-dom`, no action is required.
Note that only the `react-dom` package needs to be updated.
## Detailed Description
Your app might be affected by this vulnerability only if these two conditions are true:
* Your app is **being rendered to HTML using [ReactDOMServer API](/docs/react-dom-server.html)**.
* Your app **includes a user-supplied attribute name in an HTML tag.**
Specifically, the vulnerable pattern looks like this:
```js{2}
let props = {};
props[userProvidedData] = "hello";
let element = <div {...props} />;
let html = ReactDOMServer.renderToString(element);
```
In order to exploit it, the attacker would need to craft a special attribute name that triggers an [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) vulnerability. For example:
```js
let userProvidedData = '></div><script>alert("hi")</script>';
```
In the vulnerable versions of `react-dom/server`, the output would let the attacker inject arbitrary markup:
```html
<div ></div><script>alert("hi")</script>
```
In the versions after the vulnerability was [fixed](https://github.com/facebook/react/pull/13302) (and before it was introduced), attributes with invalid names are skipped:
```html
<div></div>
```
You would also see a warning about an invalid attribute name.
Note that **we expect attribute names based on user input to be very rare in practice.** It doesn't serve any common practical use case, and has other potential security implications that React can't guard against.
## Installation
React v16.4.2 is available on the npm registry.
To install React 16 with Yarn, run:
```bash
yarn add react@^16.4.2 react-dom@^16.4.2
```
To install React 16 with npm, run:
```bash
npm install --save react@^16.4.2 react-dom@^16.4.2
```
We also provide UMD builds of React via a CDN:
```html
<script crossorigin src="https://unpkg.com/react@16/umd/react.production.min.js"></script>
<script crossorigin src="https://unpkg.com/react-dom@16/umd/react-dom.production.min.js"></script>
```
Refer to the documentation for [detailed installation instructions](/docs/installation.html).
## Changelog
### React DOM Server
* Fix a potential XSS vulnerability when the attacker controls an attribute name (`CVE-2018-6341`). This fix is available in the latest `react-dom@16.4.2`, as well as in previous affected minor versions: `react-dom@16.0.1`, `react-dom@16.1.2`, `react-dom@16.2.1`, and `react-dom@16.3.3`. ([@gaearon](https://github.com/gaearon) in [#13302](https://github.com/facebook/react/pull/13302))
* Fix a crash in the server renderer when an attribute is called `hasOwnProperty`. This fix is only available in `react-dom@16.4.2`. ([@gaearon](https://github.com/gaearon) in [#13303](https://github.com/facebook/react/pull/13303))

2
src/site-constants.js
View File

@ -8,7 +8,7 @@
// NOTE: We can't just use `location.toString()` because when we are rendering
// the SSR part in node.js we won't have a proper location.
const urlRoot = 'https://reactjs.org';
const version = '16.4.1';
const version = '16.4.2';
const babelURL = '//unpkg.com/babel-standalone@6.26.0/babel.min.js';
export {urlRoot, version, babelURL};

Write Preview
Loading…
Cancel
Save