jPlayer 2.2.19 XSS

2013.04.11
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

ownCloud brought this to my attention (they use it, I'm guessing other people use it as well).

https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d

Please use CVE-2013-1942 for this issue. The only contact info I can find is hello () happyworm com for upstream.

8 8 * - http://www.gnu.org/copyleft/gpl.html 9 9 * 10 10 * Author: Mark J Panaghiston 11 - * Version: 2.2.19 12 - * Date: 29th January 2013 11 + * Version: 2.2.20 12 + * Date: 21st March 2013 13 13 * 14 14 * FlashVars expected: (AS3 property of: loaderInfo.parameters) 15 15 * id: (URL Encoded: String) Id of jPlayer instance ... ... @@ -70,7 +70,7 @@ package { 70 70 private var isVideo:Boolean = false; 71 71 72 72 private var securityIssue:Boolean = false; // When SWF parameters contain illegal characters 73 - private var directAccess:Boolean = false; // When SWF visited directly with no parameters 73 + private var directAccess:Boolean = false; // When SWF visited directly with no parameters (or when security issue detected) 74 74 75 75 private var txLog:TextField; 76 76 private var debug:Boolean = false; // Set debug to false for release compile! ... ... @@ -233,12 +233,12 @@ package { 233 233 } 234 234 i++; 235 235 } 236 - if(i === 0) { 236 + if(i === 0 || securityIssue) { 237 237 directAccess = true; 238 238 } 239 239 } 240 240 private function illegalChar(s:String):Boolean { 241 - var illegals:String = "' \" ( ) { } * + /"; 241 + var illegals:String = "' \" ( ) { } * + / \\ < > = document"; 242 242 if(Boolean(s)) { // Otherwise exception if parameter null. 243 243 for each (var illegal:String in illegals.split(' ')) { 244 244 if(s.indexOf(illegal) >= 0) {
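
Review bot: in the `@@ -70,7` hunk, the reworded comment on `directAccess` (line 73) gives one flag two meanings: a direct visit with no parameters, and a detected security issue, which the `if(i === 0 || securityIssue)` assignment at line 236 then sets. The name no longer describes the second case, and code that reads only `directAccess` cannot tell a benign direct visit from rejected input. Suggest leaving `directAccess` with its original meaning and having the code that depends on it test `directAccess || securityIssue`, or renaming the flag after what it gates.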
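
Review bot: in the `@@ -233,12` hunk, `illegalChar` (line 241) is still a denylist, so the fix holds only while the list of tokens is complete. The added entries are matched as plain substrings with `s.indexOf(illegal)`, and a keyword entry such as `document` covers a single name, so the list is likely to need extending again. Since the file header describes `id` as the Id of a jPlayer instance, suggest validating each FlashVars value against an allowlist of the characters it legitimately needs (for an id, for example, letters, digits and underscore) and setting `securityIssue` for anything else, keeping the denylist only as a second check.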

References:

https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d
http://seclists.org/oss-sec/2013/q2/82

