From: csteipp
Date: Thu, 17 Jul 2014 20:24:56 +0000 (-0700)
Subject: SECURITY: Prepend jsonp callback with comment
X-Git-Tag: 1.31.0-rc.0~14662
X-Git-Url: http://git.cyclocoop.org/%24image?a=commitdiff_plain;h=fe32899523cf28708d81276d604a59b311fdd3cd;p=lhc%2Fweb%2Fwiklou.git
SECURITY: Prepend jsonp callback with comment
Mitigate CVE-2014-4671 for unpatched flash players
Bug: 68187
Change-Id: I2f46e623c1f541dbbafb6e8333e0929055098b15
---
diff --git a/includes/api/ApiFormatJson.php b/includes/api/ApiFormatJson.php
index e2c6b9ac94..6c5ad38e55 100644
--- a/includes/api/ApiFormatJson.php
+++ b/includes/api/ApiFormatJson.php
@@ -66,7 +66,9 @@ class ApiFormatJson extends ApiFormatBase {
 $callback = $params['callback'];
 if ( $callback !== null ) {
 $callback = preg_replace( "/[^][.\\'\\\"_A-Za-z0-9]/", '', $callback );
-$this->printText( "$callback($json)" );
+# Prepend a comment to try to avoid attacks against content
+# sniffers, such as bug 68187.
+$this->printText( "/**/$callback($json)" );
 } else {
 $this->printText( $json );
 }
diff --git a/tests/phpunit/includes/api/format/ApiFormatJsonTest.php b/tests/phpunit/includes/api/format/ApiFormatJsonTest.php
index c71faec8e2..fc1f90217a 100644
--- a/tests/phpunit/includes/api/format/ApiFormatJsonTest.php
+++ b/tests/phpunit/includes/api/format/ApiFormatJsonTest.php
@@ -14,4 +14,9 @@ class ApiFormatJsonTest extends ApiFormatTestBase {
 $this->assertInternalType( 'array', json_decode( $data, true ) );
 $this->assertGreaterThan( 0, count( (array)$data ) );
 }
+
+public function testJsonpInjection( ) {
+$data = $this->apiRequest( 'json', array( 'action' => 'query', 'meta' => 'siteinfo', 'callback' => 'myCallback' ) );
+$this->assertEquals( '/**/myCallback(', substr( $data, 0, 15 ) );
+}
 }
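Review bot: The new comment above `$this->printText( "/**/$callback($json)" )` says what is prepended but not why it works, which leaves the `/**/` looking cosmetic to a future cleanup. The property that makes it effective is visible in the preceding context line: the `preg_replace` whitelist cannot pass `/`, so the first bytes of every JSONP response are fixed by the server rather than by the caller, which is exactly what a byte-sniffing client (the Flash issue named in the commit message) keys on. I would make that explicit, e.g. `# Prepend a comment so the leading bytes of the response are never caller-controlled (the filtered callback cannot contain '/'); this defeats content sniffers such as CVE-2014-4671 / bug 68187.` Whether the response also carries a nosniff header is outside this hunk and worth confirming as the second layer. The enclosing method begins before the hunk.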
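Review bot: `substr( $data, 0, 15 )` in testJsonpInjection hard-codes the length of the expected prefix, so any later change to the prefix or the callback name fails with an unhelpful partial-string mismatch instead of stating the intent; `$this->assertStringStartsWith( '/**/myCallback(', $data );` checks the same thing without the magic number. The method name is also slightly misleading since no injection is attempted — something like testJsonpCallbackIsPrefixedWithComment describes the behaviour being pinned. The empty parameter list `testJsonpInjection( )` carries a stray space. A second case with a callback containing characters the filter strips would additionally pin the sanitisation that the prefix depends on.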