Merge pull request #807 from willdurand/jsonp-rosetta

Mitigate CSRF bypassing Same Origin Policy attack

Resources/doc/2-the-view-layer.md

@@ -304,6 +304,15 @@ fos_rest:
             callback_param:       false
 ```
 
+When working with JSONP, be aware of
+[CVE-2014-4671](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4671)
+(full explanation can be found here: [Abusing JSONP with Rosetta
+Flash](http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/)). You
+SHOULD use
+[NelmioSecurityBundle](https://github.com/nelmio/NelmioSecurityBundle) and
+[disable the content type sniffing for script
+resources](https://github.com/nelmio/NelmioSecurityBundle#content-type-sniffing).
+
 #### CSRF validation
 
 When building a single application that should handle forms both via HTML forms as well

Tests/View/JsonpHandlerTest.php

@@ -62,7 +62,7 @@ public function testHandle($query)
 
         $response = $viewHandler->handle($view, $request);
 
-        $this->assertEquals(reset($query).'('.var_export($data, true).')', $response->getContent());
+        $this->assertEquals('/**/'.reset($query).'('.var_export($data, true).')', $response->getContent());
     }
 
     public static function handleDataProvider()

View/JsonpHandler.php

@@ -57,7 +57,7 @@ public function createResponse(ViewHandler $handler, View $view, Request $reques
 
         if ($response->isSuccessful()) {
             $callback = $this->getCallback($request);
-            $response->setContent($callback.'('.$response->getContent().')');
+            $response->setContent(sprintf('/**/%s(%s)', $callback, $response->getContent()));
             $response->headers->set('Content-Type', $request->getMimeType($format));
         }