Bug 1036213 - (CVE-2014-1546) add '/**/' before jsonrpc.cgi callback to avoid swf content type sniff vulnerability

r=glob,a=sgreen

Author: Simon Green

Bugzilla/WebService/Server/JSONRPC.pm

@@ -91,8 +91,9 @@ sub response {
     # Implement JSONP.
     if (my $callback = $self->_bz_callback) {
         my $content = $response->content;
-        $response->content("$callback($content)");
-
+        # Prepend the JSONP response with /**/ in order to protect
+        # against possible encoding attacks (e.g., affecting Flash).
+        $response->content("/**/$callback($content)");
     }
 
     # Use $cgi->header properly instead of just printing text directly.