
Commit d41207c

chris-allanknabar
authored and committed
Check that the JSONP callback is a valid function
1 parent e5f012b commit d41207c


1 file changed

+10
-0
lines changed


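--- a/omeroweb/webgateway/views.py
+++ b/omeroweb/webgateway/views.py
@@ -102,6 +102,14 @@ def _safestr(s):
 return str(s).encode("utf-8")
 
 
+# Regular expression that represents the characters in ASCII that are
+# allowed in a valid JavaScript variable name. Function names adhere to
+# the same rules.
+# See:
+# https://stackoverflow.com/questions/1661197/what-characters-are-valid-for-javascript-variable-names
+VALID_JS_VARIABLE = re.compile(r"^[a-zA-Z_$][0-9a-zA-Z_$]*$")
+
+
 class UserProxy(object):
 """
 Represents the current user of the connection, with methods delegating to
@@ -1443,6 +1451,8 @@ def wrap(request, *args, **kwargs):
 return rv
 c = request.GET.get("callback", None)
 if c is not None and not kwargs.get("_internal", False):
+if not VALID_JS_VARIABLE.match(c):
+return HttpResponseBadRequest("Invalid callback")
 rv = json.dumps(rv)
 rv = "%s(%s)" % (c, rv)
 # mimetype for JSONP is application/javascript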
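Review bot: The new guard in the second hunk still accepts a callback value that ends in a newline, because `$` in Python's `re` also matches just before a trailing `\n`, so `VALID_JS_VARIABLE.match("cb\n")` succeeds and that newline is then echoed verbatim into the response body by the `rv = "%s(%s)" % (c, rv)` line. Anchoring the pattern added in the first hunk with `\Z` instead of `$` (or calling `VALID_JS_VARIABLE.fullmatch(c)` at the check) closes this: `VALID_JS_VARIABLE = re.compile(r"^[a-zA-Z_$][0-9a-zA-Z_$]*\Z")`. A short comment on the regex noting that `\Z` is deliberate, e.g. `# \Z rather than $: $ would also accept a trailing newline`, would keep the next maintainer from "simplifying" it back. The hunk does not show whether `HttpResponseBadRequest` is already imported in this module; if it is not, the new early return will raise a NameError only when an invalid callback is actually sent. The enclosing `wrap` function begins and ends outside the hunk.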
