bugfix: the callback argument value parser did not accept JS identifi…

…er names starting with underscores. Thanks Sam Mulube.
commit 769ce1c96d6cc9beb3088fdf4983574b89cb93a9 1 parent fb5ea7e
@agentzh agentzh authored
1  .gitignore
@@ -52,3 +52,4 @@ src/util.c
src/util.rl
all
t/servroot/
+buildroot/
8 src/ngx_http_xss_util.c
@@ -40,8 +40,10 @@ ngx_int_t ngx_http_xss_test_callback(char *data, size_t len)
if ( ++p == pe )
goto _test_eof1;
case 1:
- if ( (*p) == 36 )
- goto st6;
+ switch( (*p) ) {
+ case 36: goto st6;
+ case 95: goto st6;
+ }
if ( (*p) > 90 ) {
if ( 97 <= (*p) && (*p) <= 122 )
goto st6;
@@ -128,7 +130,7 @@ case 5:
if (cs <
-#line 132 "src/ngx_http_xss_util.c"
+#line 134 "src/ngx_http_xss_util.c"
6
#line 29 "src/ngx_http_xss_util.rl"
|| p != pe) {
2  src/ngx_http_xss_util.rl
@@ -13,7 +13,7 @@ ngx_int_t ngx_http_xss_test_callback(char *data, size_t len)
int cs;
%%{
- identifier = [$A-Za-z] [$A-Za-z0-9_]*;
+ identifier = [$A-Za-z_] [$A-Za-z0-9_]*;
index = [0-9]* '.' [0-9]+
| [0-9]+
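Review bot: The widened start class `[$A-Za-z_]` is still a deliberate subset of an ECMAScript IdentifierName (no non-ASCII letters, no `\u` escapes, no reserved-word check), and nothing in the .rl file records that this narrowness is intended, so the next "identifier X is rejected" report may widen the rule further. Since this grammar presumably acts as the allow-list for what ngx_http_xss_test_callback accepts as a callback name, I would state that in a Ragel comment directly above the rule: `# Intentionally ASCII-only: an allow-list for JSONP callback names, not the full ECMAScript IdentifierName.` The regenerated src/ngx_http_xss_util.c is consistent with this change (its `case 1` now accepts 95 as well as 36). ngx_http_xss_test_callback's body starts before the hunk and continues past it.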
18 t/sanity.t
@@ -261,3 +261,21 @@ blah(hello);
--- response_headers
Content-Type: application/x-javascript
+
+=== TEST 4: bug: keys started by underscore
+--- config
+ location /foo {
+ default_type 'application/json';
+ xss_get on;
+ xss_callback_arg _callback;
+ echo '[]';
+ }
+--- request
+GET /foo?_callback=foo._bar
+--- response_headers_like
+Content-Type: application/x-javascript
+--- response_body chop
+foo._bar([]
+);
+
+
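Review bot: TEST 4's title says "keys started by underscore", but the only callback value it sends, `foo._bar`, has the underscore after a dot rather than as the first character of the whole value; whether that reaches the same parser state as a leading underscore depends on how Ragel merged states, which is not visible from this page. A second request such as `GET /foo?_callback=_foo`, with the analogous `_foo([]` / `);` body, would pin the headline case directly. Also, `--- response_headers_like` differs from the `--- response_headers` key the preceding test uses for the same literal header value; either works, but the same key keeps the file consistent.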