
Merge branch 'rosetta_flash' of https://github.com/gcampbell/rails in…

…to gcampbell-rosetta_flash

* 'rosetta_flash' of https://github.com/gcampbell/rails:
  Address CVE-2014-4671 (JSONP Flash exploit)

Conflicts:
	actionpack/CHANGELOG.md
2 parents 6b6832e + 4003a5b commit 93fb4c1e62dc9605eecbfaffda2becc85890fa5f @tenderlove tenderlove committed Jul 10, 2014
@@ -1,3 +1,8 @@
+* Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
+ ("Rosetta Flash")
+
+ *Greg Campbell*
+
* Because URI paths may contain non US-ASCII characters we need to force
the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
This essentially replicates the functionality of the monkey patch to
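Review bot: the new CHANGELOG entry names the CVE but not why a leading comment helps; since the next hunk shows the response body is built from `options[:callback]`, a clause such as "so the response no longer begins with caller-supplied bytes" would let changelog readers understand the mitigation without opening the advisory.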
@@ -116,7 +116,7 @@ module All
self.content_type = Mime::JS
end
- "#{options[:callback]}(#{json})"
+ "/**/#{options[:callback]}(#{json})"
else
self.content_type ||= Mime::JSON
json
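Review bot: the `/**/` prefix only changes what the first bytes of the body are; `#{options[:callback]}` is still interpolated verbatim with no check on its contents. Consider validating the callback against a conservative identifier pattern (letters, digits, `_`, `$`, `.`) before rendering, or documenting in the method that callers are responsible for restricting it, so the comment prefix is not the sole control on this path.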
@@ -520,7 +520,7 @@ def test_html_type_with_layout
def test_json_with_callback_sets_javascript_content_type
@request.accept = 'application/json'
get :json_with_callback
- assert_equal 'alert(JS)', @response.body
+ assert_equal '/**/alert(JS)', @response.body
assert_equal 'text/javascript', @response.content_type
end
@@ -101,7 +101,7 @@ def test_render_json_with_status
def test_render_json_with_callback
xhr :get, :render_json_hello_world_with_callback
- assert_equal 'alert({"hello":"world"})', @response.body
+ assert_equal '/**/alert({"hello":"world"})', @response.body
assert_equal 'text/javascript', @response.content_type
end
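Review bot: this hunk and the one above both pin the exact body string, so the `/**/` prefix is asserted in two places via literals. A single assertion that the rendered body starts with `/**/` for any callback name (for example `assert_match(/\A\/\*\*\//, @response.body)` alongside the existing equality check) would keep the security property testable when the fixture callback or JSON payload changes.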
