base fork: socketio/socket.io
...
head fork: racker/socket.io
compare: restrict_jsonp
  • 2 commits
  • 2 files changed
  • 0 commit comments
  • 1 contributor
Showing with 6 additions and 4 deletions.
  1. +4 −3 lib/manager.js
  2. +2 −1  lib/transports/jsonp-polling.js
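--- a/lib/manager.js
+++ b/lib/manager.js
@@ -44,7 +44,8 @@ var defaultTransports = exports.defaultTransports = [
 */
 var parent = module.parent.exports
- , protocol = parent.protocol;
+ , protocol = parent.protocol
+ , jsonpolling_re = /^\d+$/;
 /**
 * Manager constructor.
@@ -712,7 +713,7 @@ Manager.prototype.handleHandshake = function (data, req, res) {
 };
 function writeErr (status, message) {
- if (data.query.jsonp) {
+ if (data.query.jsonp && jsonpolling_re.test(data.query.jsonp)) {
 res.writeHead(200, { 'Content-Type': 'application/javascript' });
 res.end('io.j[' + data.query.jsonp + '](new Error("' + message + '"));');
 } else {
@@ -751,7 +752,7 @@ Manager.prototype.handleHandshake = function (data, req, res) {
 , self.transports(data).join(',')
 ].join(':');
- if (data.query.jsonp) {
+ if (data.query.jsonp && jsonpolling_re.test(data.query.jsonp)) {
 hs = 'io.j[' + data.query.jsonp + '](' + JSON.stringify(hs) + ');';
 res.writeHead(200, { 'Content-Type': 'application/javascript' });
 } else {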
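Review bot: In `writeErr`, `message` is still concatenated unescaped into a JavaScript string literal on the `res.end('io.j[' + ...` line, so the new digit check on `data.query.jsonp` covers only one of the two values spliced into that script response. The callers of `writeErr` are outside this hunk, so it is not visible whether `message` can ever carry request-derived text, but a double quote, backslash or newline in it would at least produce a malformed body. Encoding it the way the handshake branch already encodes `hs` removes the question: `res.end('io.j[' + data.query.jsonp + '](new Error(' + JSON.stringify(message) + '));');`. Both `writeErr` and `handleHandshake` continue outside the hunks shown here.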
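--- a/lib/transports/jsonp-polling.js
+++ b/lib/transports/jsonp-polling.js
@@ -10,6 +10,7 @@
 */
 var HTTPPolling = require('./http-polling');
+var jsonpolling_re = /^\d+$/
 /**
 * Export the constructor.
@@ -29,7 +30,7 @@ function JSONPPolling (mng, data, req) {
 this.head = 'io.j[0](';
 this.foot = ');';
- if (data.query.i) {
+ if (data.query.i && jsonpolling_re.test(data.query.i)) {
 this.head = 'io.j[' + data.query.i + '](';
 }
 };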
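Review bot: `jsonpolling_re` is now declared twice with the same pattern, here and in lib/manager.js, so the two checks on the JSONP callback index can drift apart if one is tightened later. Defining it once and referencing it from both files would keep them in step. The added `var jsonpolling_re = /^\d+$/` line also omits the terminating semicolon that the `require` line above it uses. A comment such as `// JSONP callback index is echoed into the response script, so accept digits only` would record why the check exists. The `JSONPPolling` constructor starts outside the hunk.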
