[HttpFoundation] Fix to prevent magic bytes injection in JSONP responses... (CVE-2014-4671) #11367
* Unless you are parsing the response string manually, which you really shouldn't do anyway
THIS IS A SECURITY FIX AND SHOULD BE MERGED SHORTLY
This fix prevents attack vectors where third-party browser plugins depend on ASCII magic bytes in order to execute a plugin. This is currently exploited with Flash using a carefully crafted JSONP response, allowing the execution of random SWF data from a domain with a vulnerable JSONP endpoint.
This security issue is mitigated by adding an empty comment right before the callback parameter. This does not affect the execution of the JSONP callback.
That issue (on a general basis) has already received public disclosure anyway through various news organizations and blogs since July 8. Public disclosure of the issue with Symfony at this point (even before the merge) is the best course of action so that people who are affected can manually merge (I am aware of the security mailing list). This isn't a Symfony-specific issue.
However this patch mitigates future attacks on the same vector.
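The mechanism described above, as an added example that is not part of the PR or of Symfony's code: a JavaScript model of the server-side JSONP construction, showing the vulnerable form (the body starts with whatever callback name the attacker supplied, so it can begin with the SWF magic bytes `FWS`, `CWS` or `ZWS`) beside the mitigated form that prepends an empty `/**/` comment, plus a check that the mitigated body still executes as JSONP. The callback whitelist regex and the attacker string are my own assumptions for the example; the string is a constructed placeholder, not a working SWF.

```javascript
// Added example (not Symfony's code): model of the JSONP mitigation described in
// the PR. If the attacker controls the callback name, the response body starts
// with attacker-chosen ASCII, which can be the magic bytes of a plugin format
// (for Flash: "FWS", "CWS", "ZWS"), so a plugin loading the URL may treat the
// whole response as a SWF. An empty comment in front means the body never starts
// with attacker bytes, while remaining valid JavaScript for the real JSONP client.

// SWF magic bytes: uncompressed, zlib-compressed and LZMA-compressed containers.
const SWF_MAGIC = ['FWS', 'CWS', 'ZWS'];

// Callback names limited to dotted JS identifiers. This whitelist is an
// assumption made for the example, not the PR's validation rule.
const CALLBACK_RE = /^[$_\p{L}][$_\p{L}\p{N}]*(?:\.[$_\p{L}][$_\p{L}\p{N}]*)*$/u;

// Vulnerable construction: the response begins with whatever the caller passed.
function jsonpUnsafe(callback, data) {
  return `${callback}(${JSON.stringify(data)});`;
}

// Hardened construction: empty comment first, and reject non-identifier callbacks.
function jsonpHardened(callback, data) {
  if (!CALLBACK_RE.test(callback)) {
    throw new Error(`invalid JSONP callback: ${callback}`);
  }
  return `/**/${callback}(${JSON.stringify(data)});`;
}

// Check to run against any endpoint's body: does it start with SWF magic bytes?
function startsWithSwfMagic(body) {
  return SWF_MAGIC.some((magic) => body.startsWith(magic));
}

// Model of the browser executing the <script src="...?callback=cb"> response:
// the page defines the callback, the response body calls it with the payload.
function runAsJsonpClient(body, callbackName) {
  let received;
  new Function(callbackName, body)((value) => { received = value; });
  return received;
}

// Constructed attacker input: an alphanumeric callback beginning with the CWS
// magic. A real payload would be an entire SWF made of such characters; this
// is only a placeholder that demonstrates the leading bytes.
const ATTACKER_CALLBACK = 'CWSconstructedAlphanumericPayload7hA0';

if (typeof require !== 'undefined' && require.main === module) {
  const data = { user: 'alice', token: 'constructed-secret' };
  console.log('unsafe body starts with SWF magic:',
    startsWithSwfMagic(jsonpUnsafe(ATTACKER_CALLBACK, data)));
  console.log('hardened body starts with SWF magic:',
    startsWithSwfMagic(jsonpHardened(ATTACKER_CALLBACK, data)));
  console.log('hardened body still delivers data:',
    runAsJsonpClient(jsonpHardened('cb', data), 'cb'));
}
```

Note that the attacker's callback is a syntactically valid identifier, so the whitelist alone does not stop it; it is the `/**/` prefix that keeps the first bytes of the body out of the attacker's hands, which is exactly the point the PR makes about the comment not affecting the callback's execution.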
I think setting such headers would be nice too.
referenced this pull request on Jul 11, 2014 and Jul 15, 2014
added a commit to this pull request on Jul 15, 2014
@fabpot You are welcome.
And no, I don't think we need a Symfony-specific CVE. This is a server-side mitigation measure to a client-side security issue. This is also why I didn't go through the mailing list (again, nothing wrong with Symfony per se).
However, since we can mitigate it, I submitted this patch. You can never be too careful...