external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Mitigate JSONP callback vulnerabilities

Browse source 
The callback parameter of the RPC interface currently allows for
specifying a prefix of arbitrary length of the returned result. This can
be exploited by certain attacks.

As a countermeasure, this patch restricts the allowed character set for
the callback name to letters, digits, underscores, parenthesis and dots.
It also limits the length of the name to 128 characters. Furthermore,
the reflected callback name is now always prepended with "/**/", which
is a common workaround to protect against attacks such as Rosetta Flash.

Fixes FS#46259.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
This commit is contained in:
Lukas Fleischer 2015-09-12 10:04:43 +02:00
parent ee9a8f232b
commit 209b0b6eda
1 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
web/lib/aurjson.class.php
View file

@ -110,9 +110,13 @@ class AurJSON {
return; return;
} }
if (isset($http_data['callback'])) { $callback = $http_data['callback'];
if (isset($callback)) {
if (!preg_match('/^[a-zA-Z0-9().]{1,128}$/D', $callback)) {
return $this->json_error('Invalid callback name.');
}
header('content-type: text/javascript'); header('content-type: text/javascript');
return $http_data['callback'] . "({$json})"; return '/**/' . $callback . '(' . $json . ')';
} else { } else {
header('content-type: application/json'); header('content-type: application/json');
return $json; return $json;