Skip to content

Commit a702746

Browse files
mgolmgol
authored
Tests: Strip untypical callback parameter characters from mock.php
Only allow alphanumeric characters & underscores for callback parameters. The change is done both for the PHP server as well as the Node.js-based version. This is only test code so we're not fixing any security issue but it happens often enough that the whole jQuery repository directory structure is deployed onto the server with PHP enabled that it makes is easy to introduce security issues if this cleanup is not done. Ref gh-4764 Closes gh-4871
1 parent 50e8e84 commit a702746

File tree

2 files changed

+24
-13
lines changed

2 files changed

+24
-13
lines changed

test/data/mock.php

+14-8
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,12 @@
11
<?php
2+
23
/**
34
* Keep in sync with /test/middleware-mockserver.js
45
*/
6+
function cleanCallback( $callback ) {
7+
return preg_replace( '/[^a-z0-9_]/i', '', $callback );
8+
}
9+
510
class MockServer {
611
protected function contentType( $req ) {
712
$type = $req->query['contentType'];
@@ -65,7 +70,8 @@ protected function script( $req ) {
6570
array_values( $req->headers )
6671
);
6772

68-
echo $req->query['callback'] . "(" . json_encode( [ 'headers' => $headers ] ) . ")";
73+
echo cleanCallback( $req->query['callback'] ) .
74+
"(" . json_encode( [ 'headers' => $headers ] ) . ")";
6975
} else {
7076
echo 'QUnit.assert.ok( true, "mock executed" );';
7177
}
@@ -105,17 +111,17 @@ protected function jsonp( $req ) {
105111
} else {
106112
$callback = $_POST['callback'];
107113
}
108-
if ( isset( $req->query['array'] ) ) {
109-
echo $callback . '([ {"name": "John", "age": 21}, {"name": "Peter", "age": 25 } ])';
110-
} else {
111-
echo $callback . '({ "data": {"lang": "en", "length": 25} })';
112-
}
114+
$json = isset( $req->query['array'] ) ?
115+
'[ { "name": "John", "age": 21 }, { "name": "Peter", "age": 25 } ]' :
116+
'{ "data": { "lang": "en", "length": 25 } }';
117+
echo cleanCallback( $callback ) . '(' . $json . ')';
113118
}
114119

115120
protected function xmlOverJsonp( $req ) {
116121
$callback = $_REQUEST['callback'];
122+
$cleanCallback = cleanCallback( $callback );
117123
$text = json_encode( file_get_contents( __DIR__ . '/with_fries.xml' ) );
118-
echo "$callback($text)\n";
124+
echo "$cleanCallback($text)\n";
119125
}
120126

121127
protected function error( $req ) {
@@ -243,7 +249,7 @@ protected function errorWithScript( $req ) {
243249
}
244250
if ( isset( $req->query['callback'] ) ) {
245251
$callback = $req->query['callback'];
246-
echo $callback . '( {"status": 404, "msg": "Not Found"} )';
252+
echo cleanCallback( $callback ) . '( {"status": 404, "msg": "Not Found"} )';
247253
} else {
248254
echo 'QUnit.assert.ok( false, "Mock return erroneously executed" );';
249255
}

test/middleware-mockserver.js

+10-5
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ var cspLog = "";
77
/**
88
* Keep in sync with /test/mock.php
99
*/
10+
function cleanCallback( callback ) {
11+
return callback.replace( /[^a-z0-9_]/gi, "" );
12+
}
13+
1014
var mocks = {
1115
contentType: function( req, resp ) {
1216
resp.writeHead( 200, {
@@ -73,7 +77,7 @@ var mocks = {
7377
}
7478

7579
if ( req.query.callback ) {
76-
resp.end( req.query.callback + "(" + JSON.stringify( {
80+
resp.end( cleanCallback( req.query.callback ) + "(" + JSON.stringify( {
7781
headers: req.headers
7882
} ) + ")" );
7983
} else {
@@ -126,14 +130,14 @@ var mocks = {
126130
{ data: { lang: "en", length: 25 } }
127131
);
128132
callback.then( function( cb ) {
129-
resp.end( cb + "(" + json + ")" );
133+
resp.end( cleanCallback( cb ) + "(" + json + ")" );
130134
}, next );
131135
},
132136
xmlOverJsonp: function( req, resp ) {
133137
var callback = req.query.callback;
134138
var body = fs.readFileSync( __dirname + "/data/with_fries.xml" ).toString();
135139
resp.writeHead( 200 );
136-
resp.end( callback + "(" + JSON.stringify( body ) + ")\n" );
140+
resp.end( cleanCallback( callback ) + "(" + JSON.stringify( body ) + ")\n" );
137141
},
138142
error: function( req, resp ) {
139143
if ( req.query.json ) {
@@ -256,10 +260,11 @@ var mocks = {
256260
if ( req.query.withScriptContentType ) {
257261
resp.writeHead( 404, { "Content-Type": "application/javascript" } );
258262
} else {
259-
resp.writeHead( 404 );
263+
resp.writeHead( 404, { "Content-Type": "text/html; charset=UTF-8" } );
260264
}
261265
if ( req.query.callback ) {
262-
resp.end( req.query.callback + "( {\"status\": 404, \"msg\": \"Not Found\"} )" );
266+
resp.end( cleanCallback( req.query.callback ) +
267+
"( {\"status\": 404, \"msg\": \"Not Found\"} )" );
263268
} else {
264269
resp.end( "QUnit.assert.ok( false, \"Mock return erroneously executed\" );" );
265270
}

0 commit comments

Comments
 (0)