summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLukas Fleischer <lfleischer@archlinux.org>2015-09-12 10:04:43 +0200
committerLukas Fleischer <lfleischer@archlinux.org>2015-09-12 10:20:03 +0200
commit209b0b6edad0c18a2ea14eac83c6c4787264aa63 (patch)
treed849a9e09d18d5e5cc20e3374857b51acaefb05c
parentee9a8f232b960c5bfad7376f129710d19871edcc (diff)
downloadaur-209b0b6edad0c18a2ea14eac83c6c4787264aa63.tar.gz
aur-209b0b6edad0c18a2ea14eac83c6c4787264aa63.tar.xz
Mitigate JSONP callback vulnerabilities
The callback parameter of the RPC interface currently allows for specifying a prefix of arbitrary length of the returned result. This can be exploited by certain attacks. As a countermeasure, this patch restricts the allowed character set for the callback name to letters, digits, underscores, parenthesis and dots. It also limits the length of the name to 128 characters. Furthermore, the reflected callback name is now always prepended with "/**/", which is a common workaround to protect against attacks such as Rosetta Flash. Fixes FS#46259. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-rw-r--r--web/lib/aurjson.class.php8
1 files changed, 6 insertions, 2 deletions
diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php
index e102fed4..e646c636 100644
--- a/web/lib/aurjson.class.php
+++ b/web/lib/aurjson.class.php
@@ -110,9 +110,13 @@ class AurJSON {
return;
}
- if (isset($http_data['callback'])) {
+ $callback = $http_data['callback'];
+ if (isset($callback)) {
+ if (!preg_match('/^[a-zA-Z0-9().]{1,128}$/D', $callback)) {
+ return $this->json_error('Invalid callback name.');
+ }
header('content-type: text/javascript');
- return $http_data['callback'] . "({$json})";
+ return '/**/' . $callback . '(' . $json . ')';
} else {
header('content-type: application/json');
return $json;