Bug 1036213 - (CVE-2014-1546) add '/**/' before jsonrpc.cgi callback to avoid swf content type sniff vulnerability

r=glob,a=sgreen
author: Reed Loden <reed@reedloden.com> 2014-07-24 19:37:40 +0200
committer: David Lawrence <dkl@mozilla.com> 2014-07-24 19:37:40 +0200
commit: 02ce906f56b0c127136fbdb7eaeef4012168a990 (patch)
tree: 618632cc7fd881f48fb4cb203700f6a2ab59bc2c /Bugzilla/WebService/Server
parent: cf3e8bc724148ac85f838b35b0b0bd72fa5f349f (diff)
download: bugzilla-02ce906f56b0c127136fbdb7eaeef4012168a990.tar.gz
bugzilla-02ce906f56b0c127136fbdb7eaeef4012168a990.tar.xz
1 files changed, 3 insertions, 1 deletions
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index 5290caa5d..177e2618d 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
@@ -80,7 +80,9 @@ sub response {
     # Implement JSONP.
     if (my $callback = $self->_bz_callback) {
         my $content = $response->content;
-        $response->content("$callback($content)");
+        # Prepend the JSONP response with /**/ in order to protect
+        # against possible encoding attacks (e.g., affecting Flash).
+        $response->content("/**/$callback($content)");
     }
 
     # Use $cgi->header properly instead of just printing text directly.
author	Reed Loden <reed@reedloden.com>	2014-07-24 19:37:40 +0200
committer	David Lawrence <dkl@mozilla.com>	2014-07-24 19:37:40 +0200
commit	02ce906f56b0c127136fbdb7eaeef4012168a990 (patch)
tree	618632cc7fd881f48fb4cb203700f6a2ab59bc2c /Bugzilla/WebService/Server
parent	cf3e8bc724148ac85f838b35b0b0bd72fa5f349f (diff)
download	bugzilla-02ce906f56b0c127136fbdb7eaeef4012168a990.tar.gz bugzilla-02ce906f56b0c127136fbdb7eaeef4012168a990.tar.xz