summaryrefslogtreecommitdiffstats
path: root/Bugzilla
diff options
context:
space:
mode:
authorReed Loden <reed@reedloden.com>2014-07-09 08:37:29 +0200
committerByron Jones <glob@mozilla.com>2014-07-09 08:37:29 +0200
commit4c9f4e703dd840d58d7d2f6a4cd34ea72d891c9e (patch)
treee8469bfa44091409f5bb23198e6845dc8dba0a6e /Bugzilla
parentfce9ee9c0eee843140bf09511b574f65d00e24f6 (diff)
downloadbugzilla-4c9f4e703dd840d58d7d2f6a4cd34ea72d891c9e.tar.gz
bugzilla-4c9f4e703dd840d58d7d2f6a4cd34ea72d891c9e.tar.xz
Bug 1036213: fix jsonrpc.cgi callback
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/WebService/Server/JSONRPC.pm4
1 files changed, 3 insertions, 1 deletions
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index 109c530b7..0df4240e0 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
@@ -92,7 +92,9 @@ sub response {
# Implement JSONP.
if (my $callback = $self->_bz_callback) {
my $content = $response->content;
- $response->content("$callback($content)");
+ # Prepend the JSONP response with /**/ in order to protect
+ # against possible encoding attacks (e.g., affecting Flash).
+ $response->content("/**/$callback($content)");
}
# Use $cgi->header properly instead of just printing text directly.