SECURITY: Prepend jsonp callback with comment
authorcsteipp <csteipp@wikimedia.org>
Thu, 17 Jul 2014 20:24:56 +0000 (13:24 -0700)
committermglaser <glaser@hallowelt.biz>
Wed, 30 Jul 2014 18:26:39 +0000 (20:26 +0200)
Mitigate CVE-2014-4671 for unpatched Flash players

Bug: 68187
Change-Id: I2f46e623c1f541dbbafb6e8333e0929055098b15

includes/api/ApiFormatJson.php
tests/phpunit/includes/api/format/ApiFormatJsonTest.php

index e2c6b9a..6c5ad38 100644 (file)
@@ -66,7 +66,9 @@ class ApiFormatJson extends ApiFormatBase {
                $callback = $params['callback'];
                if ( $callback !== null ) {
                        $callback = preg_replace( "/[^][.\\'\\\"_A-Za-z0-9]/", '', $callback );
-                       $this->printText( "$callback($json)" );
+                       # Prepend a comment to try to avoid attacks against content
+                       # sniffers, such as bug 68187.
+                       $this->printText( "/**/$callback($json)" );
                } else {
                        $this->printText( $json );
                }
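Review bot: The new comment above the `printText()` call in the callback branch cites only a bug number, so the invariant the line protects is not written down: the response body must never begin with bytes chosen by the caller. The `preg_replace()` filter on the line above keeps the whole alphanumeric range, so the fixed `/**/` prefix is the only thing in this branch that stops the callback from being the first bytes of the body. I would word the comment as `# The body must not start with caller-controlled bytes (CVE-2014-4671, bug 68187);` followed by `# keep the fixed "/**/" prefix ahead of the callback.` The enclosing method starts and ends outside this hunk, so the Content-Type and any `X-Content-Type-Options: nosniff` header sent with this response cannot be checked from here and are worth confirming separately.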
index c71faec..fc1f902 100644 (file)
@@ -14,4 +14,9 @@ class ApiFormatJsonTest extends ApiFormatTestBase {
                $this->assertInternalType( 'array', json_decode( $data, true ) );
                $this->assertGreaterThan( 0, count( (array)$data ) );
        }
+
+       public function testJsonpInjection( ) {
+               $data = $this->apiRequest( 'json', array( 'action' => 'query', 'meta' => 'siteinfo', 'callback' => 'myCallback' ) );
+               $this->assertEquals( '/**/myCallback(', substr( $data, 0, 15 ) );
+       }
 }
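Review bot: `testJsonpInjection` compares a hand-counted 15-byte `substr()` against the expected prefix, which goes stale if the callback name or the prefix ever changes. `$this->assertStringStartsWith( '/**/myCallback(', $data );` states the same check without the magic length. The callback passed in is already clean, so the character filter in ApiFormatJson is not exercised by this test despite its name. A second case with a callback holding characters outside the allowed set, asserting that they are absent from the output and that the body still starts with `/**/`, would pin both halves of the mitigation.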