NotificationsYou must be signed in to change notification settings
Fork20.6k
Star59.5k

Commita702746

authored

Tests: Strip untypical callback parameter characters from mock.php

Only allow alphanumeric characters & underscores for callback parameters.The change is done both for the PHP server as well as the Node.js-based version.This is only test code so we're not fixing any security issue but it happensoften enough that the whole jQuery repository directory structure is deployedonto the server with PHP enabled that it makes is easy to introduce securityissues if this cleanup is not done.Refgh-4764Closesgh-4871

1 parent50e8e84 commita702746Copy full SHA for a702746

File tree

2 files changed

+24

-13

lines changed

test
- data
  - mock.php
- middleware-mockserver.js

2 files changed

+24

-13

lines changed

`‎test/data/mock.php`

Lines changed: 14 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,12 @@`
`1`	`1`	`<?php`
	`2`	`+`
`2`	`3`	`/**`
`3`	`4`	`* Keep in sync with /test/middleware-mockserver.js`
`4`	`5`	`*/`
	`6`	`+functioncleanCallback($callback ) {`
	`7`	`+returnpreg_replace('/[^a-z0-9_]/i','',$callback );`
	`8`	`+}`
	`9`	`+`
`5`	`10`	`class MockServer {`
`6`	`11`	`protectedfunctioncontentType($req ) {`
`7`	`12`	`$type =$req->query['contentType'];`
`@@ -65,7 +70,8 @@ protected function script( $req ) {`
`65`	`70`	`array_values($req->headers )`
`66`	`71`	`);`
`67`	`72`
`68`		`-echo$req->query['callback'] ."(" .json_encode( ['headers' =>$headers ] ) .")";`
	`73`	`+echocleanCallback($req->query['callback'] ) .`
	`74`	`+"(" .json_encode( ['headers' =>$headers ] ) .")";`
`69`	`75`	`}else {`
`70`	`76`	`echo'QUnit.assert.ok( true, "mock executed" );';`
`71`	`77`	`}`
`@@ -105,17 +111,17 @@ protected function jsonp( $req ) {`
`105`	`111`	`}else {`
`106`	`112`	`$callback =$_POST['callback'];`
`107`	`113`	`}`
`108`		`-if (isset($req->query['array'] ) ) {`
`109`		`-echo$callback .'([ {"name": "John", "age": 21}, {"name": "Peter", "age": 25 } ])';`
`110`		`-}else {`
`111`		`-echo$callback .'({ "data": {"lang": "en", "length": 25} })';`
`112`		`-}`
	`114`	`+$json =isset($req->query['array'] ) ?`
	`115`	`+'[ { "name": "John", "age": 21 }, { "name": "Peter", "age": 25 } ]' :`
	`116`	`+'{ "data": { "lang": "en", "length": 25 } }';`
	`117`	`+echocleanCallback($callback ) .'(' .$json .')';`
`113`	`118`	`}`
`114`	`119`
`115`	`120`	`protectedfunctionxmlOverJsonp($req ) {`
`116`	`121`	`$callback =$_REQUEST['callback'];`
	`122`	`+$cleanCallback =cleanCallback($callback );`
`117`	`123`	`$text =json_encode(file_get_contents(__DIR__ .'/with_fries.xml' ) );`
`118`		`-echo"$callback($text)\n";`
	`124`	`+echo"$cleanCallback($text)\n";`
`119`	`125`	`}`
`120`	`126`
`121`	`127`	`protectedfunctionerror($req ) {`
`@@ -243,7 +249,7 @@ protected function errorWithScript( $req ) {`
`243`	`249`	`}`
`244`	`250`	`if (isset($req->query['callback'] ) ) {`
`245`	`251`	`$callback =$req->query['callback'];`
`246`		`-echo$callback .'( {"status": 404, "msg": "Not Found"} )';`
	`252`	`+echocleanCallback($callback ) .'( {"status": 404, "msg": "Not Found"} )';`
`247`	`253`	`}else {`
`248`	`254`	`echo'QUnit.assert.ok( false, "Mock return erroneously executed" );';`
`249`	`255`	`}`

`‎test/middleware-mockserver.js`

Lines changed: 10 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,10 @@ var cspLog = "";`
`7`	`7`	`/**`
`8`	`8`	`* Keep in sync with /test/mock.php`
`9`	`9`	`*/`
	`10`	`+functioncleanCallback(callback){`
	`11`	`+returncallback.replace(/[^a-z0-9_]/gi,"");`
	`12`	`+}`
	`13`	`+`
`10`	`14`	`varmocks={`
`11`	`15`	`contentType:function(req,resp){`
`12`	`16`	`resp.writeHead(200,{`
`@@ -73,7 +77,7 @@ var mocks = {`
`73`	`77`	`}`
`74`	`78`
`75`	`79`	`if(req.query.callback){`
`76`		`-resp.end(req.query.callback+"("+JSON.stringify({`
	`80`	`+resp.end(cleanCallback(req.query.callback)+"("+JSON.stringify({`
`77`	`81`	`headers:req.headers`
`78`	`82`	`})+")");`
`79`	`83`	`}else{`
`@@ -126,14 +130,14 @@ var mocks = {`
`126`	`130`	`{data:{lang:"en",length:25}}`
`127`	`131`	`);`
`128`	`132`	`callback.then(function(cb){`
`129`		`-resp.end(cb+"("+json+")");`
	`133`	`+resp.end(cleanCallback(cb)+"("+json+")");`
`130`	`134`	`},next);`
`131`	`135`	`},`
`132`	`136`	`xmlOverJsonp:function(req,resp){`
`133`	`137`	`varcallback=req.query.callback;`
`134`	`138`	`varbody=fs.readFileSync(__dirname+"/data/with_fries.xml").toString();`
`135`	`139`	`resp.writeHead(200);`
`136`		`-resp.end(callback+"("+JSON.stringify(body)+")\n");`
	`140`	`+resp.end(cleanCallback(callback)+"("+JSON.stringify(body)+")\n");`
`137`	`141`	`},`
`138`	`142`	`error:function(req,resp){`
`139`	`143`	`if(req.query.json){`
`@@ -256,10 +260,11 @@ var mocks = {`
`256`	`260`	`if(req.query.withScriptContentType){`
`257`	`261`	`resp.writeHead(404,{"Content-Type":"application/javascript"});`
`258`	`262`	`}else{`
`259`		`-resp.writeHead(404);`
	`263`	`+resp.writeHead(404,{"Content-Type":"text/html; charset=UTF-8"});`
`260`	`264`	`}`
`261`	`265`	`if(req.query.callback){`
`262`		`-resp.end(req.query.callback+"( {\"status\": 404, \"msg\": \"Not Found\"} )");`
	`266`	`+resp.end(cleanCallback(req.query.callback)+`
	`267`	`+"( {\"status\": 404, \"msg\": \"Not Found\"} )");`
`263`	`268`	`}else{`
`264`	`269`	`resp.end("QUnit.assert.ok( false, \"Mock return erroneously executed\" );");`
`265`	`270`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commita702746

File tree

2 files changed

2 files changed

`‎test/data/mock.php`

`‎test/middleware-mockserver.js`

0 commit comments