Commitb14b62c

committed
Tests: Strip untypical callback parameter characters from mock.php
Only allow alphanumeric characters & underscores for callback parameters. The change is done both for the PHP server as well as the Node.js-based version. This is only test code so we're not fixing any security issue, but it happens often enough that the whole jQuery repository directory structure is deployed onto a server with PHP enabled that it makes it easy to introduce security issues if this cleanup is not done. Ref gh-4764 Closes gh-4871 (cherry picked from a702746)
1 parent3642471 commitb14b62c


2 files changed

+21
-11
lines changed


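--- a/test/data/mock.php
+++ b/test/data/mock.php
@@ -1,7 +1,12 @@
 <?php
+
 /**
 * Keep in sync with /test/middleware-mockserver.js
 */
+functioncleanCallback($callback ) {
+returnpreg_replace('/[^a-z0-9_]/i','',$callback );
+}
+
 class MockServer {
 protectedfunctioncontentType($req ) {
 $type =$req->query['contentType'];
@@ -87,17 +92,17 @@ protected function jsonp( $req ) {
 }else {
 $callback =$_POST['callback'];
 }
-if (isset($req->query['array'] ) ) {
-echo$callback .'([ {"name": "John", "age": 21}, {"name": "Peter", "age": 25 } ])';
-}else {
-echo$callback .'({ "data": {"lang": "en", "length": 25} })';
-}
+$json =isset($req->query['array'] ) ?
+'[ { "name": "John", "age": 21 }, { "name": "Peter", "age": 25 } ]' :
+'{ "data": { "lang": "en", "length": 25 } }';
+echocleanCallback($callback ) .'(' .$json .')';
 }
 
 protectedfunctionxmlOverJsonp($req ) {
 $callback =$_REQUEST['callback'];
+$cleanCallback =cleanCallback($callback );
 $text =json_encode(file_get_contents(__DIR__ .'/with_fries.xml' ) );
-echo"$callback($text)\n";
+echo"$cleanCallback($text)\n";
 }
 
 protectedfunctionerror($req ) {
@@ -223,7 +228,7 @@ protected function errorWithScript( $req ) {
 }
 if (isset($req->query['callback'] ) ) {
 $callback =$req->query['callback'];
-echo$callback .'( {"status": 404, "msg": "Not Found"} )';
+echocleanCallback($callback ) .'( {"status": 404, "msg": "Not Found"} )';
 }else {
 echo'QUnit.assert.ok( false, "Mock return erroneously executed" );';
 }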
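Review bot: The new `cleanCallback` helper in the first hunk has no docblock of its own, and after the added blank line the existing `Keep in sync with /test/middleware-mockserver.js` comment now sits directly above it, so it reads as the helper's documentation rather than the file's. A short docblock on the function should state the contract and the reason: `/** Allowlist a JSONP callback name: every character outside [A-Za-z0-9_] is dropped so a reflected parameter cannot inject script when this test server is reachable from the outside. */`. It would also be worth noting there that `preg_replace` is handed `$_POST`/`$_REQUEST` values unchecked; if the parameter is absent the subject is null (deprecated in newer PHP releases), and if it is submitted as an array the return value is an array rather than a string, so a `(string)` cast or an `is_string` check before the call would keep the helper total — this is inferred from the superglobal reads in the second hunk, not from anything the diff shows about the request shape. The `jsonp` method's body begins outside the second hunk.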

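--- a/test/middleware-mockserver.js
+++ b/test/middleware-mockserver.js
@@ -7,6 +7,10 @@ var cspLog = "";
 /**
 * Keep in sync with /test/mock.php
 */
+functioncleanCallback(callback){
+returncallback.replace(/[^a-z0-9_]/gi,"");
+}
+
 varmocks={
 contentType:function(req,resp){
 resp.writeHead(200,{
@@ -112,14 +116,14 @@ var mocks = {
 {data:{lang:"en",length:25}}
 );
 callback.then(function(cb){
-resp.end(cb+"("+json+")");
+resp.end(cleanCallback(cb)+"("+json+")");
 },next);
 },
 xmlOverJsonp:function(req,resp){
 varcallback=req.query.callback;
 varbody=fs.readFileSync(__dirname+"/data/with_fries.xml").toString();
 resp.writeHead(200);
-resp.end(callback+"("+JSON.stringify(body)+")\n");
+resp.end(cleanCallback(callback)+"("+JSON.stringify(body)+")\n");
 },
 error:function(req,resp){
 if(req.query.json){
@@ -233,10 +237,11 @@ var mocks = {
 if(req.query.withScriptContentType){
 resp.writeHead(404,{"Content-Type":"application/javascript"});
 }else{
-resp.writeHead(404);
+resp.writeHead(404,{"Content-Type":"text/html; charset=UTF-8"});
 }
 if(req.query.callback){
-resp.end(cleanCallback(req.query.callback)+
+"( {\"status\": 404, \"msg\": \"Not Found\"} )");
 }else{
 resp.end("QUnit.assert.ok( false, \"Mock return erroneously executed\" );");
 }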
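Review bot: `cleanCallback` in the first hunk calls `.replace` on its argument with no type check, so `xmlOverJsonp` in the second hunk now throws a TypeError when `req.query.callback` is absent (the old code concatenated `undefined` and still answered the request), and, depending on how the query parser handles a repeated parameter, an array value would fail the same way. Coercing inside the helper keeps it total for every caller: `return String( callback ).replace( /[^a-z0-9_]/gi, "" );`. A one-line comment above the function should also name the allowlist and its purpose, e.g. `// Only [A-Za-z0-9_] survive, so a reflected callback parameter can never carry script.`, since the `Keep in sync with /test/mock.php` comment now reads as if it documented this helper. The `jsonp` mock whose `callback.then` appears in the second hunk starts outside the hunk.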
