[aur-dev] [PATCH] Mitigate JSONP callback vulnerabilities
Lukas Fleischer
lfleischer at archlinux.org
Sat Sep 12 08:20:59 UTC 2015
The callback parameter of the RPC interface currently allows for
specifying a prefix of arbitrary length of the returned result. This can
be exploited by certain attacks.
As a countermeasure, this patch restricts the allowed character set for
the callback name to letters, digits, underscores, parenthesis and dots.
It also limits the length of the name to 128 characters. Furthermore,
the reflected callback name is now always prepended with "/**/", which
is a common workaround to protect against attacks such as Rosetta Flash.
Fixes FS#46259.
Signed-off-by: Lukas Fleischer <lfleischer at archlinux.org>
---
web/lib/aurjson.class.php | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php
index e102fed..e646c63 100644
--- a/web/lib/aurjson.class.php
+++ b/web/lib/aurjson.class.php
@@ -110,9 +110,13 @@ class AurJSON {
return;
}
- if (isset($http_data['callback'])) {
+ $callback = $http_data['callback'];
+ if (isset($callback)) {
+ if (!preg_match('/^[a-zA-Z0-9().]{1,128}$/D', $callback)) {
+ return $this->json_error('Invalid callback name.');
+ }
header('content-type: text/javascript');
- return $http_data['callback'] . "({$json})";
+ return '/**/' . $callback . '(' . $json . ')';
} else {
header('content-type: application/json');
return $json;
--
2.5.1
More information about the aur-dev
mailing list