authorAaron Patterson <aaron.patterson@gmail.com>2014-07-10 10:20:25 -0700
committerAaron Patterson <aaron.patterson@gmail.com>2014-07-10 10:20:25 -0700
commit6e76031e8f1f815b390f966cb21e25c66e5ded50 (patch)
treed614c3eed3fc10a3d77c2a9fd95f684a76e20d77
parent6b6832eeeb43c5f2553373f84677350ba654346a (diff)
parent93fb4c1e62dc9605eecbfaffda2becc85890fa5f (diff)
downloadrails-6e76031e8f1f815b390f966cb21e25c66e5ded50.tar.gz
rails-6e76031e8f1f815b390f966cb21e25c66e5ded50.tar.bz2
rails-6e76031e8f1f815b390f966cb21e25c66e5ded50.zip
* gcampbell-rosetta_flash:
Address CVE-2014-4671 (JSONP Flash exploit)
-rw-r--r--actionpack/CHANGELOG.md5
-rw-r--r--actionpack/lib/action_controller/metal/renderers.rb2
-rw-r--r--actionpack/test/controller/mime/respond_to_test.rb2
-rw-r--r--actionpack/test/controller/render_json_test.rb2
4 files changed, 8 insertions, 3 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 6abc0a8077..fb36396167 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,8 @@
+* Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
+ ("Rosetta Flash")
+
+ *Greg Campbell*
+
* Because URI paths may contain non US-ASCII characters we need to force
the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
This essentially replicates the functionality of the monkey patch to
diff --git a/actionpack/lib/action_controller/metal/renderers.rb b/actionpack/lib/action_controller/metal/renderers.rb
index ae55e6d7f5..02c4e563f5 100644
--- a/actionpack/lib/action_controller/metal/renderers.rb
+++ b/actionpack/lib/action_controller/metal/renderers.rb
@@ -116,7 +116,7 @@ module ActionController
self.content_type = Mime::JS
end
- "#{options[:callback]}(#{json})"
+ "/**/#{options[:callback]}(#{json})"
else
self.content_type ||= Mime::JSON
json
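Review bot: The new `/**/` prefix on the JSONP line is not explained in the code, and the value it guards, `options[:callback]`, is still interpolated into the `text/javascript` body without any check on its characters; the prefix keeps the response from starting with caller-controlled bytes, but the callback name itself remains unrestricted. A comment above the line would stop a future cleanup from dropping the prefix as noise: `# Leading comment keeps the body from starting with caller-supplied bytes (CVE-2014-4671, "Rosetta Flash"); do not remove.` As a follow-up worth considering rather than part of this fix, restricting the callback to a conservative identifier pattern before interpolation, e.g. `raise ArgumentError, "invalid callback" unless options[:callback].to_s.match?(/\A[\w.$]+\z/)`, would make the JS-emitting branch robust independent of the prefix; the exact pattern should be checked against what callers in this codebase pass. The updated tests in respond_to_test.rb and render_json_test.rb only cover the plain `alert` callback, so neither exercises a non-identifier name. The enclosing renderer block starts and ends outside the hunk.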
diff --git a/actionpack/test/controller/mime/respond_to_test.rb b/actionpack/test/controller/mime/respond_to_test.rb
index c89b95de3b..1bc7ad3015 100644
--- a/actionpack/test/controller/mime/respond_to_test.rb
+++ b/actionpack/test/controller/mime/respond_to_test.rb
@@ -520,7 +520,7 @@ class RespondToControllerTest < ActionController::TestCase
def test_json_with_callback_sets_javascript_content_type
@request.accept = 'application/json'
get :json_with_callback
- assert_equal 'alert(JS)', @response.body
+ assert_equal '/**/alert(JS)', @response.body
assert_equal 'text/javascript', @response.content_type
end
diff --git a/actionpack/test/controller/render_json_test.rb b/actionpack/test/controller/render_json_test.rb
index de8d1cbd9b..ada978aa11 100644
--- a/actionpack/test/controller/render_json_test.rb
+++ b/actionpack/test/controller/render_json_test.rb
@@ -101,7 +101,7 @@ class RenderJsonTest < ActionController::TestCase
def test_render_json_with_callback
xhr :get, :render_json_hello_world_with_callback
- assert_equal 'alert({"hello":"world"})', @response.body
+ assert_equal '/**/alert({"hello":"world"})', @response.body
assert_equal 'text/javascript', @response.content_type
end