diff options
| -rw-r--r-- | actionpack/CHANGELOG.md | 5 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/metal/renderers.rb | 2 | ||||
| -rw-r--r-- | actionpack/test/controller/mime/respond_to_test.rb | 2 | ||||
| -rw-r--r-- | actionpack/test/controller/render_json_test.rb | 2 |
4 files changed, 8 insertions, 3 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 6abc0a8077..fb36396167 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,8 @@ +* Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671 + ("Rosetta Flash") + + *Greg Campbell* + * Because URI paths may contain non US-ASCII characters we need to force the encoding of any unescaped URIs to UTF-8 if they are US-ASCII. This essentially replicates the functionality of the monkey patch to diff --git a/actionpack/lib/action_controller/metal/renderers.rb b/actionpack/lib/action_controller/metal/renderers.rb index ae55e6d7f5..02c4e563f5 100644 --- a/actionpack/lib/action_controller/metal/renderers.rb +++ b/actionpack/lib/action_controller/metal/renderers.rb @@ -116,7 +116,7 @@ module ActionController self.content_type = Mime::JS end - "#{options[:callback]}(#{json})" + "/**/#{options[:callback]}(#{json})" else self.content_type ||= Mime::JSON json diff --git a/actionpack/test/controller/mime/respond_to_test.rb b/actionpack/test/controller/mime/respond_to_test.rb index c89b95de3b..1bc7ad3015 100644 --- a/actionpack/test/controller/mime/respond_to_test.rb +++ b/actionpack/test/controller/mime/respond_to_test.rb @@ -520,7 +520,7 @@ class RespondToControllerTest < ActionController::TestCase def test_json_with_callback_sets_javascript_content_type @request.accept = 'application/json' get :json_with_callback - assert_equal 'alert(JS)', @response.body + assert_equal '/**/alert(JS)', @response.body assert_equal 'text/javascript', @response.content_type end diff --git a/actionpack/test/controller/render_json_test.rb b/actionpack/test/controller/render_json_test.rb index de8d1cbd9b..ada978aa11 100644 --- a/actionpack/test/controller/render_json_test.rb +++ b/actionpack/test/controller/render_json_test.rb @@ -101,7 +101,7 @@ class RenderJsonTest < ActionController::TestCase def test_render_json_with_callback xhr :get, :render_json_hello_world_with_callback - assert_equal 'alert({"hello":"world"})', @response.body + assert_equal '/**/alert({"hello":"world"})', @response.body assert_equal 'text/javascript', @response.content_type end |