From 4003a5bd76ece6d5273e00bf9f468fbdcf9ce1d6 Mon Sep 17 00:00:00 2001
From: Greg Campbell
Date: Wed, 9 Jul 2014 11:33:09 -0700
Subject: Address CVE-2014-4671 (JSONP Flash exploit)

Adds a comment before JSONP callbacks. See http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ for more details on the exploit in question.
---
 actionpack/lib/action_controller/metal/renderers.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'actionpack/lib/action_controller/metal')

diff --git a/actionpack/lib/action_controller/metal/renderers.rb b/actionpack/lib/action_controller/metal/renderers.rb
index ae55e6d7f5..02c4e563f5 100644
--- a/actionpack/lib/action_controller/metal/renderers.rb
+++ b/actionpack/lib/action_controller/metal/renderers.rb
@@ -116,7 +116,7 @@ module ActionController
 self.content_type = Mime::JS
 end
- "#{options[:callback]}(#{json})"
+ "/**/#{options[:callback]}(#{json})"
 else
 self.content_type ||= Mime::JSON
 json
-- 
cgit v1.2.3
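Review bot: The `/**/` prefix on the added line carries no explanation in the code, and since that prefix is the entire fix for CVE-2014-4671 a later maintainer could plausibly strip it as noise; add a comment above the string such as `# Leading comment keeps the response from starting with caller-controlled bytes (CVE-2014-4671, Rosetta Flash); do not remove.`. The hunk also does not show whether `options[:callback]` is constrained to a JavaScript identifier before it is interpolated; if no such check exists elsewhere, the prefix only defeats the Flash alignment trick and the callback should still be validated (for example against `\A[\w.$]+\z`) and rejected otherwise. Setting `X-Content-Type-Options: nosniff` on JSONP responses is a cheap defense in depth against the same content-sniffing class of abuse, if the framework does not already do so. The `if`/`else` containing this string, and the renderer block it belongs to, begin and end outside the hunk.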