| author | Michael Merickel <michael@merickel.org> | 2015-04-19 20:32:10 -0500 |
|---|---|---|
| committer | Michael Merickel <michael@merickel.org> | 2015-04-19 20:32:10 -0500 |
| commit | dfce4e0eb19afaa450421b54c917c59ba49cf7f1 (patch) | |
| tree | 16916f44562a5b7ed27c7dbe56907f608d077e59 | |
| parent | dddf33c6b9558fbfdb1bc048b6371e87ddc4388b (diff) | |
| parent | b6ffe51f16d2ea65f2313e99b24185f635a1bf64 (diff) | |
Merge pull request #1627 from bertjwregeer/security/jsonp
Add some validation for the JSONP callback
| -rw-r--r-- | pyramid/renderers.py | 9 | ||||
| -rw-r--r-- | pyramid/tests/test_renderers.py | 8 |
2 files changed, 17 insertions, 0 deletions
diff --git a/pyramid/renderers.py b/pyramid/renderers.py
index de0b1d27f..42296bad1 100644
--- a/pyramid/renderers.py
+++ b/pyramid/renderers.py
@@ -1,6 +1,7 @@
 import contextlib
 import json
 import os
+import re
 from zope.interface import (
     implementer,
@@ -23,6 +24,8 @@
 from pyramid.decorator import reify
 from pyramid.events import BeforeRender
+from pyramid.httpexceptions import HTTPBadRequest
+
 from pyramid.path import caller_package
 from pyramid.response import _get_response_factory
@@ -305,6 +308,8 @@ class JSON(object):
 json_renderer_factory = JSON() # bw compat
+JSONP_VALID_CALLBACK = re.compile(r"^[a-zA-Z_$][0-9a-zA-Z_$]+$")
+
 class JSONP(JSON):
     """ `JSONP <http://en.wikipedia.org/wiki/JSONP>`_ renderer factory helper
     which implements a hybrid json/jsonp renderer.  JSONP is useful for
@@ -385,7 +390,11 @@ class JSONP(JSON):
             body = val
             if request is not None:
                 callback = request.GET.get(self.param_name)
+
                 if callback is not None:
+                    if not JSONP_VALID_CALLBACK.match(callback):
+                        raise HTTPBadRequest('Invalid JSONP callback function name.')
+
                     ct = 'application/javascript'
                     body = '%s(%s);' % (callback, val)
             response = request.response
diff --git a/pyramid/tests/test_renderers.py b/pyramid/tests/test_renderers.py
index 542eea9aa..61a798ad1 100644
--- a/pyramid/tests/test_renderers.py
+++ b/pyramid/tests/test_renderers.py
@@ -688,6 +688,14 @@ class TestJSONP(unittest.TestCase):
         result = renderer({'a':'1'}, {})
         self.assertEqual(result, '{"a": "1"}')
+    def test_render_to_jsonp_invalid_callback(self):
+        from pyramid.httpexceptions import HTTPBadRequest
+        renderer_factory = self._makeOne()
+        renderer = renderer_factory(None)
+        request = testing.DummyRequest()
+        request.GET['callback'] = '78mycallback'
+        self.assertRaises(HTTPBadRequest, renderer, {'a':'1'}, {'request':request})
+
 class Dummy:
     pass
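Review bot: JSONP_VALID_CALLBACK, added in the third hunk of pyramid/renderers.py, uses `+` after the leading character, so a one-character callback such as `f` or `_` is a legal JavaScript identifier yet is rejected with HTTPBadRequest; `*` is the quantifier that matches the intent. The `$` anchor also lets `re.match` accept a value with a trailing newline (`'cb\n'` matches), which then goes verbatim into `body` in the fourth hunk; anchoring with `\Z` closes that gap, e.g. `JSONP_VALID_CALLBACK = re.compile(r"^[a-zA-Z_$][0-9a-zA-Z_$]*\Z")`. The function containing the check starts before and continues after the fourth hunk, and the JSONP class docstring it belongs to says nothing about the new 400 response; a sentence such as `The callback name must be a bare JavaScript identifier; any other value raises HTTPBadRequest.` would document the contract. The new test in pyramid/tests/test_renderers.py only exercises a digit-leading name; a companion case with a one-character callback would have exposed the quantifier problem.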
