authorMichael Merickel <michael@merickel.org>2015-04-26 18:50:25 -0500
committerMichael Merickel <michael@merickel.org>2015-04-26 18:50:25 -0500
commited4bba285591d4da0ff8b73ed0db7c374de82c9a (patch)
tree08c11fd2d445fa986d244668ca93546232bacd4f
parent43857c97c5c5cf437b31be013c6540ffc536d803 (diff)
allow dots in the jsonp callback and prefix content with a comment
The comment prefix should prevent potential exploits from Flash plugins (see CVE-2014-4671 "Rosetta Flash").
-rw-r--r--pyramid/renderers.py4
-rw-r--r--pyramid/tests/test_renderers.py12
2 files changed, 13 insertions, 3 deletions
diff --git a/pyramid/renderers.py b/pyramid/renderers.py
index 42296bad1..456b16c82 100644
--- a/pyramid/renderers.py
+++ b/pyramid/renderers.py
@@ -308,7 +308,7 @@ class JSON(object):
json_renderer_factory = JSON() # bw compat
-JSONP_VALID_CALLBACK = re.compile(r"^[a-zA-Z_$][0-9a-zA-Z_$]+$")
+JSONP_VALID_CALLBACK = re.compile(r"^[$a-z_][$0-9a-z_\.\[\]]+[^.]$", re.I)
class JSONP(JSON):
""" `JSONP <http://en.wikipedia.org/wiki/JSONP>`_ renderer factory helper
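Review bot: The trailing `[^.]` in the new JSONP_VALID_CALLBACK pattern accepts any character that is not a dot, so the last character of the callback is no longer confined to the identifier alphabet the two preceding classes enforce (a value ending in `;`, `)` or a space passes, and because `$` also matches before a final newline, a trailing newline passes too). That is the only check standing in front of the HTTPBadRequest branch in the next hunk, so the intent "a dotted name that does not end in a dot" is better written by restricting the final character positively: `JSONP_VALID_CALLBACK = re.compile(r"^[$a-z_][$0-9a-z_\.\[\]]*[$0-9a-z_\[\]]\Z", re.I)`. That form also keeps accepting the two-character callbacks the old pattern allowed, whereas the committed pattern now requires at least three characters. Square brackets are admitted without any balance check, which is presumably acceptable for an allow-list but deserves a comment saying so.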
@@ -396,7 +396,7 @@ class JSONP(JSON):
raise HTTPBadRequest('Invalid JSONP callback function name.')
ct = 'application/javascript'
- body = '%s(%s);' % (callback, val)
+ body = '/**/{0}({1});'.format(callback, val)
response = request.response
if response.content_type == response.default_content_type:
response.content_type = ct
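Review bot: The `/**/` prefix added on the body line is unexplained in the code; the commit message is the only record that it exists to defeat CVE-2014-4671 ("Rosetta Flash"), and a future maintainer who sees an apparently pointless empty comment in the output is likely to remove it. Add a why-comment directly above the assignment, e.g. `# Leading /**/ keeps the response from being interpreted by Flash plugins (CVE-2014-4671, "Rosetta Flash"); do not remove.` The enclosing render function starts outside the hunk, and the prefix complements rather than replaces the callback validation that raises HTTPBadRequest above it.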
diff --git a/pyramid/tests/test_renderers.py b/pyramid/tests/test_renderers.py
index 61a798ad1..2458ea830 100644
--- a/pyramid/tests/test_renderers.py
+++ b/pyramid/tests/test_renderers.py
@@ -669,7 +669,17 @@ class TestJSONP(unittest.TestCase):
request = testing.DummyRequest()
request.GET['callback'] = 'callback'
result = renderer({'a':'1'}, {'request':request})
- self.assertEqual(result, 'callback({"a": "1"});')
+ self.assertEqual(result, '/**/callback({"a": "1"});')
+ self.assertEqual(request.response.content_type,
+ 'application/javascript')
+
+ def test_render_to_jsonp_with_dot(self):
+ renderer_factory = self._makeOne()
+ renderer = renderer_factory(None)
+ request = testing.DummyRequest()
+ request.GET['callback'] = 'angular.callbacks._0'
+ result = renderer({'a':'1'}, {'request':request})
+ self.assertEqual(result, '/**/angular.callbacks._0({"a": "1"});')
self.assertEqual(request.response.content_type,
'application/javascript')
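Review bot: Both changes to this test module only exercise callbacks the widened pattern accepts; nothing asserts that a callback the new pattern is meant to reject, such as a trailing dot, still raises HTTPBadRequest, so a regression in the regex would pass the suite. Add a negative test next to `test_render_to_jsonp_with_dot` that uses `'angular.callbacks.'` as the callback and wraps the renderer call in `self.assertRaises`; whether HTTPBadRequest is already imported in this module cannot be seen from the hunk. The first test method shown is cut at the hunk's start.
```python
    def test_render_to_jsonp_with_trailing_dot_rejected(self):
        renderer_factory = self._makeOne()
        renderer = renderer_factory(None)
        request = testing.DummyRequest()
        request.GET['callback'] = 'angular.callbacks.'
        self.assertRaises(HTTPBadRequest, renderer,
                          {'a':'1'}, {'request':request})
```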