Commit ac5bf59b authored by Simon Green's avatar Simon Green Committed by David Lawrence

Bug 1036213 - (CVE-2014-1546) add '/**/' before jsonrpc.cgi callback to avoid…

Bug 1036213 - (CVE-2014-1546) add '/**/' before jsonrpc.cgi callback to avoid swf content type sniff vulnerability r=glob,a=sgreen
parent 5d245202
...@@ -77,8 +77,9 @@ sub response { ...@@ -77,8 +77,9 @@ sub response {
# Implement JSONP. # Implement JSONP.
if (my $callback = $self->_bz_callback) { if (my $callback = $self->_bz_callback) {
my $content = $response->content; my $content = $response->content;
$response->content("$callback($content)"); # Prepend the JSONP response with /**/ in order to protect
# against possible encoding attacks (e.g., affecting Flash).
$response->content("/**/$callback($content)");
} }
# Use $cgi->header properly instead of just printing text directly. # Use $cgi->header properly instead of just printing text directly.
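Review bot: The new comment above `$response->content("/**/$callback($content)")` names the threat ("encoding attacks") but not why a comment prefix helps, so I would state the mechanism: `# A leading /**/ guarantees the body never starts with a file signature (e.g. the SWF header), so a browser plugin cannot treat this callback-controlled output as an embedded object (CVE-2014-1546).` The prefix is defence in depth only, because the callback name is still emitted verbatim into the body; unless `_bz_callback` already enforces it (not visible here), I would reject anything outside a conservative identifier set before this line, e.g. `die "invalid JSONP callback" unless $callback =~ m{\A[A-Za-z0-9_.]+\z};`. If the headers built further down in `response` do not already send `X-Content-Type-Options: nosniff`, that is the complementary mitigation worth adding alongside this change. `sub response` starts outside the hunk.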