Tests: Strip untypical callback parameter characters from mock.php
authorMichał Gołębiowski-Owczarek <m.goleb@gmail.com>
Tue, 13 Apr 2021 20:13:48 +0000 (22:13 +0200)
committerMichał Gołębiowski-Owczarek <m.goleb@gmail.com>
Tue, 13 Apr 2021 20:36:19 +0000 (22:36 +0200)
Only allow alphanumeric characters & underscores for callback parameters.
The change is done both for the PHP server as well as the Node.js-based version.
This is only test code so we're not fixing any security issue but it happens
often enough that the whole jQuery repository directory structure is deployed
onto the server with PHP enabled that it makes it easy to introduce security
issues if this cleanup is not done.

Ref gh-4764
Closes gh-4871

(cherry picked from a70274632dc19ff4a64d7bb7657a2cc647ff38b9)

test/data/mock.php
test/middleware-mockserver.js

index 5b56d02c7e0740caf5c4535e1c1a6e1c2cd5ecb5..ca7a98572c088f4f2a898777d4be96c2cdb3aebc 100644 (file)
@@ -1,7 +1,12 @@
 <?php
+
 /**
  * Keep in sync with /test/middleware-mockserver.js
  */
+function cleanCallback( $callback ) {
+       return preg_replace( '/[^a-z0-9_]/i', '', $callback );
+}
+
 class MockServer {
        protected function contentType( $req ) {
                $type = $req->query['contentType'];
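Review bot: cleanCallback at line 29 takes an untyped value, but the call sites in this file read it straight from `$_POST['callback']` and `$_REQUEST['callback']`, where PHP turns a repeated or bracketed parameter into an array; `preg_replace` then returns an array and the `.` concatenation at the echo sites prints `Array(` with a warning instead of a filtered name. A guard at the top keeps the filter fail-closed for anything that is not a string: `if ( ! is_string( $callback ) ) { return ''; }`. A PCRE failure makes `preg_replace` return null, which the callers' string concatenation renders as an empty callback name, so that path is already fail-closed and needs no change. The same applies to the three call sites in the two later hunks of this file. A one-line docblock would also help, e.g. `/** Strips everything except ASCII letters, digits and underscore from a JSONP callback name. */`.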
@@ -87,17 +92,17 @@ QUnit.assert.ok( true, "mock executed");';
                } else {
                        $callback = $_POST['callback'];
                }
-               if ( isset( $req->query['array'] ) ) {
-                       echo $callback . '([ {"name": "John", "age": 21}, {"name": "Peter", "age": 25 } ])';
-               } else {
-                       echo $callback . '({ "data": {"lang": "en", "length": 25} })';
-               }
+               $json = isset( $req->query['array'] ) ?
+                       '[ { "name": "John", "age": 21 }, { "name": "Peter", "age": 25 } ]' :
+                       '{ "data": { "lang": "en", "length": 25 } }';
+               echo cleanCallback( $callback ) . '(' . $json . ')';
        }
 
        protected function xmlOverJsonp( $req ) {
                $callback = $_REQUEST['callback'];
+               $cleanCallback = cleanCallback( $callback );
                $text = json_encode( file_get_contents( __DIR__ . '/with_fries.xml' ) );
-               echo "$callback($text)\n";
+               echo "$cleanCallback($text)\n";
        }
 
        protected function error( $req ) {
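Review bot: The intermediate `$cleanCallback` variable at line 53 exists only because the value is interpolated inside a double-quoted string at line 56, while the other two call sites in this file inline `cleanCallback( $callback )` in a concatenation; using the same shape here keeps the three sites uniform and avoids a second variable holding the same request value, `echo cleanCallback( $callback ) . "($text)\n";`. That also removes the risk of a later edit echoing the unfiltered `$callback` by mistake.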
@@ -223,7 +228,7 @@ QUnit.assert.ok( true, "mock executed");';
                }
                if ( isset( $req->query['callback'] ) ) {
                        $callback = $req->query['callback'];
-                       echo $callback . '( {"status": 404, "msg": "Not Found"} )';
+                       echo cleanCallback( $callback ) . '( {"status": 404, "msg": "Not Found"} )';
                } else {
                        echo 'QUnit.assert.ok( false, "Mock return erroneously executed" );';
                }
index 36216ecc195795f151d2d44b76bcb3d7270ac2b5..da041c25e6ea3e71466d5969400da3edde9e5aeb 100644 (file)
@@ -7,6 +7,10 @@ var cspLog = "";
 /**
  * Keep in sync with /test/mock.php
  */
+function cleanCallback( callback ) {
+       return callback.replace( /[^a-z0-9_]/gi, "" );
+}
+
 var mocks = {
        contentType: function( req, resp ) {
                resp.writeHead( 200, {
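Review bot: cleanCallback at line 74 calls `callback.replace` without checking that it received a string, which changes the failure mode of the new code: `req.query.callback` is undefined when the parameter is absent and, depending on the query parser, an array when it is sent more than once, and both make `.replace` throw a TypeError inside the handler where the old code only wrote an odd response. xmlOverJsonp passes the value unguarded at line 94, and the truthiness check at line 105 still lets an array reach line 107. Mirroring the PHP helper, return an empty name for anything that is not a string: `if ( typeof callback !== "string" ) { return ""; }` before the `replace` call. Since the header comment asks for the two helpers to stay in sync, the same guard belongs in mock.php.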
@@ -112,14 +116,14 @@ var mocks = {
                                { data: { lang: "en", length: 25 } }
                        );
                callback.then( function( cb ) {
-                       resp.end( cb + "(" + json + ")" );
+                       resp.end( cleanCallback( cb ) + "(" + json + ")" );
                }, next );
        },
        xmlOverJsonp: function( req, resp ) {
                var callback = req.query.callback;
                var body = fs.readFileSync( __dirname + "/data/with_fries.xml" ).toString();
                resp.writeHead( 200 );
-               resp.end( callback + "(" + JSON.stringify( body ) + ")\n" );
+               resp.end( cleanCallback( callback ) + "(" + JSON.stringify( body ) + ")\n" );
        },
        error: function( req, resp ) {
                if ( req.query.json ) {
@@ -233,10 +237,11 @@ var mocks = {
                if ( req.query.withScriptContentType ) {
                        resp.writeHead( 404, { "Content-Type": "application/javascript" } );
                } else {
-                       resp.writeHead( 404 );
+                       resp.writeHead( 404, { "Content-Type": "text/html; charset=UTF-8" } );
                }
                if ( req.query.callback ) {
-                       resp.end( req.query.callback + "( {\"status\": 404, \"msg\": \"Not Found\"} )" );
+                       resp.end( cleanCallback( req.query.callback ) +
+                               "( {\"status\": 404, \"msg\": \"Not Found\"} )" );
                } else {
                        resp.end( "QUnit.assert.ok( false, \"Mock return erroneously executed\" );" );
                }