From: Jean-Philippe Lang
Date: Sat, 26 Jan 2013 18:37:09 +0000 (+0000)
Subject: Make JSONP support optional and disabled by default (#12992).
X-Git-Tag: 2.3.0~231
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=9f127793be20c1e23f31c66b5efd4a0acaea2642;p=redmine.git

Make JSONP support optional and disabled by default (#12992).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@11272 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/app/views/settings/_authentication.html.erb b/app/views/settings/_authentication.html.erb
index bba896497..d190fab66 100644
--- a/app/views/settings/_authentication.html.erb
+++ b/app/views/settings/_authentication.html.erb
@@ -19,6 +19,8 @@

<%= setting_check_box :openid, :disabled => !Object.const_defined?(:OpenID) %>

<%= setting_check_box :rest_api_enabled %>

+ +

<%= setting_check_box :jsonp_enabled %>

diff --git a/config/locales/en.yml b/config/locales/en.yml
index 9dac5ed2a..05ec1d32f 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -397,6 +397,7 @@ en:
   setting_thumbnails_enabled: Display attachment thumbnails
   setting_thumbnails_size: Thumbnails size (in pixels)
   setting_non_working_week_days: Non-working days
+  setting_jsonp_enabled: Enable JSONP support
 
   permission_add_project: Create project
   permission_add_subprojects: Create subprojects
diff --git a/config/locales/fr.yml b/config/locales/fr.yml
index db6220e00..f39943472 100644
--- a/config/locales/fr.yml
+++ b/config/locales/fr.yml
@@ -394,6 +394,7 @@ fr:
   setting_thumbnails_enabled: Afficher les vignettes des images
   setting_thumbnails_size: Taille des vignettes (en pixels)
   setting_non_working_week_days: Jours non travaillés
+  setting_jsonp_enabled: Activer le support JSONP
 
   permission_add_project: Créer un projet
   permission_add_subprojects: Créer des sous-projets
diff --git a/config/settings.yml b/config/settings.yml
index 6f3cfa7e5..c538334fb 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -211,6 +211,8 @@ start_of_week:
   default: ''
 rest_api_enabled:
   default: 0
+jsonp_enabled:
+  default: 0
 default_notification_option:
   default: 'only_my_events'
 emails_header:
diff --git a/lib/redmine/views/builders/json.rb b/lib/redmine/views/builders/json.rb
index b55e952e7..feae6de53 100644
--- a/lib/redmine/views/builders/json.rb
+++ b/lib/redmine/views/builders/json.rb
@@ -25,7 +25,10 @@ module Redmine
 
        def initialize(request, response)
          super
-         self.jsonp = (request.params[:callback] || request.params[:jsonp]).to_s.gsub(/[^a-zA-Z0-9_]/, '')
+         callback = request.params[:callback] || request.params[:jsonp]
+         if callback && Setting.jsonp_enabled?
+           self.jsonp = callback.to_s.gsub(/[^a-zA-Z0-9_]/, '')
+         end
        end
 
        def output
diff --git a/test/integration/api_test/jsonp_test.rb b/test/integration/api_test/jsonp_test.rb
index 3007a2db8..df3be427c 100644
--- a/test/integration/api_test/jsonp_test.rb
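Review bot: The new `if callback && Setting.jsonp_enabled?` gate in json.rb carries no comment saying why JSONP is opt-in, and the character whitelist on the next line is the only thing between a caller-supplied string and the response body once the setting is on, so a later maintainer has nothing telling them not to loosen either. Suggested comment above the `if`: `# JSONP is opt-in: a callback-wrapped response can be loaded as a script by any origin, so honour the callback only when the administrator has enabled it, and only after reducing it to [A-Za-z0-9_].` Note also that with the setting off `jsonp` is now left nil where the old code always assigned a String; `output` (outside the hunk) must treat nil like an empty callback, which the new disabled-setting test in jsonp_test.rb appears to exercise. The enclosing class continues outside the hunk.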
+++ b/test/integration/api_test/jsonp_test.rb
@@ -20,8 +20,20 @@ require File.expand_path('../../../test_helper', __FILE__)
 class Redmine::ApiTest::JsonpTest < Redmine::ApiTest::Base
   fixtures :trackers
 
+  def test_should_ignore_jsonp_callback_with_jsonp_disabled
+    with_settings :jsonp_enabled => '0' do
+      get '/trackers.json?jsonp=handler'
+    end
+
+    assert_response :success
+    assert_match %r{^\{"trackers":.+\}$}, response.body
+    assert_equal 'application/json; charset=utf-8', response.headers['Content-Type']
+  end
+
   def test_jsonp_should_accept_callback_param
-    get '/trackers.json?callback=handler'
+    with_settings :jsonp_enabled => '1' do
+      get '/trackers.json?callback=handler'
+    end
 
     assert_response :success
     assert_match %r{^handler\(\{"trackers":.+\}\)$}, response.body
@@ -29,7 +41,9 @@ class Redmine::ApiTest::JsonpTest < Redmine::ApiTest::Base
   end
 
   def test_jsonp_should_accept_jsonp_param
-    get '/trackers.json?jsonp=handler'
+    with_settings :jsonp_enabled => '1' do
+      get '/trackers.json?jsonp=handler'
+    end
 
     assert_response :success
     assert_match %r{^handler\(\{"trackers":.+\}\)$}, response.body
@@ -37,7 +51,9 @@ class Redmine::ApiTest::JsonpTest < Redmine::ApiTest::Base
   end
 
   def test_jsonp_should_strip_invalid_characters_from_callback
-    get '/trackers.json?callback=+-aA$1_'
+    with_settings :jsonp_enabled => '1' do
+      get '/trackers.json?callback=+-aA$1_'
+    end
 
     assert_response :success
     assert_match %r{^aA1_\(\{"trackers":.+\}\)$}, response.body
@@ -45,7 +61,9 @@ class Redmine::ApiTest::JsonpTest < Redmine::ApiTest::Base
   end
 
   def test_jsonp_without_callback_should_return_json
-    get '/trackers.json?callback='
+    with_settings :jsonp_enabled => '1' do
+      get '/trackers.json?callback='
+    end
 
     assert_response :success
     assert_match %r{^\{"trackers":.+\}$}, response.body
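Review bot: The disabled-setting test added in the first hunk only sends `jsonp=handler`, while the builder reads `callback` as well, so the `callback=` parameter with JSONP off is never exercised and a regression that gated only one of the two names would pass. A second request in the same test, `get '/trackers.json?callback=handler'`, followed by the same body and Content-Type assertions, would pin both parameter names. The remaining three hunks make the same `with_settings :jsonp_enabled => '1'` wrapping change and need no separate note.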