From b14b62c8a28af396e20e7234086926f393dd314a Mon Sep 17 00:00:00 2001
From: Michał Gołębiowski-Owczarek
Date: Tue, 13 Apr 2021 22:13:48 +0200
Subject: Tests: Strip untypical callback parameter characters from mock.php
Only allow alphanumeric characters & underscores for callback parameters. The change is done both for the PHP server as well as the Node.js-based version. This is only test code so we're not fixing any security issue but it happens often enough that the whole jQuery repository directory structure is deployed onto the server with PHP enabled that it makes is easy to introduce security issues if this cleanup is not done. Ref gh-4764 Closes gh-4871 (cherry picked from a70274632dc19ff4a64d7bb7657a2cc647ff38b9)
---
 test/data/mock.php | 19 ++++++++++++------- test/middleware-mockserver.js | 13 +++++++++---- 2 files changed, 21 insertions(+), 11 deletions(-) (limited to 'test')
diff --git a/test/data/mock.php b/test/data/mock.php
index 5b56d02c7..ca7a98572 100644
--- a/test/data/mock.php
+++ b/test/data/mock.php
@@ -1,7 +1,12 @@ query['contentType'];
@@ -87,17 +92,17 @@ QUnit.assert.ok( true, "mock executed");';
 } else {
 $callback = $_POST['callback'];
 }
- if ( isset( $req->query['array'] ) ) {
- echo $callback . '([ {"name": "John", "age": 21}, {"name": "Peter", "age": 25 } ])';
- } else {
- echo $callback . '({ "data": {"lang": "en", "length": 25} })';
- }
+ $json = isset( $req->query['array'] ) ?
+ '[ { "name": "John", "age": 21 }, { "name": "Peter", "age": 25 } ]' :
+ '{ "data": { "lang": "en", "length": 25 } }';
+ echo cleanCallback( $callback ) . '(' . $json . ')';
 }
 
 protected function xmlOverJsonp( $req ) {
 $callback = $_REQUEST['callback'];
+ $cleanCallback = cleanCallback( $callback );
 $text = json_encode( file_get_contents( __DIR__ . '/with_fries.xml' ) );
- echo "$callback($text)\n";
+ echo "$cleanCallback($text)\n";
 }
 
 protected function error( $req ) {
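Review bot: In the jsonp hunk `$callback` keeps the raw request value and is only cleaned at the `echo` on the new `$json` line, and `xmlOverJsonp` now carries a raw `$callback` and a `$cleanCallback` side by side; sanitizing where the parameter is read would keep the unsanitized string out of scope altogether, e.g. `$callback = cleanCallback( $_POST['callback'] );` in the visible `else` branch and `$callback = cleanCallback( $_REQUEST['callback'] );` in `xmlOverJsonp`, so a later output site cannot pick up the raw value by mistake. The first half of that `if`/`else` and the `cleanCallback` definition in the `@@ -1,7` hunk are not legible in this view, so the PHP pattern could not be compared with the JS `/[^a-z0-9_]/gi` one and the first branch is assumed to be equally raw. The `error()` hunk later in this patch follows the same clean-at-echo pattern and the same remark applies there.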
@@ -223,7 +228,7 @@ QUnit.assert.ok( true, "mock executed");';
 }
 if ( isset( $req->query['callback'] ) ) {
 $callback = $req->query['callback'];
- echo $callback . '( {"status": 404, "msg": "Not Found"} )';
+ echo cleanCallback( $callback ) . '( {"status": 404, "msg": "Not Found"} )';
 } else {
 echo 'QUnit.assert.ok( false, "Mock return erroneously executed" );';
 }
diff --git a/test/middleware-mockserver.js b/test/middleware-mockserver.js
index 36216ecc1..da041c25e 100644
--- a/test/middleware-mockserver.js
+++ b/test/middleware-mockserver.js
@@ -7,6 +7,10 @@ var cspLog = "";
 /**
 * Keep in sync with /test/mock.php
 */
+function cleanCallback( callback ) {
+ return callback.replace( /[^a-z0-9_]/gi, "" );
+}
+
 var mocks = {
 contentType: function( req, resp ) {
 resp.writeHead( 200, {
@@ -112,14 +116,14 @@ var mocks = {
 { data: { lang: "en", length: 25 } }
 );
 callback.then( function( cb ) {
- resp.end( cb + "(" + json + ")" );
+ resp.end( cleanCallback( cb ) + "(" + json + ")" );
 }, next );
 },
 xmlOverJsonp: function( req, resp ) {
 var callback = req.query.callback;
 var body = fs.readFileSync( __dirname + "/data/with_fries.xml" ).toString();
 resp.writeHead( 200 );
- resp.end( callback + "(" + JSON.stringify( body ) + ")\n" );
+ resp.end( cleanCallback( callback ) + "(" + JSON.stringify( body ) + ")\n" );
 },
 error: function( req, resp ) {
 if ( req.query.json ) {
@@ -233,10 +237,11 @@ var mocks = {
 if ( req.query.withScriptContentType ) {
 resp.writeHead( 404, { "Content-Type": "application/javascript" } );
 } else {
- resp.writeHead( 404 );
+ resp.writeHead( 404, { "Content-Type": "text/html; charset=UTF-8" } );
 }
 if ( req.query.callback ) {
- resp.end( req.query.callback + "( {\"status\": 404, \"msg\": \"Not Found\"} )" );
+ resp.end( cleanCallback( req.query.callback ) +
+ "( {\"status\": 404, \"msg\": \"Not Found\"} )" );
 } else {
 resp.end( "QUnit.assert.ok( false, \"Mock return erroneously executed\" );" );
 }
-- cgit v1.2.3
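Review bot: `cleanCallback` assumes a string argument, but `req.query.callback` is `undefined` when the parameter is absent and is typically an array when it is repeated, and `xmlOverJsonp` in the `@@ -112` hunk now passes it through unguarded, so a request without `callback` throws from `callback.replace` where the old concatenation produced the string `undefined(...)`. Coercing first keeps the helper total and preserves the previous output for the missing case: `return String( callback ).replace( /[^a-z0-9_]/gi, "" );`. The `Keep in sync with /test/mock.php` block comment now sits directly above the new function and reads as its documentation, while the file header of this patch shows the PHP counterpart at `test/data/mock.php`; the comment could name that path and state the contract, e.g. `Strip everything except ASCII letters, digits and underscore; keep in sync with cleanCallback() in test/data/mock.php`. The `error` handler's `if ( req.query.callback )` guard already avoids the undefined case, so only the `xmlOverJsonp` call site is affected.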
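Review bot: The new `text/html; charset=UTF-8` header on the non-script 404 branch also covers the callback branch below it, which now emits a JSONP body via `cleanCallback`, and nothing in the hunk says why that JavaScript response should be labelled HTML rather than `application/javascript`. If the intent is to mirror what the PHP mock server sends by default, a comment on the `resp.writeHead` line such as `// Match the PHP mock's default Content-Type so both servers behave alike` would record that; since the previous `resp.writeHead( 404 )` sent no Content-Type at all, any test asserting on this header for the callback path should be rechecked.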