[HttpFoundation] Fix to prevent magic bytes injection in JSONP responses (Prevents CVE-2014-4671)
parent
ca69dbba43
commit
6af3d05b85
@ -111,7 +111,7 @@ class JsonResponse extends Response
|
|||||||
// Not using application/javascript for compatibility reasons with older browsers.
|
// Not using application/javascript for compatibility reasons with older browsers.
|
||||||
$this->headers->set('Content-Type', 'text/javascript');
|
$this->headers->set('Content-Type', 'text/javascript');
|
||||||
|
|
||||||
return $this->setContent(sprintf('%s(%s);', $this->callback, $this->data));
|
return $this->setContent(sprintf('/**/%s(%s);', $this->callback, $this->data));
|
||||||
}
|
}
|
||||||
|
|
||||||
// Only set the header when there is none or when it equals 'text/javascript' (from a previous update with callback)
|
// Only set the header when there is none or when it equals 'text/javascript' (from a previous update with callback)
|
||||||
|
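Review bot: The new `/**/` prefix in the sprintf format string carries no comment saying what it is for, so a later tidy-up could easily drop it as noise and silently reopen the issue the commit title names. I would add directly above that line: `// Leading comment keeps the response body from starting with the callback name, so it cannot be reinterpreted as another format (CVE-2014-4671); do not remove.` This still assumes the callback name itself is validated in setCallback, which is not in view here, so the prefix is defence in depth rather than the only check. The enclosing method starts and ends outside the hunk.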
@ -155,7 +155,7 @@ class JsonResponseTest extends \PHPUnit_Framework_TestCase
|
|||||||
{
|
{
|
||||||
$response = JsonResponse::create(array('foo' => 'bar'))->setCallback('callback');
|
$response = JsonResponse::create(array('foo' => 'bar'))->setCallback('callback');
|
||||||
|
|
||||||
$this->assertEquals('callback({"foo":"bar"});', $response->getContent());
|
$this->assertEquals('/**/callback({"foo":"bar"});', $response->getContent());
|
||||||
$this->assertEquals('text/javascript', $response->headers->get('Content-Type'));
|
$this->assertEquals('text/javascript', $response->headers->get('Content-Type'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
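Review bot: The updated content assertion uses assertEquals, which compares loosely, while the whole point of this test is now the exact leading `/**/` bytes; `$this->assertSame('/**/callback({"foo":"bar"});', $response->getContent());` pins the prefix byte-for-byte, and the Content-Type assertion below it would benefit from the same change. The enclosing test method begins outside the hunk.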