feature symfony#11367 [HttpFoundation] Fix to prevent magic bytes injection in JSONP responses... (CVE-2014-4671) (Andrew Moore)

fabpot · fabpot · commit 06fc97ead8e8 · 2014-07-15T15:35:51.000+02:00
This PR was merged into the 2.3 branch. Discussion ---------- [HttpFoundation] Fix to prevent magic bytes injection in JSONP responses... (CVE-2014-4671) | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no* | Deprecations? | no | Tests pass? | yes | Fixed tickets | N/A | License | MIT | Doc PR | N/A | CVE Ticket | [CVE-2014-4671](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4671) | See Also | [Rosetta Flash](http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/) \* Unless you are parsing the response string manually, which you really shouldn't do anyway **THIS IS A SECURITY FIX AND SHOULD BE MERGED SHORTLY** This fix prevents attacks vectors where third-party browser plugins depends on ASCII magic bytes in order to execute a plugin. This is currently exploited with Flash using a carefully crafted JSONP response, allowing the execution of random SWF data from a domain with a vulnerable JSONP endpoint. This security issue is mitigated by adding an empty comment right before the callback parameter. This does not affect the execution of the JSONP callback. Commits ------- 6af3d05 [HttpFoundation] Fix to prevent magic bytes injection in JSONP responses (Prevents CVE-2014-4671)
diff --git a/src/Symfony/Component/HttpFoundation/JsonResponse.php b/src/Symfony/Component/HttpFoundation/JsonResponse.php
@@ -111,7 +111,7 @@ protected function update()
             // Not using application/javascript for compatibility reasons with older browsers.
             $this->headers->set('Content-Type', 'text/javascript');
 
-            return $this->setContent(sprintf('%s(%s);', $this->callback, $this->data));
+            return $this->setContent(sprintf('/**/%s(%s);', $this->callback, $this->data));
         }
 
         // Only set the header when there is none or when it equals 'text/javascript' (from a previous update with callback)
diff --git a/src/Symfony/Component/HttpFoundation/Tests/JsonResponseTest.php b/src/Symfony/Component/HttpFoundation/Tests/JsonResponseTest.php
@@ -155,7 +155,7 @@ public function testSetCallback()
     {
         $response = JsonResponse::create(array('foo' => 'bar'))->setCallback('callback');
 
-        $this->assertEquals('callback({"foo":"bar"});', $response->getContent());
+        $this->assertEquals('/**/callback({"foo":"bar"});', $response->getContent());
         $this->assertEquals('text/javascript', $response->headers->get('Content-Type'));
     }
 

Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ protected function update()`
`111`	`111`	`// Not using application/javascript for compatibility reasons with older browsers.`
`112`	`112`	`$this->headers->set('Content-Type', 'text/javascript');`
`113`	`113`
`114`		`- return $this->setContent(sprintf('%s(%s);', $this->callback, $this->data));`
	`114`	`+ return $this->setContent(sprintf('/**/%s(%s);', $this->callback, $this->data));`
`115`	`115`	`}`
`116`	`116`
`117`	`117`	`// Only set the header when there is none or when it equals 'text/javascript' (from a previous update with callback)`
Original file line number	Diff line number	Diff line change
`@@ -155,7 +155,7 @@ public function testSetCallback()`
`155`	`155`	`{`
`156`	`156`	`$response = JsonResponse::create(array('foo' => 'bar'))->setCallback('callback');`
`157`	`157`
`158`		`- $this->assertEquals('callback({"foo":"bar"});', $response->getContent());`
	`158`	`+ $this->assertEquals('/**/callback({"foo":"bar"});', $response->getContent());`
`159`	`159`	`$this->assertEquals('text/javascript', $response->headers->get('Content-Type'));`
`160`	`160`	`}`
`161`	`161`