Changeset 1700

Timestamp:
01/09/06 01:37:26
Author:
miyagawa
Message:

sanitize callback params

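--- a/Catalyst-View-JSON/trunk/Changes
+++ b/Catalyst-View-JSON/trunk/Changes
@@ -1,3 +1,7 @@
 Revision history for Perl extension Catalyst::View::JSON
+
+0.03  Sun Jan  8 16:36:36 UTC 2006
+        - Added sanitization of callback function names to avoid XSS
+          thingy.
 
 0.02  Wed Jan  4 10:41:28 UTC 2006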
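--- a/Catalyst-View-JSON/trunk/lib/Catalyst/View/JSON.pm
+++ b/Catalyst-View-JSON/trunk/lib/Catalyst/View/JSON.pm
@@ -7,4 +7,5 @@
 use NEXT;
 use JSON ();
+use Catalyst::Exception;
 
 __PACKAGE__->mk_accessors(qw( allow_callback callback_param expose_stash ));
@@ -49,4 +50,5 @@
         ? ($self->callback_param || 'callback') : undef;
     my $cb = $cb_param ? $c->req->param($cb_param) : undef;
+    $self->validate_callback_param($cb) if $cb;
 
     $c->res->content_type('text/javascript+json'); # xxx
@@ -58,4 +60,10 @@
 
     $c->res->output($output);
+}
+
+sub validate_callback_param {
+    my($self, $param) = @_;
+    $param =~ /^[a-zA-Z0-9\.\_\[\]]+$/
+        or Catalyst::Exception->throw("Invalid callback parameter $param");
 }
 
@@ -154,4 +162,11 @@
 returned data asynchronously.
 
+The valid characters you can use in the callback function are
+
+  [a-zA-Z0-9\.\_\[\]]
+
+but you can customize the behaviour by overriding the
+C<validate_callback_param> method in your View::JSON class.
+
 See Yahoo's nice explanation on
 L<http://developer.yahoo.net/common/json.html>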
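Review bot: `validate_callback_param` anchors with `^` and `$`, and `$` also matches just before a trailing newline, so a callback value ending in `\n` passes the check and is later emitted verbatim in front of the `(`; `\A` and `\z` pin both ends: `$param =~ /\A[a-zA-Z0-9\.\_\[\]]+\z/`. The guard `$self->validate_callback_param($cb) if $cb;` also skips validation for an empty or `"0"` value — `"0"` matches the class anyway, but `if defined $cb && length $cb` states the intent. The body of `process` that consumes `$cb` starts outside the hunk, so whether an empty value later disables the wrapper cannot be confirmed here. A one-line comment above the sub, `# The callback name is written into the JavaScript response; allow only identifier-like characters.`, would record why the class is deliberately narrow.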
  • Catalyst-View-JSON/trunk/t/01_server.t

    r1697 r1700  
    55use lib "$FindBin::Bin/lib"; 
    66 
    7 use Test::More tests => 15
     7use Test::More tests => 17
    88use Catalyst::Test 'TestApp'; 
    99use JSON (); 
     
    2424} 
    2525 
    26 my $entrypoint = 'http://localhost/foo'
     26my $entrypoint = "http://localhost/foo"
    2727 
    28 run_tests(); 
     28
     29    my $request = HTTP::Request->new( GET => $entrypoint ); 
    2930 
    30 sub run_tests { 
     31    ok( my $response = request($request), 'Request' ); 
     32    ok( $response->is_success, 'Response Successful 2xx' ); 
     33    is( $response->code, 200, 'Response Code' ); 
     34    ok( $response->content_type, 'text/javascript+json' ); 
    3135 
    32     # test echo 
    33     { 
    34         my $request = HTTP::Request->new( GET => $entrypoint ); 
     36    my $data = JSON::jsonToObj($response->content); 
     37    is $data->{json_foo}, "bar"; 
     38    is_deeply $data->{json_baz}, [ 1, 2, 3 ]; 
     39    ok ! $data->{foo}, "doesn't return stash that doesn't match json_"; 
     40
    3541 
    36         ok( my $response = request($request), 'Request' ); 
    37         ok( $response->is_success, 'Response Successful 2xx' ); 
    38         is( $response->code, 200, 'Response Code' ); 
    39         ok( $response->content_type, 'text/javascript+json' ); 
     42
     43    my $request = HTTP::Request->new( GET => $entrypoint . "?cb=foobar" ); 
    4044 
    41         my $data = JSON::jsonToObj($response->content); 
    42         is $data->{json_foo}, "bar"; 
    43         is_deeply $data->{json_baz}, [ 1, 2, 3 ]; 
    44         ok ! $data->{foo}, "doesn't return stash that doesn't match json_"; 
    45     } 
     45    ok( my $response = request($request), 'Request' ); 
     46    ok( $response->is_success, 'Response Successful 2xx' ); 
     47    is( $response->code, 200, 'Response Code' ); 
     48    ok( $response->content_type, 'text/javascript+json' ); 
    4649 
    47     { 
    48         my $request = HTTP::Request->new( GET => $entrypoint . "?cb=foobar" )
     50    my $body = $response->content; 
     51    ok $body =~ s/^foobar\((.*?)\);$/$1/sg, "wrapped in a callback"
    4952 
    50         ok( my $response = request($request), 'Request' ); 
    51         ok( $response->is_success, 'Response Successful 2xx' ); 
    52         is( $response->code, 200, 'Response Code' ); 
    53         ok( $response->content_type, 'text/javascript+json' ); 
     53    my $data = JSON::jsonToObj($body); 
     54    is $data->{json_foo}, "bar"; 
     55    is_deeply $data->{json_baz}, [ 1, 2, 3 ]; 
     56    ok ! $data->{foo}, "doesn't return stash that doesn't match json_"; 
     57
    5458 
    55         my $body = $response->content; 
    56         ok $body =~ s/^foobar\((.*?)\);$/$1/sg, "wrapped in a callback"
     59
     60    my $request = HTTP::Request->new( GET => $entrypoint . "?cb=foobar%28" )
    5761 
    58         my $data = JSON::jsonToObj($body); 
    59         is $data->{json_foo}, "bar"; 
    60         is_deeply $data->{json_baz}, [ 1, 2, 3 ]; 
    61         ok ! $data->{foo}, "doesn't return stash that doesn't match json_"; 
    62     } 
    63  
     62    ok( my $response = request($request), 'Request' ); 
     63    like $response->header('X-Error'), qr/Invalid callback parameter/; 
    6464} 
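Review bot: The new invalid-callback case at the end of the file only asserts the `X-Error` header and never checks that the request was refused, so a regression that recorded the error but still emitted the callback-wrapped body would pass; add `ok( !$response->is_success, 'invalid callback rejected' );` and raise the plan to 18. The `X-Error` header is not stock Catalyst behaviour — it comes from the `finalize_error` override in `t/lib/TestApp.pm` in this same changeset — so a comment on the `like` line, `# TestApp exposes the first error via X-Error for these assertions`, keeps that dependency visible. Asserting the status before the header also gives a clearer failure than `like` on an undefined header value.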
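--- a/Catalyst-View-JSON/trunk/t/lib/TestApp.pm
+++ b/Catalyst-View-JSON/trunk/t/lib/TestApp.pm
@@ -28,3 +28,9 @@
 }
 
+sub finalize_error {
+    my $c = shift;
+    $c->res->header('X-Error' => $c->error->[0]);
+    $c->NEXT::finalize_error;
+}
+
 1;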
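Review bot: `finalize_error` copies `$c->error->[0]` — which after this changeset carries the raw, rejected request parameter inside the exception text — into a response header; that is acceptable for a test fixture but should be marked as such so it is not copied into a real application, e.g. `# Test-only: surface the first error in a header so t/01_server.t can assert on it.` If this hook can be reached with no errors queued, `->[0]` is undef and the header is set to an undefined value, so `if @{ $c->error }` on the header line would make the fixture quiet under warnings.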