REST API: Create the general `wp_check_jsonp_callback()` function for validating JSONP callback functions.

Move the REST API JSONP callback validation check into a separate function named `wp_check_jsonp_callback()`. This allows plugins to use the built-in validation when handling JSONP callbacks.
Extremely Important Note: If you send JSONP in your custom response, make sure you prefix the response with `/**/`. This will mitigate the Rosetta Flash exploit. You should also send the `X-Content-Type-Options:nosniff` header, or even better, use the REST API infrastructure.

Props rmccue.
Fixes #28523.
Built from https://develop.svn.wordpress.org/trunk@37646


git-svn-id: http://core.svn.wordpress.org/trunk@37612 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Rachel Baker 2016-06-06 21:34:28 +00:00
parent 00056f8d71
commit 99cca27041
3 changed files with 25 additions and 9 deletions


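--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -3104,6 +3104,28 @@ function wp_send_json_error( $data = null ) {
 wp_send_json( $response );
 }
+/**
+* Check that a JSONP callback is a valid JavaScript callback.
+*
+* Only allows alphanumeric characters and the dot character in callback
+* function names. This helps to mitigate XSS attacks caused by directly
+* outputting user input.
+*
+* @since 4.6.0
+*
+* @param string $callback Supplied JSONP callback function.
+* @return bool True if valid callback, otherwise false.
+*/
+function wp_check_jsonp_callback( $callback ) {
+if ( ! is_string( $callback ) ) {
+return false;
+}
+$jsonp_callback = preg_replace( '/[^\w\.]/', '', $callback, -1, $illegal_char_count );
+return 0 === $illegal_char_count;
+}
 /**
 * Retrieve the WordPress home page URL.
 *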
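Review bot: The docblock on the new `wp_check_jsonp_callback()` says only alphanumerics and the dot are allowed, but `\w` in the pattern also matches the underscore (and, without the `u` modifier, behaves as ASCII `[A-Za-z0-9_]`), so the sentence should read `* Only allows ASCII letters, digits, the underscore and the dot character in callback`. The `$jsonp_callback` assignment is dead code, since only the by-reference `$illegal_char_count` is read; it could be kept useful as an error guard instead, because if preg_replace() fails and returns null the count presumably stays 0 and the function would report the callback as valid: `return null !== $jsonp_callback && 0 === $illegal_char_count;`. An empty string also passes (zero illegal characters), which callers must reject themselves if an empty callback is not acceptable; a line in the docblock stating that would make the contract explicit. The validation is only half of the defence the commit message describes, so a `@see`-style pointer to the required `/**/` prefix and `X-Content-Type-Options: nosniff` header would help plugin authors who call this function directly.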


@ -280,14 +280,8 @@ class WP_REST_Server {
return false; return false;
} }
// Check for invalid characters (only alphanumeric allowed). $jsonp_callback = $_GET['_jsonp'];
if ( is_string( $_GET['_jsonp'] ) ) { if ( ! wp_check_jsonp_callback( $jsonp_callback ) ) {
$jsonp_callback = preg_replace( '/[^\w\.]/', '', wp_unslash( $_GET['_jsonp'] ), -1, $illegal_char_count );
if ( 0 !== $illegal_char_count ) {
$jsonp_callback = null;
}
}
if ( null === $jsonp_callback ) {
echo $this->json_error( 'rest_callback_invalid', __( 'The JSONP callback function is invalid.' ), 400 ); echo $this->json_error( 'rest_callback_invalid', __( 'The JSONP callback function is invalid.' ), 400 );
return false; return false;
} }
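Review bot: The new `$jsonp_callback = $_GET['_jsonp'];` drops the `wp_unslash()` the removed code applied, and nothing explains why that is safe; it holds only because a backslash is itself rejected by `wp_check_jsonp_callback()` on the next line, so a validated value can never differ from its unslashed form. A one-line comment would preserve that reasoning for the next reader: `// No wp_unslash() needed: a backslash is an invalid callback character, so slashed input fails validation anyway.`. The enclosing method starts and ends outside this hunk, and the validated value is presumably emitted there as the callback prefix; that output path should still carry the `/**/` prefix and nosniff header the commit message calls out, which is worth confirming since the validation alone does not provide them.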


@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.6-alpha-37645'; $wp_version = '4.6-alpha-37646';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.