REST API: Create the general wp_check_jsonp_callback()
function for validating JSONP callback functions.
Move the REST API JSONP callback validation check into a separate function named `wp_check_jsonp_callback()`. This allows plugins to use the built-in validation when handling JSONP callbacks. Extremely Important Note: If you send JSONP in your custom response, make sure you prefix the response with `/**/`. This will mitigate the Rosetta Flash exploit. You should also send the `X-Content-Type-Options:nosniff` header, or even better, use the REST API infrastructure. Props rmccue. Fixes #28523. git-svn-id: https://develop.svn.wordpress.org/trunk@37646 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
parent
9da22fc4d9
commit
25c3618138
@ -3104,6 +3104,28 @@ function wp_send_json_error( $data = null ) {
|
|||||||
wp_send_json( $response );
|
wp_send_json( $response );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check that a JSONP callback is a valid JavaScript callback.
|
||||||
|
*
|
||||||
|
* Only allows alphanumeric characters and the dot character in callback
|
||||||
|
* function names. This helps to mitigate XSS attacks caused by directly
|
||||||
|
* outputting user input.
|
||||||
|
*
|
||||||
|
* @since 4.6.0
|
||||||
|
*
|
||||||
|
* @param string $callback Supplied JSONP callback function.
|
||||||
|
* @return bool True if valid callback, otherwise false.
|
||||||
|
*/
|
||||||
|
function wp_check_jsonp_callback( $callback ) {
|
||||||
|
if ( ! is_string( $callback ) ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
$jsonp_callback = preg_replace( '/[^\w\.]/', '', $callback, -1, $illegal_char_count );
|
||||||
|
|
||||||
|
return 0 === $illegal_char_count;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Retrieve the WordPress home page URL.
|
* Retrieve the WordPress home page URL.
|
||||||
*
|
*
|
||||||
|
@ -280,14 +280,8 @@ class WP_REST_Server {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check for invalid characters (only alphanumeric allowed).
|
$jsonp_callback = $_GET['_jsonp'];
|
||||||
if ( is_string( $_GET['_jsonp'] ) ) {
|
if ( ! wp_check_jsonp_callback( $jsonp_callback ) ) {
|
||||||
$jsonp_callback = preg_replace( '/[^\w\.]/', '', wp_unslash( $_GET['_jsonp'] ), -1, $illegal_char_count );
|
|
||||||
if ( 0 !== $illegal_char_count ) {
|
|
||||||
$jsonp_callback = null;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if ( null === $jsonp_callback ) {
|
|
||||||
echo $this->json_error( 'rest_callback_invalid', __( 'The JSONP callback function is invalid.' ), 400 );
|
echo $this->json_error( 'rest_callback_invalid', __( 'The JSONP callback function is invalid.' ), 400 );
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -322,4 +322,29 @@ class Tests_REST_API extends WP_UnitTestCase {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function jsonp_callback_provider() {
|
||||||
|
return array(
|
||||||
|
// Standard names
|
||||||
|
array( 'Springfield', true ),
|
||||||
|
array( 'shelby.ville', true ),
|
||||||
|
array( 'cypress_creek', true ),
|
||||||
|
array( 'KampKrusty1', true ),
|
||||||
|
|
||||||
|
// Invalid names
|
||||||
|
array( 'ogden-ville', false ),
|
||||||
|
array( 'north haverbrook', false ),
|
||||||
|
array( "Terror['Lake']", false ),
|
||||||
|
array( 'Cape[Feare]', false ),
|
||||||
|
array( '"NewHorrorfield"', false ),
|
||||||
|
array( 'Scream\\ville', false ),
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @dataProvider jsonp_callback_provider
|
||||||
|
*/
|
||||||
|
public function test_jsonp_callback_check( $callback, $valid ) {
|
||||||
|
$this->assertEquals( $valid, wp_check_jsonp_callback( $callback ) );
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user