Michael Merickel
2015-04-27 ed4bba285591d4da0ff8b73ed0db7c374de82c9a
allow dots in the jsonp callback and prefix content with a comment

The comment prefix should prevent potential exploits from flash plugins (see
CVE-2014-4671 "Rosetta Flash").
2 files modified
16 ■■■■ changed files
pyramid/renderers.py 4 ●●●● patch | view | raw | blame | history
pyramid/tests/test_renderers.py 12 ●●●●● patch | view | raw | blame | history
pyramid/renderers.py
@@ -308,7 +308,7 @@
json_renderer_factory = JSON() # bw compat
JSONP_VALID_CALLBACK = re.compile(r"^[a-zA-Z_$][0-9a-zA-Z_$]+$")
JSONP_VALID_CALLBACK = re.compile(r"^[$a-z_][$0-9a-z_\.\[\]]+[^.]$", re.I)
class JSONP(JSON):
    """ `JSONP <http://en.wikipedia.org/wiki/JSONP>`_ renderer factory helper
@@ -396,7 +396,7 @@
                        raise HTTPBadRequest('Invalid JSONP callback function name.')
                    ct = 'application/javascript'
                    body = '%s(%s);' % (callback, val)
                    body = '/**/{0}({1});'.format(callback, val)
                response = request.response
                if response.content_type == response.default_content_type:
                    response.content_type = ct
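Review bot: The new pattern on the second line of the first hunk ends in `[^.]$`, which admits any single non-dot character as the final character of the callback — `;`, `(`, or even a newline, since a negated class matches `\n` and `$` also matches before a trailing newline — rather than only the identifier and bracket characters the rest of the pattern allows. The result is a body such as `/**/cb;({...});`, a JavaScript syntax error rather than anything worse, but it is clearly not what the `HTTPBadRequest` check just above the second hunk is meant to let through. The committed pattern also requires at least three characters (first class, `+`, last class), so a two-character callback that the old `^[a-zA-Z_$][0-9a-zA-Z_$]+$` accepted is now rejected. Restricting the last character to the same set minus the dot and relaxing the middle to `*` keeps the no-trailing-dot rule without either side effect: `JSONP_VALID_CALLBACK = re.compile(r"^[$a-z_][$0-9a-z_\.\[\]]*[$0-9a-z_\]]\Z", re.I)`. The method containing the second hunk starts and ends outside the hunk.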
pyramid/tests/test_renderers.py
@@ -669,7 +669,17 @@
        request = testing.DummyRequest()
        request.GET['callback'] = 'callback'
        result = renderer({'a':'1'}, {'request':request})
        self.assertEqual(result, 'callback({"a": "1"});')
        self.assertEqual(result, '/**/callback({"a": "1"});')
        self.assertEqual(request.response.content_type,
                         'application/javascript')
    def test_render_to_jsonp_with_dot(self):
        renderer_factory = self._makeOne()
        renderer = renderer_factory(None)
        request = testing.DummyRequest()
        request.GET['callback'] = 'angular.callbacks._0'
        result = renderer({'a':'1'}, {'request':request})
        self.assertEqual(result, '/**/angular.callbacks._0({"a": "1"});')
        self.assertEqual(request.response.content_type,
                         'application/javascript')
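Review bot: The added test covers only the accepting side of the new pattern; nothing in this hunk exercises what the trailing `[^.]$` in the new `JSONP_VALID_CALLBACK` exists to reject, so a later loosening of the pattern would still pass this suite. A companion test asserting `HTTPBadRequest` for a callback with a trailing dot, such as `angular.callbacks.`, pins the rule; presumably `HTTPBadRequest` can be imported from `pyramid.httpexceptions` here as it is used in renderers.py, but the module's imports are outside the hunk. If an existing invalid-callback test elsewhere in this class already checks that path, extending it with the trailing-dot case would do as well.
```python
    def test_render_to_jsonp_with_trailing_dot_rejected(self):
        renderer_factory = self._makeOne()
        renderer = renderer_factory(None)
        request = testing.DummyRequest()
        request.GET['callback'] = 'angular.callbacks.'
        self.assertRaises(HTTPBadRequest, renderer, {'a': '1'},
                          {'request': request})
```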