From 23439ca7e6882551be0e52b50dcc30c7eeb5da07 Mon Sep 17 00:00:00 2001
From: Michael Ziegler
Date: Mon, 25 Jul 2011 19:07:24 +0200
Subject: [PATCH] validate the jsonp callback name to prevent xss
---
 pyweb/mumble/views.py | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/pyweb/mumble/views.py b/pyweb/mumble/views.py
index 114a9ea..224af8e 100644
--- a/pyweb/mumble/views.py
+++ b/pyweb/mumble/views.py
@@ -20,6 +20,8 @@ try:
 except ImportError:
 import json as simplejson
+import re
+
 from StringIO import StringIO
 from PIL import Image
@@ -46,6 +48,12 @@ EXT_DIRECT_PROVIDER = Provider()
 EXT_DIRECT_PROVIDER._register_method( "Accounts", login )
 EXT_DIRECT_PROVIDER._register_method( "Accounts", logout )
+
+def validate_jsonp_callback(callback):
+ if not re.match( "^[a-zA-Z][\w.]+$", callback ):
+ raise Http404("Illegal characters in callback")
+
+
 def redir( request ):
 """ Redirect to the servers list. """
 if 'HTTP_USER_AGENT' in request.META and (
@@ -514,6 +522,7 @@ def mmng_tree( request, server ):
 if "callback" in request.GET:
 prefix = request.GET["callback"]
+ validate_jsonp_callback(prefix)
 else:
 prefix = ""
@@ -550,6 +559,7 @@ def cvp_json( request, server ):
 json = simplejson.dumps( srv.asDict( cvp_checkauth( request, srv ) ) )
 if "callback" in request.GET:
+ validate_jsonp_callback(request.GET["callback"])
 ret = "%s(%s)" % ( request.GET["callback"], json )
 else:
 ret = json
@@ -585,6 +595,7 @@ def mumbleviewer_tree_json( request, server ):
 if "jsonp_callback" in request.GET:
 prefix = request.GET["jsonp_callback"]
+ validate_jsonp_callback(prefix)
 else:
 prefix = ""
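Review bot: The `$` anchor in `re.match( "^[a-zA-Z][\w.]+$", callback )` inside validate_jsonp_callback still accepts a name that ends in a newline, because `$` in Python's re also matches just before a trailing `\n`; anchoring with `\Z` and using a raw string closes that gap: `if not re.match( r"^[a-zA-Z][\w.]+\Z", callback ):`. The `+` quantifier additionally rejects a legitimate one-character callback such as `f`, which `*` would allow with the same character class. Raising Http404 does stop the reflection, but a malformed callback is a client error rather than a missing resource, so a 400 response (for example Django's HttpResponseBadRequest, if it is imported in this file) would describe it more accurately. A one-line docstring would help the next maintainer understand why the check exists: `"""Reject callback names that could inject script when echoed verbatim into a JSONP response body."""`.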
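Review bot: The validated `prefix` in mmng_tree is interpolated into the response body further down, outside this hunk, so the check only covers the callback name and not any user-influenced strings inside the JSON payload itself. Unless the JSONP response is constructed with `content_type="application/javascript"` rather than the text/html default, a browser could still render that body as markup; worth confirming against the HttpResponse construction in mmng_tree and likewise for the `jsonp_callback` path in mumbleviewer_tree_json.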
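Review bot: In cvp_json the added line and the line below it each read `request.GET["callback"]` separately, which makes it easy for a later edit to validate one value and interpolate another; bind it once so the validated name is the one that gets echoed: `callback = request.GET["callback"]`, `validate_jsonp_callback(callback)`, `ret = "%s(%s)" % ( callback, json )`. This also mirrors the `prefix` pattern the commit uses in mmng_tree and mumbleviewer_tree_json. cvp_json continues outside the hunk.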