Changeset 37646 for trunk/src/wp-includes/rest-api/class-wp-rest-server.php

Timestamp:

06/06/2016 09:33:30 PM (10 years ago)

Author:

rachelbaker

Message:

REST API: Create the general wp_check_jsonp_callback() function for validating JSONP callback functions.

Move the REST API JSONP callback validation check into a separate function named wp_check_jsonp_callback(). This allows plugins to use the built-in validation when handling JSONP callbacks.
Extremely Important Note: If you send JSONP in your custom response, make sure you prefix the response with /**/. This will mitigate the Rosetta Flash exploit. You should also send the X-Content-Type-Options:nosniff header, or even better, use the REST API infrastructure.

Props rmccue.
Fixes #28523.

File:

• trunk/src/wp-includes/rest-api/class-wp-rest-server.php (modified) (1 diff)

trunk/src/wp-includes/rest-api/class-wp-rest-server.php

@@ -281 +281 @@
             }
 
-            // Check for invalid characters (only alphanumeric allowed).
-            if ( is_string( $_GET['_jsonp'] ) ) {
-                $jsonp_callback = preg_replace( '/[^\w\.]/', '', wp_unslash( $_GET['_jsonp'] ), -1, $illegal_char_count );
-                if ( 0 !== $illegal_char_count ) {
-                    $jsonp_callback = null;
-                }
-            }
-            if ( null === $jsonp_callback ) {
+            $jsonp_callback = $_GET['_jsonp'];
+            if ( ! wp_check_jsonp_callback( $jsonp_callback ) ) {
                 echo $this->json_error( 'rest_callback_invalid', __( 'The JSONP callback function is invalid.' ), 400 );
                 return false;