
Is this safe for providing JSONP?





<?php header('content-type: application/json');

$json = json_encode($data);

echo isset($_GET['callback'])
    ? "{$_GET['callback']}($json)"
    : $json;

Or should I, for example, filter the $_GET['callback'] variable so that it only contains a valid JavaScript function name? If so, what are valid JavaScript function names?





Or is not filtering that variable a bit of the point with JSONP?








Current solution: Blogged about my current solution at http://www.geekality.net/?p=1021 . In short, for now, I have the following code, which hopefully should be pretty safe:







<?php header('content-type: application/json; charset=utf-8');

function is_valid_callback($subject)
{
    # ES5 identifier: starts with "$", "_" or a letter; continues with those
    # plus combining marks, digits, connector punctuation, ZWNJ and ZWJ.
    # Anything else (spaces, parentheses, ";", "<", "/") fails the match.
    $identifier_syntax
        = '/^[$_\p{L}][$_\p{L}\p{Mn}\p{Mc}\p{Nd}\p{Pc}\x{200C}\x{200D}]*+$/u';

    # Words that match the identifier syntax but cannot name a function.
    $reserved_words = array('break', 'do', 'instanceof', 'typeof', 'case',
        'else', 'new', 'var', 'catch', 'finally', 'return', 'void', 'continue',
        'for', 'switch', 'while', 'debugger', 'function', 'this', 'with',
        'default', 'if', 'throw', 'delete', 'in', 'try', 'class', 'enum',
        'extends', 'super', 'const', 'export', 'import', 'implements', 'let',
        'private', 'public', 'yield', 'interface', 'package', 'protected',
        'static', 'null', 'true', 'false');

    # The reserved-word check is case-insensitive, which is stricter than
    # JavaScript itself (its keywords are case-sensitive).
    return preg_match($identifier_syntax, $subject)
        && ! in_array(mb_strtolower($subject, 'UTF-8'), $reserved_words);
}

$data = array(1, 2, 3, 4, 5, 6, 7, 8, 9);
$json = json_encode($data);

# JSON if no callback
if( ! isset($_GET['callback']))
    exit( $json );

# JSONP if valid callback
if(is_valid_callback($_GET['callback']))
    exit( "{$_GET['callback']}($json)" );

# Otherwise, bad request
header('Status: 400 Bad Request', true, 400);
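The same check written in JavaScript, as an added example that is not code from the question or the linked blog post. It mirrors the PHP validation above (ES5 identifier grammar plus a reserved-word list), places the vulnerable echo-the-callback pattern from the first snippet next to the hardened responder, and labels the padded response as application/javascript with nosniff, as the first comment below suggests. Two things here are my own assumptions rather than anything on the page: callers may use dotted names such as app.cb (each segment is validated separately), and callback names are capped at 128 characters. Runs stand-alone under Node 10 or later (for \p{...} regex escapes).

```javascript
// Added example, not code from the question or its blog post: a JSONP
// responder in JavaScript that mirrors the PHP is_valid_callback() above.
// Assumptions (mine, not the page's): dotted callback names such as "app.cb"
// are allowed, and callback length is capped at 128 characters.

// ES5 IdentifierName: start with a letter (L), letter number (Nl), "$" or "_";
// continue with those plus combining marks (Mn, Mc), digits (Nd), connector
// punctuation (Pc), ZWNJ and ZWJ. No whitespace, parentheses or punctuation.
const IDENTIFIER =
  /^[$_\p{L}\p{Nl}][$_\p{L}\p{Nl}\p{Mn}\p{Mc}\p{Nd}\p{Pc}\u200C\u200D]*$/u;

// Words that match the identifier grammar but cannot name a function.
// JavaScript keywords are case-sensitive ("Break" is a legal identifier,
// "break" is not), so compare exactly instead of lower-casing.
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger',
  'default', 'delete', 'do', 'else', 'enum', 'export', 'extends', 'false',
  'finally', 'for', 'function', 'if', 'implements', 'import', 'in',
  'instanceof', 'interface', 'let', 'new', 'null', 'package', 'private',
  'protected', 'public', 'return', 'static', 'super', 'switch', 'this',
  'throw', 'true', 'try', 'typeof', 'var', 'void', 'while', 'with', 'yield',
]);

const MAX_CALLBACK_LENGTH = 128; // assumed bound, generous for generated names

// Accept "cb", "jQuery1710_123" or "app.callbacks.cb"; reject anything that
// could smuggle code into the response, e.g. "alert(1);//", "a b", "break".
function isValidCallback(name) {
  if (typeof name !== 'string' || name.length === 0 ||
      name.length > MAX_CALLBACK_LENGTH) {
    return false;
  }
  return name.split('.').every(
    part => IDENTIFIER.test(part) && !RESERVED.has(part));
}

// JSON was not a strict subset of JavaScript before ES2019: U+2028/U+2029 are
// legal unescaped inside JSON strings but terminate a line in a script, which
// would break the padded response. PHP's json_encode escapes them by default;
// JSON.stringify does not, so do it here.
function jsonForScript(data) {
  return JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// What the question's first snippet does: the callback is echoed verbatim.
// With callback = "alert(1);//" the script body becomes alert(1);//([1,2,3]).
function unsafeJsonp(data, callback) {
  return `${callback}(${JSON.stringify(data)})`;
}

// Hardened responder, returned as plain data so it can be tested without an
// HTTP server; wire it to your framework's response object as needed.
function renderJsonp(data, callback) {
  if (callback === undefined) {
    return {
      status: 200,
      headers: { 'Content-Type': 'application/json; charset=utf-8' },
      body: jsonForScript(data),
    };
  }
  if (!isValidCallback(callback)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'Bad Request: invalid callback',
    };
  }
  // The padded form is executed as a script, so label it as one and tell the
  // browser not to sniff a different type out of the body.
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `${callback}(${jsonForScript(data)});`,
  };
}

// Demo with a constructed payload and a constructed hostile callback.
const sample = [1, 2, 3, 4, 5, 6, 7, 8, 9];
console.log(unsafeJsonp(sample, 'alert(1);//'));    // alert(1);//([1,2,3,4,5,6,7,8,9])
console.log(renderJsonp(sample, 'alert(1);//').status); // 400
console.log(renderJsonp(sample, 'jQuery1710_123').body); // jQuery1710_123([1,2,3,4,5,6,7,8,9]);
```

The identifier regex is the same shape as the PHP one, with \p{Nl} added to the start set because ES5's UnicodeLetter includes letter numbers; the practical difference is nil for real callbacks, but it keeps the grammar faithful. If you do not want dotted names, drop the split and test the whole string.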





Source: Tips4all

Comments

  1. No, if you intend to limit the JSONP to select domains. Specify the encoding too or people who shouldn't be able to access the JSON can possibly do UTF-7 injection attacks. Use this header instead:

    header('Content-Type: application/json; charset=utf-8');

    If it's supposed to be a public JSONP service, then yes it is safe, and also use application/javascript instead of application/json.
  2. I think it is safe, as long as you do not echo $_GET['callback'] in another page without escaping. The one who does the request can put whatever JS he wants in it; I think it will always be his problem, not yours. This page provides the definition of a valid JS function name: http://www.functionx.com/javascript/Lesson05.htm
