Merge pull request from GHSA-gv9r-qcjc-5hj7

* Filter JSONP callback function name. v5.0.210,v6.0.121 * Add utest. * Refine utest
2025-03-09 15:49:59 +00:00 · 2024-03-26 19:30:52 +08:00 · 2024-03-26 19:30:52 +08:00 · 244ce7bc01
commit 244ce7bc01
parent 08971e5905
8 changed files with 83 additions and 7 deletions
--- a/trunk/src/core/srs_core_version5.hpp
+++ b/trunk/src/core/srs_core_version5.hpp
@ -9,6 +9,6 @@

 #define VERSION_MAJOR       5
 #define VERSION_MINOR       0
-#define VERSION_REVISION    209
+#define VERSION_REVISION    210

 #endif
--- a/trunk/src/core/srs_core_version6.hpp
+++ b/trunk/src/core/srs_core_version6.hpp
@ -9,6 +9,6 @@

 #define VERSION_MAJOR       6
 #define VERSION_MINOR       0
-#define VERSION_REVISION    120
+#define VERSION_REVISION    121

 #endif
--- a/trunk/src/kernel/srs_kernel_error.hpp
+++ b/trunk/src/kernel/srs_kernel_error.hpp
@ -332,7 +332,8 @@
    XX(ERROR_STREAM_CASTER_HEVC_VPS        , 4054, "CasterTsHevcVps", "Invalid ts HEVC VPS for stream caster") \
    XX(ERROR_STREAM_CASTER_HEVC_SPS        , 4055, "CasterTsHevcSps", "Invalid ts HEVC SPS for stream caster") \
    XX(ERROR_STREAM_CASTER_HEVC_PPS        , 4056, "CasterTsHevcPps", "Invalid ts HEVC PPS for stream caster") \
-    XX(ERROR_STREAM_CASTER_HEVC_FORMAT     , 4057, "CasterTsHevcFormat", "Invalid ts HEVC Format for stream caster")
+    XX(ERROR_STREAM_CASTER_HEVC_FORMAT     , 4057, "CasterTsHevcFormat", "Invalid ts HEVC Format for stream caster") \
+    XX(ERROR_HTTP_JSONP                    , 4058, "HttpJsonp", "Invalid callback for JSONP")


 /**************************************************/
--- a/trunk/src/protocol/srs_protocol_http_conn.cpp
+++ b/trunk/src/protocol/srs_protocol_http_conn.cpp
@ -332,6 +332,20 @@ void SrsHttpMessage::set_header(SrsHttpHeader* header, bool keep_alive)
    }
 }

+// For callback function name, only allow [a-zA-Z0-9_-.] characters.
+bool srs_is_valid_jsonp_callback(std::string callback)
+{
+    for (int i = 0; i < (int)callback.length(); i++) {
+        char ch = callback.at(i);
+        bool is_alpha_beta = (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z');
+        bool is_number = (ch >= '0' && ch <= '9');
+        if (!is_alpha_beta && !is_number && ch != '.' && ch != '_' && ch != '-') {
+            return false;
+        }
+    }
+    return true;
+}
+
 srs_error_t SrsHttpMessage::set_url(string url, bool allow_jsonp)
 {
    srs_error_t err = srs_success;
@ -373,12 +387,16 @@ srs_error_t SrsHttpMessage::set_url(string url, bool allow_jsonp)
    
    // parse jsonp request message.
    if (allow_jsonp) {
-        if (!query_get("callback").empty()) {
-            jsonp = true;
-        }
+        string callback= query_get("callback");
+        jsonp = !callback.empty();
+
        if (jsonp) {
            jsonp_method = query_get("method");
        }
+
+        if (!srs_is_valid_jsonp_callback(callback)) {
+            return srs_error_new(ERROR_HTTP_JSONP, "invalid callback=%s", callback.c_str());
+        }
    }
    
    return err;
--- a/trunk/src/utest/srs_utest_protocol3.cpp
+++ b/trunk/src/utest/srs_utest_protocol3.cpp
@ -0,0 +1,39 @@
+//
+// Copyright (c) 2013-2024 The SRS Authors
+//
+// SPDX-License-Identifier: MIT
+//
+#include <srs_utest_protocol3.hpp>
+
+using namespace std;
+
+#include <srs_kernel_error.hpp>
+#include <srs_core_autofree.hpp>
+#include <srs_protocol_utility.hpp>
+#include <srs_protocol_rtmp_msg_array.hpp>
+#include <srs_protocol_rtmp_stack.hpp>
+#include <srs_kernel_utility.hpp>
+#include <srs_app_st.hpp>
+#include <srs_protocol_amf0.hpp>
+#include <srs_protocol_rtmp_stack.hpp>
+#include <srs_protocol_http_conn.hpp>
+#include <srs_protocol_protobuf.hpp>
+#include <srs_kernel_buffer.hpp>
+
+extern bool srs_is_valid_jsonp_callback(std::string callback);
+
+VOID TEST(ProtocolHttpTest, JsonpCallbackName)
+{
+    EXPECT_TRUE(srs_is_valid_jsonp_callback(""));
+    EXPECT_TRUE(srs_is_valid_jsonp_callback("callback"));
+    EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback"));
+    EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback1234567890"));
+    EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback-1234567890"));
+    EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback_1234567890"));
+    EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback.1234567890"));
+    EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback1234567890-_."));
+    EXPECT_FALSE(srs_is_valid_jsonp_callback("callback()//"));
+    EXPECT_FALSE(srs_is_valid_jsonp_callback("callback!"));
+    EXPECT_FALSE(srs_is_valid_jsonp_callback("callback;"));
+}
+
--- a/trunk/src/utest/srs_utest_protocol3.hpp
+++ b/trunk/src/utest/srs_utest_protocol3.hpp
@ -0,0 +1,16 @@
+//
+// Copyright (c) 2013-2024 The SRS Authors
+//
+// SPDX-License-Identifier: MIT
+//
+
+#ifndef SRS_UTEST_PROTOCOL3_HPP
+#define SRS_UTEST_PROTOCOL3_HPP
+
+/*
+#include <srs_utest_protocol3.hpp>
+*/
+#include <srs_utest_protocol.hpp>
+
+#endif
+