Fix: be less restrictive on callback validation

willdurand · willdurand · commit fd37b116a0e1 · 2013-10-17T15:25:56.000+02:00
diff --git a/Controller/Controller.php b/Controller/Controller.php
@@ -102,7 +102,7 @@ public function indexAction(Request $request, $_format)
         $content = file_get_contents((string) $cache);
 
         if (null !== $callback = $request->query->get('callback')) {
-            if (false === ctype_alnum($callback)) {
+            if (0 === preg_match('/^[a-zA-Z0-9\.$_]+$/', $callback)) {
                 throw new HttpException(400, 'Invalid JSONP callback value');
             }
 
diff --git a/Tests/Controller/ControllerTest.php b/Tests/Controller/ControllerTest.php
@@ -39,12 +39,29 @@ public function testIndexAction()
         $this->assertEquals('{"base_url":"","routes":{"literal":{"tokens":[["text","\/homepage"]],"defaults":[],"requirements":[],"hosttokens":[]},"blog":{"tokens":[["variable","\/","[^\/]+?","slug"],["text","\/blog-post"]],"defaults":[],"requirements":[],"hosttokens":[["text","localhost"]]}},"prefix":"","host":"","scheme":""}', $response->getContent());
     }
 
-    public function testGenerateWithCallback()
+    /**
+     * @dataProvider dataProviderForTestGenerateWithCallback
+     */
+    public function testGenerateWithCallback($callback)
     {
         $controller = new Controller($this->getSerializer(), $this->getExtractor());
-        $response   = $controller->indexAction($this->getRequest('/', 'GET', array('callback' => 'foo')), 'json');
+        $response   = $controller->indexAction($this->getRequest('/', 'GET', array('callback' => $callback)), 'json');
 
-        $this->assertEquals('foo({"base_url":"","routes":[],"prefix":"","host":"","scheme":""});', $response->getContent());
+        $this->assertEquals(
+            sprintf('%s({"base_url":"","routes":[],"prefix":"","host":"","scheme":""});', $callback),
+            $response->getContent()
+        );
+    }
+
+    public static function dataProviderForTestGenerateWithCallback()
+    {
+        return array(
+            array('foo'),
+            array('foo123'),
+            array('fos.Router.data'),
+            array('$.callback'),
+            array('_.callback'),
+        );
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ public function indexAction(Request $request, $_format)`
`102`	`102`	`$content = file_get_contents((string) $cache);`
`103`	`103`
`104`	`104`	`if (null !== $callback = $request->query->get('callback')) {`
`105`		`- if (false === ctype_alnum($callback)) {`
	`105`	`+ if (0 === preg_match('/^[a-zA-Z0-9\.$_]+$/', $callback)) {`
`106`	`106`	`throw new HttpException(400, 'Invalid JSONP callback value');`
`107`	`107`	`}`
`108`	`108`