From 9d407a37a4ec361a512b1ea6eaf7faec4a77e2b9 Mon Sep 17 00:00:00 2001
From: csteipp
Date: Thu, 17 Jul 2014 13:24:56 -0700
Subject: [PATCH] SECURITY: Prepend jsonp callback with comment

Mitigate CVE-2014-4671 for unpatched flash players

Bug: 68187
Change-Id: I2f46e623c1f541dbbafb6e8333e0929055098b15
---
 includes/api/ApiFormatJson.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/includes/api/ApiFormatJson.php b/includes/api/ApiFormatJson.php
index e728d05..6a13fa1 100644
--- a/includes/api/ApiFormatJson.php
+++ b/includes/api/ApiFormatJson.php
@@ -62,6 +62,9 @@ class ApiFormatJson extends ApiFormatBase {
 $callback = $params['callback'];
 if ( !is_null( $callback ) ) {
 $prefix = preg_replace( "/[^][.\\'\\\"_A-Za-z0-9]/", '', $callback ) . '(';
+ # Prepend a comment to try to avoid attacks against content
+ # sniffers, such as bug 68187.
+ $prefix = ( "/**/$prefix" );
 $suffix = ')';
 }
 $this->printText(
-- 
1.9.2.msysgit.0
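Review bot: The added `#` comment cites bug 68187 but does not state the invariant the fix relies on, namely that a JSONP response body must never begin with bytes taken from the `callback` parameter, so a later cleanup could drop or reorder the `/**/` prefix unnoticed. I would word it as `# The body must not start with caller-controlled bytes (CVE-2014-4671); always emit "/**/" before the callback name.` As a style point, the parentheses around `"/**/$prefix"` do nothing, and the prefix could be built in one step by putting `'/**/' .` in front of the `preg_replace` call on the line above. The character filter there still accepts a callback of any length, and this hunk does not show whether the response also sends `X-Content-Type-Options: nosniff` or a `Content-Disposition` header, so those are worth confirming as a second layer. The enclosing method starts and ends outside the hunk.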