From 23f5a4f4091fa088ceaad021ced6874b3ab58133 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Thu, 17 Jul 2014 13:24:56 -0700
Subject: [PATCH] SECURITY: Prepend jsonp callback with comment

Mitigate CVE-2014-4671 for unpatched flash players

Bug: 68187
Change-Id: I2f46e623c1f541dbbafb6e8333e0929055098b15
---
 includes/api/ApiFormatJson.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/includes/api/ApiFormatJson.php b/includes/api/ApiFormatJson.php
index 342a580..4140583 100644
--- a/includes/api/ApiFormatJson.php
+++ b/includes/api/ApiFormatJson.php
@@ -65,7 +65,9 @@ class ApiFormatJson extends ApiFormatBase {
 		$callback = $params['callback'];
 		if ( $callback !== null ) {
 			$callback = preg_replace( "/[^][.\\'\\\"_A-Za-z0-9]/", '', $callback );
-			$this->printText( "$callback($json)" );
+			# Prepend a comment to try to avoid attacks against content
+			# sniffers, such as bug 68187.
+			$this->printText( "/**/$callback($json)" );
 		} else {
 			$this->printText( $json );
 		}
-- 
1.9.2.msysgit.0