提供JSONP是否安全？ [英] Is this safe for providing JSONP?

问题描述

<?php header('content-type: application/json');

$json = json_encode($data);

echo isset($_GET['callback'])
    ? "{$_GET['callback']}($json)"
    : $json;

或者我应该过滤 $ _ GET ['callback'] 变量，以便它只包含有效的JavaScript函数名称？如果有，那么什么是有效的JavaScript函数名？

Or should I for example filter the $_GET['callback'] variable so that it only contains a valid JavaScript function name? If so, what are valid JavaScript function names?

或者是不是用JSONP过滤了那个变量？

Or is not filtering that variable a bit of the point with JSONP?

当前解决方案：在 http://www.geekality.net/?p=1021 。简而言之，就目前而言，我有以下代码，希望它们非常安全：

Current solution: Blogged about my current solution at http://www.geekality.net/?p=1021. In short, for now, I have the following code, which hopefully should be pretty safe:

<?php header('content-type: application/json; charset=utf-8');

function is_valid_callback($subject)
{
     $identifier_syntax
       = '/^[$_\p{L}][$_\p{L}\p{Mn}\p{Mc}\p{Nd}\p{Pc}\x{200C}\x{200D}]*+$/u';

     $reserved_words = array('break', 'do', 'instanceof', 'typeof', 'case',
       'else', 'new', 'var', 'catch', 'finally', 'return', 'void', 'continue', 
       'for', 'switch', 'while', 'debugger', 'function', 'this', 'with', 
       'default', 'if', 'throw', 'delete', 'in', 'try', 'class', 'enum', 
       'extends', 'super', 'const', 'export', 'import', 'implements', 'let', 
       'private', 'public', 'yield', 'interface', 'package', 'protected', 
       'static', 'null', 'true', 'false');

     return preg_match($identifier_syntax, $subject)
         && ! in_array(mb_strtolower($subject, 'UTF-8'), $reserved_words);
}

$data = array(1, 2, 3, 4, 5, 6, 7, 8, 9);
$json = json_encode($data);

# JSON if no callback
if( ! isset($_GET['callback']))
     exit( $json );

# JSONP if valid callback
if(is_valid_callback($_GET['callback']))
     exit( "{$_GET['callback']}($json)" );

# Otherwise, bad request
header('Status: 400 Bad Request', true, 400);

推荐答案

不，如果您打算限制JSONP选择域。也指定编码，或者不能访问JSON的人可能会执行UTF-7注入攻击。请改用此标头：

No, if you intend to limit the JSONP to select domains. Specify the encoding too or people who shouldn't be able to access the JSON can possibly do UTF-7 injection attacks. Use this header instead:

header('Content-Type: application/json; charset=utf-8');

如果它应该是公共JSONP服务，那么它是安全的，并且还使用 application / javascript 而不是 application / json 。

If it's supposed to be a public JSONP service, then yes it is safe, and also use application/javascript instead of application/json.

这篇关于提供JSONP是否安全？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！