fix jsonp rosetta flash vulnerability, see http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/

Author: monken

lib/MetaCPAN/Server/View/JSONP.pm

@@ -23,7 +23,7 @@ sub process {
     if ( $content_type ne 'application/json' ) {
         $body = JSON->new->allow_nonref->ascii->encode($body);
     }
-    $c->res->body("$cb($body);");
+    $c->res->body("/**/$cb($body);");
     return 1;
 }
 

t/server/controller/author.t

@@ -34,7 +34,7 @@ test_psgi app, sub {
         'text/javascript; charset=UTF-8',
         'Content-type'
     );
-    like( $res->content, qr/^jsonp\(.*\);$/ms, 'includes jsonp callback' );
+    like( $res->content, qr/^\/\*\*\/jsonp\(.*\);$/ms, 'includes jsonp callback' );
 
     ok(
         $res = $cb->(

t/server/controller/pod.t

@@ -59,7 +59,7 @@ test_psgi app, sub {
             'text/javascript; charset=UTF-8',
             'Content-type'
         );
-        ok( my ($function_args) = $res->content =~ /^foo\((.*)\)/s,
+        ok( my ($function_args) = $res->content =~ /^\/\*\*\/foo\((.*)\)/s,
             'callback included' );
         ok( my $jsdata = JSON->new->allow_nonref->decode($function_args),
             'decode json' );

t/server/controller/source.t

@@ -49,7 +49,7 @@ test_psgi app, sub {
                     )
             );
             if ( $k =~ /callback=foo/ ) {
-                ok( my ($function_args) = $res->content =~ /^foo\((.*)\)/s,
+                ok( my ($function_args) = $res->content =~ /^\/\*\*\/foo\((.*)\)/s,
                     'JSONP wrapper' );
                 ok(
                     my $jsdata
@@ -90,7 +90,7 @@ test_psgi app, sub {
                 'text/javascript; charset=UTF-8',
                 'Content-type'
             );
-            ok( my ($function_args) = $res->content =~ /^foo\((.*)\)/s,
+            ok( my ($function_args) = $res->content =~ /^\/\*\*\/foo\((.*)\)/s,
                 'JSONP wrapper' );
             ok(
                 my $jsdata = JSON->new->allow_nonref->decode($function_args),