Merge pull request from GHSA-gv9r-qcjc-5hj7

* Filter JSONP callback function name. v5.0.210,v6.0.121

* Add utest.

* Refine utest

Author: winlinvip

trunk/configure

@@ -464,7 +464,7 @@ if [[ $SRS_UTEST == YES ]]; then
     MODULE_FILES=("srs_utest" "srs_utest_amf0" "srs_utest_kernel" "srs_utest_core"
         "srs_utest_config" "srs_utest_rtmp" "srs_utest_http" "srs_utest_avc" "srs_utest_reload"
         "srs_utest_mp4" "srs_utest_service" "srs_utest_app" "srs_utest_rtc" "srs_utest_config2"
-        "srs_utest_protocol" "srs_utest_protocol2" "srs_utest_kernel2")
+        "srs_utest_protocol" "srs_utest_protocol2" "srs_utest_kernel2" "srs_utest_protocol3")
     if [[ $SRS_SRT == YES ]]; then
         MODULE_FILES+=("srs_utest_srt")
     fi

trunk/doc/CHANGELOG.md

@@ -7,6 +7,7 @@ The changelog for SRS.
 <a name="v5-changes"></a>
 
 ## SRS 5.0 Changelog
+* v5.0, 2024-03-26, Filter JSONP callback function name. v5.0.210
 * v5.0, 2024-03-19, Merge [#3990](https://github.com/ossrs/srs/pull/3990): System: Disable feature that obtains versions and check features status. v5.0.209 (#3990)
 * v5.0, 2024-02-06, Merge [#3920](https://github.com/ossrs/srs/pull/3920): WHIP: Fix bug for converting WHIP to RTMP/HLS. v5.0.208 (#3920)
 * v5.0, 2024-02-05, Merge [#3925](https://github.com/ossrs/srs/pull/3925): RTC: Fix video and audio track pt_ is not change in player before publisher. v5.0.207 (#3925)

trunk/src/core/srs_core_version5.hpp

@@ -9,6 +9,6 @@
 
 #define VERSION_MAJOR       5
 #define VERSION_MINOR       0
-#define VERSION_REVISION    209
+#define VERSION_REVISION    210
 
 #endif

trunk/src/kernel/srs_kernel_error.hpp

@@ -323,6 +323,7 @@
     XX(ERROR_GB_SSRC_GENERATE              , 4051, "GbSsrcGenerate", "Failed to generate SSRC for GB28181") \
     XX(ERROR_GB_CONFIG                     , 4052, "GbConfig", "Invalid configuration for GB28181") \
     XX(ERROR_GB_TIMEOUT                    , 4053, "GbTimeout", "SIP or media connection timeout for GB28181") \
+    XX(ERROR_HTTP_JSONP                    , 4058, "HttpJsonp", "Invalid callback for JSONP")
 
 /**************************************************/
 /* RTC protocol error. */

trunk/src/protocol/srs_protocol_http_conn.cpp

@@ -332,6 +332,20 @@ void SrsHttpMessage::set_header(SrsHttpHeader* header, bool keep_alive)
     }
 }
 
+// For callback function name, only allow [a-zA-Z0-9_-.] characters.
+bool srs_is_valid_jsonp_callback(std::string callback)
+{
+    for (int i = 0; i < (int)callback.length(); i++) {
+        char ch = callback.at(i);
+        bool is_alpha_beta = (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z');
+        bool is_number = (ch >= '0' && ch <= '9');
+        if (!is_alpha_beta && !is_number && ch != '.' && ch != '_' && ch != '-') {
+            return false;
+        }
+    }
+    return true;
+}
+
 srs_error_t SrsHttpMessage::set_url(string url, bool allow_jsonp)
 {
     srs_error_t err = srs_success;
@@ -373,12 +387,16 @@ srs_error_t SrsHttpMessage::set_url(string url, bool allow_jsonp)
 
     // parse jsonp request message.
     if (allow_jsonp) {
-        if (!query_get("callback").empty()) {
-            jsonp = true;
-        }
+        string callback= query_get("callback");
+        jsonp = !callback.empty();
+
         if (jsonp) {
             jsonp_method = query_get("method");
         }
+
+        if (!srs_is_valid_jsonp_callback(callback)) {
+            return srs_error_new(ERROR_HTTP_JSONP, "invalid callback=%s", callback.c_str());
+        }
     }
 
     return err;

trunk/src/utest/srs_utest_protocol3.cpp

@@ -0,0 +1,39 @@
+//
+// Copyright (c) 2013-2024 The SRS Authors
+//
+// SPDX-License-Identifier: MIT
+//
+#include <srs_utest_protocol3.hpp>
+
+using namespace std;
+
+#include <srs_kernel_error.hpp>
+#include <srs_core_autofree.hpp>
+#include <srs_protocol_utility.hpp>
+#include <srs_protocol_rtmp_msg_array.hpp>
+#include <srs_protocol_rtmp_stack.hpp>
+#include <srs_kernel_utility.hpp>
+#include <srs_app_st.hpp>
+#include <srs_protocol_amf0.hpp>
+#include <srs_protocol_rtmp_stack.hpp>
+#include <srs_protocol_http_conn.hpp>
+#include <srs_protocol_protobuf.hpp>
+#include <srs_kernel_buffer.hpp>
+
+extern bool srs_is_valid_jsonp_callback(std::string callback);
+
+VOID TEST(ProtocolHttpTest, JsonpCallbackName)
+{
+    EXPECT_TRUE(srs_is_valid_jsonp_callback(""));
+    EXPECT_TRUE(srs_is_valid_jsonp_callback("callback"));
+    EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback"));
+    EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback1234567890"));
+    EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback-1234567890"));
+    EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback_1234567890"));
+    EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback.1234567890"));
+    EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback1234567890-_."));
+    EXPECT_FALSE(srs_is_valid_jsonp_callback("callback()//"));
+    EXPECT_FALSE(srs_is_valid_jsonp_callback("callback!"));
+    EXPECT_FALSE(srs_is_valid_jsonp_callback("callback;"));
+}
+

trunk/src/utest/srs_utest_protocol3.hpp

@@ -0,0 +1,16 @@
+//
+// Copyright (c) 2013-2024 The SRS Authors
+//
+// SPDX-License-Identifier: MIT
+//
+
+#ifndef SRS_UTEST_PROTOCOL3_HPP
+#define SRS_UTEST_PROTOCOL3_HPP
+
+/*
+#include <srs_utest_protocol3.hpp>
+*/
+#include <srs_utest_protocol.hpp>
+
+#endif
+