diff --git a/trunk/configure b/trunk/configure
index ca4f28a11..355d48432 100755
--- a/trunk/configure
+++ b/trunk/configure
@@ -464,7 +464,7 @@ if [[ $SRS_UTEST == YES ]]; then
MODULE_FILES=("srs_utest" "srs_utest_amf0" "srs_utest_kernel" "srs_utest_core"
"srs_utest_config" "srs_utest_rtmp" "srs_utest_http" "srs_utest_avc" "srs_utest_reload"
"srs_utest_mp4" "srs_utest_service" "srs_utest_app" "srs_utest_rtc" "srs_utest_config2"
- "srs_utest_protocol" "srs_utest_protocol2" "srs_utest_kernel2")
+ "srs_utest_protocol" "srs_utest_protocol2" "srs_utest_kernel2" "srs_utest_protocol3")
if [[ $SRS_SRT == YES ]]; then
MODULE_FILES+=("srs_utest_srt")
fi
diff --git a/trunk/doc/CHANGELOG.md b/trunk/doc/CHANGELOG.md
index b3d0d3566..116255185 100644
--- a/trunk/doc/CHANGELOG.md
+++ b/trunk/doc/CHANGELOG.md
@@ -7,6 +7,7 @@ The changelog for SRS.
## SRS 6.0 Changelog
+* v6.0, 2024-03-26, Filter JSONP callback function name. v6.0.121
* v6.0, 2024-03-26, Merge [#3995](https://github.com/ossrs/srs/pull/3995): Build: Refine workflow for cygwin and remove scorecard. v6.0.120 (#3995)
* v6.0, 2024-03-26, Merge [#4005](https://github.com/ossrs/srs/pull/4005): Build: Fix module failed for main_ingest_hls and mp4_parser. v6.0.119 (#4005)
* v6.0, 2024-03-24, Merge [#3989](https://github.com/ossrs/srs/pull/3989): ST: Research adds examples that demos pthread and helloworld. v6.0.118 (#3989)
@@ -131,6 +132,7 @@ The changelog for SRS.
## SRS 5.0 Changelog
+* v5.0, 2024-03-26, Filter JSONP callback function name. v5.0.210
* v5.0, 2024-03-19, Merge [#3990](https://github.com/ossrs/srs/pull/3990): System: Disable feature that obtains versions and check features status. v5.0.209 (#3990)
* v5.0, 2024-02-06, Merge [#3920](https://github.com/ossrs/srs/pull/3920): WHIP: Fix bug for converting WHIP to RTMP/HLS. v5.0.208 (#3920)
* v5.0, 2024-02-05, Merge [#3925](https://github.com/ossrs/srs/pull/3925): RTC: Fix video and audio track pt_ is not change in player before publisher. v5.0.207 (#3925)
diff --git a/trunk/src/core/srs_core_version5.hpp b/trunk/src/core/srs_core_version5.hpp
index 957b7e7bc..bbd2af29c 100644
--- a/trunk/src/core/srs_core_version5.hpp
+++ b/trunk/src/core/srs_core_version5.hpp
@@ -9,6 +9,6 @@
#define VERSION_MAJOR 5
#define VERSION_MINOR 0
-#define VERSION_REVISION 209
+#define VERSION_REVISION 210
#endif
diff --git a/trunk/src/core/srs_core_version6.hpp b/trunk/src/core/srs_core_version6.hpp
index 7566b8cf7..e19b872bf 100644
--- a/trunk/src/core/srs_core_version6.hpp
+++ b/trunk/src/core/srs_core_version6.hpp
@@ -9,6 +9,6 @@
#define VERSION_MAJOR 6
#define VERSION_MINOR 0
-#define VERSION_REVISION 120
+#define VERSION_REVISION 121
#endif
diff --git a/trunk/src/kernel/srs_kernel_error.hpp b/trunk/src/kernel/srs_kernel_error.hpp
index 85329e166..f24895b46 100644
--- a/trunk/src/kernel/srs_kernel_error.hpp
+++ b/trunk/src/kernel/srs_kernel_error.hpp
@@ -332,7 +332,8 @@
XX(ERROR_STREAM_CASTER_HEVC_VPS , 4054, "CasterTsHevcVps", "Invalid ts HEVC VPS for stream caster") \
XX(ERROR_STREAM_CASTER_HEVC_SPS , 4055, "CasterTsHevcSps", "Invalid ts HEVC SPS for stream caster") \
XX(ERROR_STREAM_CASTER_HEVC_PPS , 4056, "CasterTsHevcPps", "Invalid ts HEVC PPS for stream caster") \
- XX(ERROR_STREAM_CASTER_HEVC_FORMAT , 4057, "CasterTsHevcFormat", "Invalid ts HEVC Format for stream caster")
+ XX(ERROR_STREAM_CASTER_HEVC_FORMAT , 4057, "CasterTsHevcFormat", "Invalid ts HEVC Format for stream caster") \
+ XX(ERROR_HTTP_JSONP , 4058, "HttpJsonp", "Invalid callback for JSONP")
/**************************************************/
diff --git a/trunk/src/protocol/srs_protocol_http_conn.cpp b/trunk/src/protocol/srs_protocol_http_conn.cpp
index 7b91b8afb..3f7651392 100644
--- a/trunk/src/protocol/srs_protocol_http_conn.cpp
+++ b/trunk/src/protocol/srs_protocol_http_conn.cpp
@@ -332,6 +332,20 @@ void SrsHttpMessage::set_header(SrsHttpHeader* header, bool keep_alive)
}
}
+// For callback function name, only allow [a-zA-Z0-9_-.] characters.
+bool srs_is_valid_jsonp_callback(std::string callback)
+{
+ for (int i = 0; i < (int)callback.length(); i++) {
+ char ch = callback.at(i);
+ bool is_alpha_beta = (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z');
+ bool is_number = (ch >= '0' && ch <= '9');
+ if (!is_alpha_beta && !is_number && ch != '.' && ch != '_' && ch != '-') {
+ return false;
+ }
+ }
+ return true;
+}
+
srs_error_t SrsHttpMessage::set_url(string url, bool allow_jsonp)
{
srs_error_t err = srs_success;
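Review bot: `srs_is_valid_jsonp_callback` takes its argument by value, so every call copies the string; `bool srs_is_valid_jsonp_callback(const std::string& callback)` is the conventional signature for a read-only check, and a declaration belongs in the matching header rather than being re-stated with `extern` at each caller. The header comment `[a-zA-Z0-9_-.]` reads as a character range between `_` and `.` if taken as a regex class; `[a-zA-Z0-9_.-]` states the intended set unambiguously. It is also worth a one-line comment that a plain `char` may be signed, so bytes at or above 0x80 fall outside every range test and are rejected, which is the desired outcome for an identifier that will be echoed into a script response: `// Non-ASCII bytes (negative when char is signed) fail every range check and are rejected.`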
@@ -373,12 +387,16 @@ srs_error_t SrsHttpMessage::set_url(string url, bool allow_jsonp)
// parse jsonp request message.
if (allow_jsonp) {
- if (!query_get("callback").empty()) {
- jsonp = true;
- }
+ string callback= query_get("callback");
+ jsonp = !callback.empty();
+
if (jsonp) {
jsonp_method = query_get("method");
}
+
+ if (!srs_is_valid_jsonp_callback(callback)) {
+ return srs_error_new(ERROR_HTTP_JSONP, "invalid callback=%s", callback.c_str());
+ }
}
return err;
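Review bot: The validity check runs after `jsonp` and `jsonp_method` have already been assigned, so on rejection the message is left with `jsonp == true` and an unvalidated callback stored in its query; moving the `srs_is_valid_jsonp_callback` test directly after `string callback = query_get("callback");` and before `jsonp = !callback.empty();` keeps the object untouched when the request is refused. The error text then formats the rejected value with `%s`; that string has just been shown to contain characters outside the allowlist and, depending on whether `query_get` returns decoded text (not visible here), may carry control characters into the log line, so consider `"invalid callback, length=%d"` with `(int)callback.length()` or a truncated copy. Minor style: `string callback= query_get(...)` is missing the space before `=`. The body of `set_url` ends outside this hunk.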
diff --git a/trunk/src/utest/srs_utest_protocol3.cpp b/trunk/src/utest/srs_utest_protocol3.cpp
new file mode 100644
index 000000000..a86e1aa9f
--- /dev/null
+++ b/trunk/src/utest/srs_utest_protocol3.cpp
@@ -0,0 +1,39 @@
+//
+// Copyright (c) 2013-2024 The SRS Authors
+//
+// SPDX-License-Identifier: MIT
+//
+#include
+
+using namespace std;
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+extern bool srs_is_valid_jsonp_callback(std::string callback);
+
+VOID TEST(ProtocolHttpTest, JsonpCallbackName)
+{
+ EXPECT_TRUE(srs_is_valid_jsonp_callback(""));
+ EXPECT_TRUE(srs_is_valid_jsonp_callback("callback"));
+ EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback"));
+ EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback1234567890"));
+ EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback-1234567890"));
+ EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback_1234567890"));
+ EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback.1234567890"));
+ EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback1234567890-_."));
+ EXPECT_FALSE(srs_is_valid_jsonp_callback("callback()//"));
+ EXPECT_FALSE(srs_is_valid_jsonp_callback("callback!"));
+ EXPECT_FALSE(srs_is_valid_jsonp_callback("callback;"));
+}
+
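Review bot: The cases only exercise the validator in isolation; nothing checks the integration through `SrsHttpMessage::set_url`, i.e. that a request with an invalid `callback` yields `ERROR_HTTP_JSONP` and that a request without `callback` is still accepted with `jsonp == false`. The negative cases also miss whitespace and non-ASCII input, which are the bytes most likely to reach this path from a real query string; `EXPECT_FALSE(srs_is_valid_jsonp_callback("call back"));` and `EXPECT_FALSE(srs_is_valid_jsonp_callback("callback\xe2\x80\xa8"));` would pin both. The `extern bool srs_is_valid_jsonp_callback(std::string callback);` prototype duplicates the definition's signature by hand; declaring the function in the protocol header and including it here keeps the two from drifting.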
diff --git a/trunk/src/utest/srs_utest_protocol3.hpp b/trunk/src/utest/srs_utest_protocol3.hpp
new file mode 100644
index 000000000..d0fa6f8a5
--- /dev/null
+++ b/trunk/src/utest/srs_utest_protocol3.hpp
@@ -0,0 +1,16 @@
+//
+// Copyright (c) 2013-2024 The SRS Authors
+//
+// SPDX-License-Identifier: MIT
+//
+
+#ifndef SRS_UTEST_PROTOCOL3_HPP
+#define SRS_UTEST_PROTOCOL3_HPP
+
+/*
+#include
+*/
+#include
+
+#endif
+