szquadri / gitiles

Automatically exported from code.google.com/p/gitiles
0 stars 0 forks source link

Bad JSON output #90

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The JSON output for every link I've tried under 
https://chromium.googlesource.com/breakpad/breakpad/+/master is bad:
$ curl 
"https://chromium.googlesource.com/breakpad/breakpad/+/master?format=JSON"
)]}'
{
  "commit": "86d5e9e7f94a9cc90c9fe90584d7c8eda6057d17",
  "tree": "1dca71600fec8c736164fdc9f5033c1bac1d8924",
<...>

Note the first line in the output, I have no idea what's going on there.

Original issue reported on code.google.com by ted.mielczarek on 2 Dec 2015 at 6:57

GoogleCodeExporter commented 8 years ago
This is intentional, the first line is a cross site scripting protection to 
prevent external sites from slurping the output of a private site based on user 
cookies.

So WAI.

If you want to parse this JSON, you need to strip the first line before handing 
over to a JSON parser.

Original comment by sop@google.com on 3 Dec 2015 at 12:39

GoogleCodeExporter commented 8 years ago
I'm a little confused--what attack vector are you trying to close here, the 
"malicious site loads JSON URL as a script"? I don't think that's ever been 
exploitable if you're returning an object at the top-level of the JSON:
http://flask.pocoo.org/docs/0.10/security/#json-security

Original comment by tmielcza...@mozilla.com on 3 Dec 2015 at 11:53