diff --git a/trunk/configure b/trunk/configure
index b6ab2f1378..5b62e06318 100755
--- a/trunk/configure
+++ b/trunk/configure
@@ -464,7 +464,7 @@ if [[ $SRS_UTEST == YES ]]; then
 MODULE_FILES=("srs_utest" "srs_utest_amf0" "srs_utest_kernel" "srs_utest_core" "srs_utest_config" "srs_utest_rtmp" "srs_utest_http" "srs_utest_avc" "srs_utest_reload" "srs_utest_mp4" "srs_utest_service" "srs_utest_app" "srs_utest_rtc" "srs_utest_config2"
- "srs_utest_protocol" "srs_utest_protocol2" "srs_utest_kernel2")
+ "srs_utest_protocol" "srs_utest_protocol2" "srs_utest_kernel2" "srs_utest_protocol3")
 if [[ $SRS_SRT == YES ]]; then
 MODULE_FILES+=("srs_utest_srt")
 fi
diff --git a/trunk/doc/CHANGELOG.md b/trunk/doc/CHANGELOG.md
index 9adfa7386b..62f182d7bf 100644
--- a/trunk/doc/CHANGELOG.md
+++ b/trunk/doc/CHANGELOG.md
@@ -7,6 +7,7 @@ The changelog for SRS.
 ## SRS 5.0 Changelog
+* v5.0, 2024-03-26, Filter JSONP callback function name. v5.0.210
 * v5.0, 2024-03-19, Merge [#3990](https://github.com/ossrs/srs/pull/3990): System: Disable feature that obtains versions and check features status. v5.0.209 (#3990)
 * v5.0, 2024-02-06, Merge [#3920](https://github.com/ossrs/srs/pull/3920): WHIP: Fix bug for converting WHIP to RTMP/HLS. v5.0.208 (#3920)
 * v5.0, 2024-02-05, Merge [#3925](https://github.com/ossrs/srs/pull/3925): RTC: Fix video and audio track pt_ is not change in player before publisher. v5.0.207 (#3925)
diff --git a/trunk/src/core/srs_core_version5.hpp b/trunk/src/core/srs_core_version5.hpp
index 0c81a094ac..bcea35f740 100644
--- a/trunk/src/core/srs_core_version5.hpp
+++ b/trunk/src/core/srs_core_version5.hpp
@@ -9,6 +9,6 @@
 #define VERSION_MAJOR 5
 #define VERSION_MINOR 0
-#define VERSION_REVISION 209
+#define VERSION_REVISION 210
 #endif
diff --git a/trunk/src/kernel/srs_kernel_error.hpp b/trunk/src/kernel/srs_kernel_error.hpp
index 988be0d8b3..26caa7b843 100644
--- a/trunk/src/kernel/srs_kernel_error.hpp
+++ b/trunk/src/kernel/srs_kernel_error.hpp
@@ -323,6 +323,7 @@
 XX(ERROR_GB_SSRC_GENERATE , 4051, "GbSsrcGenerate", "Failed to generate SSRC for GB28181") \
 XX(ERROR_GB_CONFIG , 4052, "GbConfig", "Invalid configuration for GB28181") \
 XX(ERROR_GB_TIMEOUT , 4053, "GbTimeout", "SIP or media connection timeout for GB28181") \
+ XX(ERROR_HTTP_JSONP , 4058, "HttpJsonp", "Invalid callback for JSONP")
 /**************************************************/
 /* RTC protocol error. */
diff --git a/trunk/src/protocol/srs_protocol_http_conn.cpp b/trunk/src/protocol/srs_protocol_http_conn.cpp
index da15ee169d..611fbc7938 100644
--- a/trunk/src/protocol/srs_protocol_http_conn.cpp
+++ b/trunk/src/protocol/srs_protocol_http_conn.cpp
@@ -332,6 +332,20 @@ void SrsHttpMessage::set_header(SrsHttpHeader* header, bool keep_alive)
 }
 }
+// For callback function name, only allow [a-zA-Z0-9_-.] characters.
+bool srs_is_valid_jsonp_callback(std::string callback)
+{
+ for (int i = 0; i < (int)callback.length(); i++) {
+ char ch = callback.at(i);
+ bool is_alpha_beta = (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z');
+ bool is_number = (ch >= '0' && ch <= '9');
+ if (!is_alpha_beta && !is_number && ch != '.' && ch != '_' && ch != '-') {
+ return false;
+ }
+ }
+ return true;
+}
+
 srs_error_t SrsHttpMessage::set_url(string url, bool allow_jsonp)
 {
 srs_error_t err = srs_success;
@@ -373,12 +387,16 @@ srs_error_t SrsHttpMessage::set_url(string url, bool allow_jsonp)
 // parse jsonp request message.
 if (allow_jsonp) {
- if (!query_get("callback").empty()) {
- jsonp = true;
- }
+ string callback= query_get("callback");
+ jsonp = !callback.empty();
+
 if (jsonp) {
 jsonp_method = query_get("method");
 }
+
+ if (!srs_is_valid_jsonp_callback(callback)) {
+ return srs_error_new(ERROR_HTTP_JSONP, "invalid callback=%s", callback.c_str());
+ }
 }
 return err;
diff --git a/trunk/src/utest/srs_utest_protocol3.cpp b/trunk/src/utest/srs_utest_protocol3.cpp
new file mode 100644
index 0000000000..a86e1aa9f6
--- /dev/null
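Review bot: `srs_is_valid_jsonp_callback` takes its argument by value and walks it with a signed index cast from `length()`, where a const reference and a range-for express the same check without the copy or the cast: `bool srs_is_valid_jsonp_callback(const std::string& callback)` and `for (char ch : callback) {`, dropping the `.at(i)` lookup. The allow-list is the right shape for a name that will be emitted into a script body: any byte outside `[A-Za-z0-9._-]`, including high-bit bytes (negative where `char` is signed), fails all four range checks and is rejected, so the header comment could say so rather than only listing the set, e.g. `// Reject anything that could break out of the JSONP wrapper; non-ASCII bytes fail the range checks by construction.` The function has no declaration in a header, and the new unit test in srs_utest_protocol3.cpp (below) supplies its own `extern`; declaring it in srs_protocol_http_conn.hpp keeps the signature in one place, which matters if the parameter type changes as above.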
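Review bot: The validity check runs after `jsonp` and `jsonp_method` have already been assigned, so on the error path the message is left flagged as a JSONP request carrying a rejected callback; moving the `if (!srs_is_valid_jsonp_callback(callback))` block directly under `string callback = query_get("callback");` (which also restores the space before `=`) leaves the object untouched when the request is rejected. The error text interpolates the raw, query-decoded callback through `%s`; if that error reaches a log line or the client response, control characters or an arbitrarily long value are echoed back, so truncating it or reporting only its length would be safer — where the error surfaces is not visible in this hunk. `jsonp_method` is likewise taken verbatim from the query; whether it needs the same filter depends on how it is consumed outside this hunk. set_url begins before this hunk.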
+++ b/trunk/src/utest/srs_utest_protocol3.cpp
@@ -0,0 +1,39 @@
+//
+// Copyright (c) 2013-2024 The SRS Authors
+//
+// SPDX-License-Identifier: MIT
+//
+#include
+
+using namespace std;
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+extern bool srs_is_valid_jsonp_callback(std::string callback);
+
+VOID TEST(ProtocolHttpTest, JsonpCallbackName)
+{
+ EXPECT_TRUE(srs_is_valid_jsonp_callback(""));
+ EXPECT_TRUE(srs_is_valid_jsonp_callback("callback"));
+ EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback"));
+ EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback1234567890"));
+ EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback-1234567890"));
+ EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback_1234567890"));
+ EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback.1234567890"));
+ EXPECT_TRUE(srs_is_valid_jsonp_callback("Callback1234567890-_."));
+ EXPECT_FALSE(srs_is_valid_jsonp_callback("callback()//"));
+ EXPECT_FALSE(srs_is_valid_jsonp_callback("callback!"));
+ EXPECT_FALSE(srs_is_valid_jsonp_callback("callback;"));
+}
+
diff --git a/trunk/src/utest/srs_utest_protocol3.hpp b/trunk/src/utest/srs_utest_protocol3.hpp
new file mode 100644
index 0000000000..d0fa6f8a57
--- /dev/null
+++ b/trunk/src/utest/srs_utest_protocol3.hpp
@@ -0,0 +1,16 @@
+//
+// Copyright (c) 2013-2024 The SRS Authors
+//
+// SPDX-License-Identifier: MIT
+//
+
+#ifndef SRS_UTEST_PROTOCOL3_HPP
+#define SRS_UTEST_PROTOCOL3_HPP
+
+/*
+#include
+*/
+#include
+
+#endif
+
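Review bot: The cases cover the allowed set and a few punctuation rejections but none for whitespace or a byte outside ASCII, which are the inputs the filter's range comparisons do the most work on; one line each, e.g. `EXPECT_FALSE(srs_is_valid_jsonp_callback("call back"));` and `EXPECT_FALSE(srs_is_valid_jsonp_callback("callback\xc3\xa9"));` (constructed samples), would pin that. The local `extern bool srs_is_valid_jsonp_callback(std::string callback);` duplicates the definition's signature by hand; if the function is declared in srs_protocol_http_conn.hpp the test can include that header instead and the two cannot drift apart. The `#include` directives render here without their file names, so I can't tell which headers the test already pulls in.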