Amon2


lib/Amon2/Plugin/Web/JSON.pm

            my ($c, $stuff) = @_;

            # for the IE7 JSON vulnerability (content sniffing of '<', '>' and UTF-7 '+').
            # see http://www.atmarkit.co.jp/fcoding/articles/webapp/05/webapp05a.html
            my $output = $_JSON->canonical( $conf->{canonical} ? 1 : 0 )->encode($stuff);
            $output =~ s!([+<>])!$_ESCAPE{$1}!g;

            my $user_agent = $c->req->user_agent || '';

            # defense from JSON hijacking
            if ((!$c->request->header('X-Requested-With'))
                && $user_agent =~ /android/i
                && defined $c->req->header('Cookie')
                && ($c->req->method||'GET') eq 'GET') {
                my $res = $c->create_response(403);
                $res->content_type('text/html; charset=utf-8');
                $res->content("Your request may be JSON hijacking.\nIf you are not an attacker, please add 'X-Requested-With' header to each request.");
                $res->content_length(length $res->content);
                return $res;
            }

            my $res = $c->create_response(200);

            my $encoding = $c->encoding();

lib/Amon2/Plugin/Web/JSON.pm

Current browsers don't have a JSON hijacking issue (I hope). The __defineSetter__ and UTF-7 attacks have been resolved by browsers.

But Firefox<=3.0.x and Android phones have an issue with the Array constructor, see L<http://d.hatena.ne.jp/ockeghem/20110907/p1>.

Firefox<=3.0.x is outdated. Web application developers don't need to add a work-around for it, see L<http://en.wikipedia.org/wiki/Firefox#Version_release_table>.

L<Amon2::Plugin::Web::JSON> has a JSON hijacking detection feature. Amon2::Plugin::Web::JSON returns a "403 Forbidden" response if a request matches all of the following:

=over 4

=item The request has a 'Cookie' header.

=item The request doesn't have an 'X-Requested-With' header.

=item The 'User-Agent' header matches /android/i.

=item The request method is 'GET'.

=back

=back
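The two defenses shown above (the output escaping in the first snippet and the four-condition hijacking check documented in the list) as one stand-alone script. This is an added example, not code from Amon2: it works on a plain hashref "request" instead of a Plack request object, uses only core modules (JSON::PP), and the sample requests, cookie values and User-Agent strings are constructed.

```perl
#!/usr/bin/env perl
# Added example (not Amon2's own code). The request is a hashref of the form
# { method => 'GET', headers => { 'User-Agent' => ..., ... } }; these field
# names are an assumption of this example, not Plack's API.
use strict;
use warnings;
use JSON::PP ();

# Characters that let a JSON body be mis-sniffed as HTML or UTF-7 by old
# browsers. Rewriting them to \uXXXX keeps the JSON semantically identical.
my %ESCAPE = (
    '+' => '\\u002b',
    '<' => '\\u003c',
    '>' => '\\u003e',
);

sub encode_json_safe {
    my ($stuff, %opt) = @_;
    my $json = JSON::PP->new->ascii->canonical($opt{canonical} ? 1 : 0);
    my $output = $json->encode($stuff);
    $output =~ s/([+<>])/$ESCAPE{$1}/g;
    return $output;
}

# Case-insensitive header lookup, as HTTP header names are case-insensitive.
sub header {
    my ($req, $name) = @_;
    my %h = map { lc($_) => $req->{headers}{$_} } keys %{ $req->{headers} || {} };
    return $h{ lc $name };
}

# The four conditions from the documentation. Same-origin XMLHttpRequest can
# add X-Requested-With; a cross-site <script src="..."> cannot, and that
# vector is only a cookie-bearing GET from the affected Android browsers.
sub looks_like_json_hijacking {
    my ($req) = @_;
    my $ua = header($req, 'User-Agent') // '';
    return 0 if defined header($req, 'X-Requested-With');
    return 0 unless $ua =~ /android/i;
    return 0 unless defined header($req, 'Cookie');
    return 0 unless ($req->{method} // 'GET') eq 'GET';
    return 1;
}

# Constructed sample requests, not captured traffic.
my $android_ua = 'Mozilla/5.0 (Linux; U; Android 2.3.4) AppleWebKit/533.1';
my @samples = (
    { label   => 'android XHR with X-Requested-With',
      method  => 'GET',
      headers => { 'User-Agent' => $android_ua, 'Cookie' => 'sid=example',
                   'X-Requested-With' => 'XMLHttpRequest' } },
    { label   => 'android GET via <script>, no header',
      method  => 'GET',
      headers => { 'User-Agent' => $android_ua, 'Cookie' => 'sid=example' } },
    { label   => 'android POST, no header',
      method  => 'POST',
      headers => { 'User-Agent' => $android_ua, 'Cookie' => 'sid=example' } },
    { label   => 'android GET without cookie',
      method  => 'GET',
      headers => { 'User-Agent' => $android_ua } },
    { label   => 'desktop browser GET, no header',
      method  => 'GET',
      headers => { 'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0',
                   'Cookie' => 'sid=example' } },
);

for my $req (@samples) {
    printf "%-40s %s\n", $req->{label},
        looks_like_json_hijacking($req) ? '403 Forbidden' : '200 OK';
}

# Only the second sample is refused; the others are served normally.
print encode_json_safe({ html => '<b>1+1</b>', n => 2 }, canonical => 1), "\n";
```

Run it with `perl script.pl`. Only the cookie-bearing Android GET without `X-Requested-With` is refused; the final line shows `<`, `>` and `+` in the encoded value rewritten as `\u003c`, `\u003e` and `\u002b`, which any JSON decoder still reads back as the original characters.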

share/flavor/Basic/t/04_csrf.t

test_psgi
    app => $app,
    client => sub {
        my $cb = shift;
        my %cookies;    # minimal cookie jar: carries Set-Cookie values into later requests

        my $request = sub {
            my ($req) = @_;
            if (%cookies) {
                my $cookie = join '; ', map { "$_=$cookies{$_}" } sort keys %cookies;
                $req->header('Cookie' => $cookie);
            }

            my $res = $cb->($req);
            for my $set_cookie ($res->headers->header('Set-Cookie')) {
                my ($pair) = split /;/, $set_cookie, 2;
                my ($name, $value) = split /=/, $pair, 2;
                next unless defined $name && defined $value;
                $cookies{$name} = $value;
            }
            return $res;
        };

        my $get_res = $request->(GET 'http://localhost/__csrf_probe__');
        is $get_res->code, 404, 'GET probe path returns 404';