From 99cca27041e9f861afc43ef58cbaabf86ad00743 Mon Sep 17 00:00:00 2001
From: Rachel Baker <rachel@rachelbaker.me>
Date: Mon, 6 Jun 2016 21:34:28 +0000
Subject: [PATCH] REST API: Create the general `wp_check_jsonp_callback()`
 function for validating JSONP callback functions.

Move the REST API JSONP callback validation check into a separate function named `wp_check_jsonp_callback()`. This allows plugins to use the built-in validation when handling JSONP callbacks.
Extremely Important Note: If you send JSONP in your custom response, make sure you prefix the response with `/**/`. This will mitigate the Rosetta Flash exploit. You should also send the `X-Content-Type-Options:nosniff` header, or even better, use the REST API infrastructure.

Props rmccue.
Fixes #28523.
Built from https://develop.svn.wordpress.org/trunk@37646


git-svn-id: http://core.svn.wordpress.org/trunk@37612 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/functions.php                     | 22 +++++++++++++++++++
 wp-includes/rest-api/class-wp-rest-server.php | 10 ++-------
 wp-includes/version.php                       |  2 +-
 3 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index 4337b10914..cec338693e 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -3104,6 +3104,28 @@ function wp_send_json_error( $data = null ) {
 	wp_send_json( $response );
 }
 
+/**
+ * Check that a JSONP callback is a valid JavaScript callback.
+ *
+ * Only allows alphanumeric characters and the dot character in callback
+ * function names. This helps to mitigate XSS attacks caused by directly
+ * outputting user input.
+ *
+ * @since 4.6.0
+ *
+ * @param string $callback Supplied JSONP callback function.
+ * @return bool True if valid callback, otherwise false.
+ */
+function wp_check_jsonp_callback( $callback ) {
+	if ( ! is_string( $callback ) ) {
+		return false;
+	}
+
+	$jsonp_callback = preg_replace( '/[^\w\.]/', '', $callback, -1, $illegal_char_count );
+
+	return 0 === $illegal_char_count;
+}
+
 /**
  * Retrieve the WordPress home page URL.
  *
diff --git a/wp-includes/rest-api/class-wp-rest-server.php b/wp-includes/rest-api/class-wp-rest-server.php
index 43644b0158..6febebe34d 100644
--- a/wp-includes/rest-api/class-wp-rest-server.php
+++ b/wp-includes/rest-api/class-wp-rest-server.php
@@ -280,14 +280,8 @@ class WP_REST_Server {
 				return false;
 			}
 
-			// Check for invalid characters (only alphanumeric allowed).
-			if ( is_string( $_GET['_jsonp'] ) ) {
-				$jsonp_callback = preg_replace( '/[^\w\.]/', '', wp_unslash( $_GET['_jsonp'] ), -1, $illegal_char_count );
-				if ( 0 !== $illegal_char_count ) {
-					$jsonp_callback = null;
-				}
-			}
-			if ( null === $jsonp_callback ) {
+			$jsonp_callback = $_GET['_jsonp'];
+			if ( ! wp_check_jsonp_callback( $jsonp_callback ) ) {
 				echo $this->json_error( 'rest_callback_invalid', __( 'The JSONP callback function is invalid.' ), 400 );
 				return false;
 			}
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 566b4e88f9..f5dd451411 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.6-alpha-37645';
+$wp_version = '4.6-alpha-37646';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.