From df51a20a9dfa620507aba62e7759dc363d2a8b16 Mon Sep 17 00:00:00 2001
From: Paul Querna <pquerna@apache.org>
Date: Tue, 17 Apr 2012 14:56:09 -0700
Subject: [PATCH 1/2] prevent arbitrary javascript being injected into jsonp
 transport

---
 lib/manager.js                  |    3 ++-
 lib/transports/jsonp-polling.js |    3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/manager.js b/lib/manager.js
index d136a90..ba19d39 100644
--- a/lib/manager.js
+++ b/lib/manager.js
@@ -712,7 +712,8 @@ Manager.prototype.handleHandshake = function (data, req, res) {
     };
 
   function writeErr (status, message) {
-    if (data.query.jsonp) {
+    var jpre = /^\d+$/;
+    if (data.query.jsonp && jpre.test(data.query.jsonp)) {
       res.writeHead(200, { 'Content-Type': 'application/javascript' });
       res.end('io.j[' + data.query.jsonp + '](new Error("' + message + '"));');
     } else {
diff --git a/lib/transports/jsonp-polling.js b/lib/transports/jsonp-polling.js
index 83d11b8..ad7d5af 100644
--- a/lib/transports/jsonp-polling.js
+++ b/lib/transports/jsonp-polling.js
@@ -10,6 +10,7 @@
  */
 
 var HTTPPolling = require('./http-polling');
+var jsonpolling_re = /^\d+$/
 
 /**
  * Export the constructor.
@@ -29,7 +30,7 @@ function JSONPPolling (mng, data, req) {
   this.head = 'io.j[0](';
   this.foot = ');';
 
-  if (data.query.i) {
+  if (data.query.i && jsonpolling_re.test(data.query.i)) {
     this.head = 'io.j[' + data.query.i + '](';
   }
 };
-- 
1.7.5.4


From 48fc00662ce4d83127ba4b3cf5c209a446f04343 Mon Sep 17 00:00:00 2001
From: Paul Querna <pquerna@apache.org>
Date: Tue, 17 Apr 2012 15:45:50 -0700
Subject: [PATCH 2/2] fix another instance of the issue

---
 lib/manager.js |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/manager.js b/lib/manager.js
index ba19d39..6121662 100644
--- a/lib/manager.js
+++ b/lib/manager.js
@@ -44,7 +44,8 @@ var defaultTransports = exports.defaultTransports = [
  */
 
 var parent = module.parent.exports
-  , protocol = parent.protocol;
+  , protocol = parent.protocol
+  , jsonpolling_re = /^\d+$/;
 
 /**
  * Manager constructor.
@@ -712,8 +713,7 @@ Manager.prototype.handleHandshake = function (data, req, res) {
     };
 
   function writeErr (status, message) {
-    var jpre = /^\d+$/;
-    if (data.query.jsonp && jpre.test(data.query.jsonp)) {
+    if (data.query.jsonp && jsonpolling_re.test(data.query.jsonp)) {
       res.writeHead(200, { 'Content-Type': 'application/javascript' });
       res.end('io.j[' + data.query.jsonp + '](new Error("' + message + '"));');
     } else {
@@ -752,7 +752,7 @@ Manager.prototype.handleHandshake = function (data, req, res) {
             , self.transports(data).join(',')
           ].join(':');
 
-      if (data.query.jsonp) {
+      if (data.query.jsonp && jsonpolling_re.test(data.query.jsonp)) {
         hs = 'io.j[' + data.query.jsonp + '](' + JSON.stringify(hs) + ');';
         res.writeHead(200, { 'Content-Type': 'application/javascript' });
       } else {
-- 
1.7.5.4