Require security token when calling CallbackServer via XHR.

framework/assets/js/phonegap.js.base

@@ -578,6 +578,9 @@ PhoneGap.run_command = function() {
 
 };
 
+PhoneGap.JSCallbackPort = CallbackServer.getPort();
+PhoneGap.JSCallbackToken = CallbackServer.getToken();
+
 /**
  * This is only for Android.
  *
@@ -623,7 +626,7 @@ PhoneGap.JSCallback = function() {
         }
     }
 
-    xmlhttp.open("GET", "http://127.0.0.1:"+CallbackServer.getPort()+"/" , true);
+    xmlhttp.open("GET", "http://127.0.0.1:"+PhoneGap.JSCallbackPort+"/"+PhoneGap.JSCallbackToken , true);
     xmlhttp.send();
 };
 

framework/src/com/phonegap/CallbackServer.java

@@ -71,6 +71,11 @@ public class CallbackServer implements Runnable {
 	 */
 	private boolean usePolling;
 	
+	/**
+	 * Security token to prevent other apps from accessing this callback server via XHR
+	 */
+	private String token;
+	
 	/**
 	 * Constructor.
 	 */
@@ -108,6 +113,15 @@ public class CallbackServer implements Runnable {
 		return this.port;
 	}
 	
+	/**
+	 * Get the security token that this server requires when calling getJavascript().
+	 * 
+	 * @return
+	 */
+	public String getToken() {
+		return this.token;
+	}
+	
 	/**
 	 * Start the server on a new thread.
 	 */
@@ -145,6 +159,8 @@ public class CallbackServer implements Runnable {
 			ServerSocket waitSocket = new ServerSocket(0);
 			this.port = waitSocket.getLocalPort();
 			//System.out.println(" -- using port " +this.port);
+			this.token = java.util.UUID.randomUUID().toString();
+			//System.out.println(" -- using token "+this.token);
 
 			 while (this.active) {
 				 //System.out.println("CallbackServer: Waiting for data on socket");
@@ -153,36 +169,39 @@ public class CallbackServer implements Runnable {
 				 DataOutputStream output = new DataOutputStream(connection.getOutputStream());
 				 request = xhrReader.readLine();
 				 //System.out.println("Request="+request);
-				 if(request.contains("GET"))
+				 if (request.contains("GET")) {
-				 {
+
-					 //System.out.println(" -- Processing GET request");
+					 // Must have security token
-					 
+					 if (request.substring(5,41).equals(this.token)) {
-					 // Wait until there is some data to send, or send empty data every 30 sec 
+						 //System.out.println(" -- Processing GET request");
-					 // to prevent XHR timeout on the client 
+
-					 synchronized (this) { 
+						 // Wait until there is some data to send, or send empty data every 30 sec 
-						 while (this.empty) { 
+						 // to prevent XHR timeout on the client 
-							 try { 
+						 synchronized (this) { 
-								 this.wait(30000); // prevent timeout from happening
+							 while (this.empty) { 
-								 //System.out.println(">>> break <<<");
+								 try { 
-								 break;
+									 this.wait(30000); // prevent timeout from happening
+									 //System.out.println(">>> break <<<");
+									 break;
+								 } 
+								 catch (Exception e) { }
 							 } 
-							 catch (Exception e) { }
+						 }
-						 } 
+
+						 // If server is still running
+						 if (this.active) {
+
+							 // If no data, then send 404 back to client before it times out
+							 if (this.empty) {
+								 //System.out.println(" -- sending data 0");
+								 output.writeBytes("HTTP/1.1 404 NO DATA\r\n\r\n");
+							 }
+							 else {
+								 //System.out.println(" -- sending item");
+								 output.writeBytes("HTTP/1.1 200 OK\r\n\r\n"+this.getJavascript());
+							 }
+						 }
 					 }
-					 
-					 // If server is still running
-					 if (this.active) {
-					
-						 // If no data, then send 404 back to client before it times out
-						 if (this.empty) {
-							 //System.out.println(" -- sending data 0");
-							 output.writeBytes("HTTP/1.1 404 NO DATA\r\n\r\n");
-						 }
-						 else {
-							 //System.out.println(" -- sending item");
-							 output.writeBytes("HTTP/1.1 200 OK\r\n\r\n"+this.getJavascript());
-						 }
-					 }					 
 				 }
 				 //System.out.println("CallbackServer: closing output");
 				 output.close();