Re: [apps-discuss] Guidance on RFC 4627 as reference

James M Snell <jasnell@gmail.com> Thu, 20 September 2012 17:51 UTC

From: James M Snell <jasnell@gmail.com>
Date: Thu, 20 Sep 2012 10:51:29 -0700
Message-ID: <CABP7RbexFLSjtuyroDbY-DE8FwBd+XY9XHP0Y4smLnuXKA_-9A@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: Ned Freed <ned.freed@mrochek.com>, "apps-discuss@ietf.org Discuss" <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] Guidance on RFC 4627 as reference

I believe the specific concern for JSON is that, in many environments --
especially browsers -- JSON is often parsed using the JavaScript eval
function, which allows for the execution of arbitrary JavaScript code.
While the JSON specification itself restricts the syntax to non-executable
data, a malicious party could intentionally construct an invalid-JSON
object such that arbitrary code is executed within the browser. This
particular concern is unique for JavaScript relative to other formats (XML,
HTML) and really ought to be addressed within the security considerations of
RFC 4627. Specifically, implementors need to be warned against passing
unvalidated JSON to the eval function.

On Thu, Sep 20, 2012 at 8:52 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> [snip]
>
> > But more generally, while you can of course invent
> > uses for pretty much any format imaginable that require integrity (or
> > confidentiality) protection, there are formats which are designed for
> > distributing public information and which do not involve active or
> > executable content or pointers to other stuff. In such cases there really
> > are no integrity concerns worth talking about.
>
>
> Errr, right. Are you saying JSON involves active or executable content? Or
> pointers to other stuff? If so, I agree that those are security
> considerations. I'm not seeing it in the JSON definition, however. What am
> I missing?
>
> --Paul Hoffman
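The eval-versus-parser difference James describes, as an added example that is not part of the thread: the same text goes through an eval-based "parser" and through JSON.parse, and only the strict parser refuses input that is JavaScript rather than JSON. The sample inputs are constructed; the benign arithmetic expression stands in for arbitrary code.

```javascript
// Added example (not from the thread): why unvalidated text must never be
// handed to eval() as if it were JSON.

// Vulnerable pattern: "parsing" JSON by evaluating it as JavaScript.
// Any JavaScript expression in the text is executed, not just JSON data.
function parseWithEval(text) {
  // Parentheses make a top-level object literal parse as an expression.
  return eval('(' + text + ')');
}

// Hardened pattern: a real JSON parser that accepts only the RFC 4627
// grammar. It never executes code; non-JSON input throws a SyntaxError.
function parseStrict(text) {
  return JSON.parse(text);
}

// Run both paths over one text and report whether each accepted it and
// what it produced, so the two behaviours can be compared side by side.
function classify(text) {
  const result = { strictOk: true, evalOk: true, strict: null, evald: null };
  try { result.strict = parseStrict(text); } catch (e) { result.strictOk = false; }
  try { result.evald = parseWithEval(text); } catch (e) { result.evalOk = false; }
  return result;
}

// Constructed samples. VALID is conforming JSON; the "2 * 21" inside a
// string is data and stays a string. NOT_JSON is not JSON at all, but it is
// a JavaScript expression, so the eval path happily computes it.
const VALID = '{"n": 42, "ok": true, "s": "2 * 21"}';
const NOT_JSON = '{"n": 2 * 21}';

function demo() {
  for (const text of [VALID, NOT_JSON]) {
    const r = classify(text);
    console.log(JSON.stringify(text),
      'strict:', r.strictOk ? JSON.stringify(r.strict) : 'rejected',
      'eval:', r.evalOk ? JSON.stringify(r.evald) : 'rejected');
  }
}
demo();
```

The strict parser rejects the second text outright, which is exactly the validation step the message asks implementors to perform before (or instead of) reaching for eval.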