Re: [apps-discuss] Review of draft-ietf-appsawg-json-pointer

[Mark Nottingham <mnot@mnot.net>]

In SVN.

On 16/11/2012, at 3:50 PM, "Manger, James H" <James.H.Manger@team.telstra.com> wrote:

>>> The issue with NUL is that you need to be careful not to misinterpret
>> it as an end-of-string marker. How about:
>>> 
>>>  Note that JSON pointers can contain the NUL (Unicode U+0000)
>>>  character. Care is needed not to misinterpret this character
>>>  in programming languages that use NUL to mark the end of a string.
> 
>> In Security Considerations?
> 
> Yes. Treating NUL as end-of-string is more of a security issue than not being able represent some characters.
> 
> Bad guys stuck NULs in domain name fields in certificates (eg paypal.com<NUL>www.badguy.net). One party treats it as a (harmless) subdomain of badguy.net; another party is fooled into believing it is for paypal.com. Result: security failure.
> 
> Consider the pointer "/readonly\u0000abc" in a patch {"op":"remove", "path":"/readonly\u0000abc"} applied to a doc {"readonly":"MUST NOT BE TOUCHED", "anyone":"can change anything else"}. A security layer that properly handles NUL will allow the patch through; but a subsequent processor that isn't careful about NUL might treat the pointer as "/readonly" and disaster results.
> 
> 
> About the only other security consideration I can think of is checking that an array index does not overflow a programs representation (eg don’t treat "/4294967297" as "/1", throw an error if necessary).
> 
> --
> James Manger

--
Mark Nottingham   http://www.mnot.net/