Re: [apps-discuss] Guidance on RFC 4627 as reference

Julian Reschke <julian.reschke@gmx.de> Thu, 20 September 2012 20:10 UTC

Message-ID: <505B7812.30702@gmx.de>
Date: Thu, 20 Sep 2012 22:09:54 +0200
From: Julian Reschke <julian.reschke@gmx.de>
To: Phillip Hallam-Baker <hallam@gmail.com>
References: <CAAQiQRfcdFJ+8_DYnA+tMMu+U3Y7XnEeXszQDRGa4t6KYuokLA@mail.gmail.com> <CAMm+Lwj0GavjVq6YBBhBAA9tDbDF5K6mQZ4bTSzPmeTzs05xfA@mail.gmail.com> <CAC4RtVC5RMj_Z_kdcur47m9Tt7jPSTdeChaBozL94-wdxZ-DqA@mail.gmail.com> <6DFD8A55-B432-49D1-AD54-D0D62829ABE2@vpnc.org> <BE61A6FD053C0C293DB7A2C7@JcK-HP8200.jck.com> <D240809F-0512-40EA-BB5E-EBA83928C48B@vpnc.org> <CAMm+Lwi=mcaGJPtdsKSkNMmi+ZpWNV2aOi0ji4ziQHTpxS3oHg@mail.gmail.com> <7328D528-7915-4675-8067-DD23373F8DFB@vpnc.org> <01OKH096DL180006TF@mauve.mrochek.com> <0B281559-CD98-400D-A21B-AC13F75C9552@vpnc.org> <01OKH59WL0SW0006TF@mauve.mrochek.com> <505B5922.5020704@gmx.de> <CAMm+Lwj=W1T=CjnT8JXR841Vk6tkuAa9rjXcKWMDSB3e4mxNLQ@mail.gmail.com> <505B5C7B.1010005@gmx.de> <CAMm+LwjUzJQUQp1P7+_jvtcG3bPTfx8LF_6r2=gWvmYme6qvsA@mail.gmail.com>
In-Reply-To: <CAMm+LwjUzJQUQp1P7+_jvtcG3bPTfx8LF_6r2=gWvmYme6qvsA@mail.gmail.com>
Cc: Ned Freed <ned.freed@mrochek.com>, Paul Hoffman <paul.hoffman@vpnc.org>, "apps-discuss@ietf.org Discuss" <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] Guidance on RFC 4627 as reference

On 2012-09-20 20:44, Phillip Hallam-Baker wrote:
> The issue here that the RFC seems to hint at (the language is next to
> meaningless) is that JSON does not provide the types of integrity
> checking that should be used if you are using it to wrap something like
> SQL commands or other data to be passed to a scripting language.
> ...

WHICH language?

As far as I can tell, the spec describes how to pass names, strings, 
numbers and booleans around. It doesn't care at all what you put into 
strings (and it shouldn't).

> There are encodings that are explicitly designed to make that type of
> use safe and there are ways of applying JSON that can make it safe but
> JSON does not provide an automatic check.

Automatic checks of what? Strings are strings are strings. What do you 
want to check?

> If that is not the issue that the SC section is trying to explain then
> lets have someone else try to explain what the SC in the media type
> registration means.

It says:

>    Generally there are security issues with scripting languages.  JSON
>    is a subset of JavaScript, but it is a safe subset that excludes
>    assignment and invocation.

That sounds pretty clear to me.

>    A JSON text can be safely passed into JavaScript's eval() function
>    (which compiles and executes a string) if all the characters not
>    enclosed in strings are in the set of characters that form JSON
>    tokens.  This can be quickly determined in JavaScript with two
>    regular expressions and calls to the test and replace methods.
>
>       var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
>              text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
>          eval('(' + text + ')');

These are instructions on how to prevent a JavaScript code injection in 
case you choose to use the JS eval() function to parse the JSON.

Best regards, Julian
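The regex-guarded eval() that the quoted RFC 4627 text describes, as an added example that is not part of this thread or of the RFC's own text: the two regular expressions are the ones from the excerpt above, wrapped in functions so the accept/reject behaviour can be exercised. The function names, the constructed sample inputs and the side-by-side JSON.parse comparison are my assumptions, not anything the RFC or the email specifies.

```javascript
// Added example (not from the email or from RFC 4627 itself): the two-regex
// guard from RFC 4627's security considerations, wrapped as functions so the
// accept/reject behaviour can be exercised on constructed sample inputs.

// Step 1 from the RFC: remove every JSON string literal (including any
// backslash-escaped quote inside it) so only the structural text remains.
const STRING_LITERAL = /"(\\.|[^"\\])*"/g;

// Step 2: any character outside the JSON token alphabet (punctuation, digits,
// sign, exponent marker, the letters of true/false/null, whitespace) means the
// text is not a pure JSON text and must not reach eval().
const NON_TOKEN_CHAR = /[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/;

// True when `text`, with string literals stripped, consists only of JSON token
// characters. This is a lexical filter, not a JSON grammar check.
function passesTokenFilter(text) {
  const structural = text.replace(STRING_LITERAL, '');
  return !NON_TOKEN_CHAR.test(structural);
}

// The RFC's pattern: only eval() the text once the filter has accepted it.
// Returns { ok: true, value } or { ok: false, reason }.
function evalJsonGuarded(text) {
  if (!passesTokenFilter(text)) {
    return { ok: false, reason: 'non-JSON characters outside strings' };
  }
  try {
    // Parenthesised so a top-level object literal is not parsed as a block.
    return { ok: true, value: eval('(' + text + ')') };
  } catch (e) {
    // Filter-accepted text can still fail to parse (e.g. "[[["): eval()
    // then raises a SyntaxError instead of executing anything.
    return { ok: false, reason: 'syntax error: ' + e.message };
  }
}

// The same decision with a real JSON parser for comparison: JSON.parse never
// executes code, so it needs no pre-filter (hypothetical helper name).
function parseJsonStrict(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Constructed sample inputs: one well-formed JSON text, two texts carrying
// JavaScript invocation/assignment, and one filter-accepted non-JSON text.
const SAMPLES = {
  wellFormed: '{"name": "a\\"b", "n": [1, -2.5e3, true, null]}',
  invocation: '{"name": alert(1)}',
  assignment: '[1, 2]; hijacked = 1',
  notGrammar: '[[[',
};

// Runs every sample through the filter, the guarded eval and JSON.parse and
// reports which stage accepted it.
function runSamples() {
  const results = {};
  for (const [label, text] of Object.entries(SAMPLES)) {
    results[label] = {
      filter: passesTokenFilter(text),
      guardedEval: evalJsonGuarded(text).ok,
      jsonParse: parseJsonStrict(text).ok,
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSamples(), null, 2));
}
```

Running it shows the well-formed text accepted by all three stages, the two texts with assignment or invocation rejected by the filter before eval() is ever reached, and `[[[` passing the lexical filter but failing in eval() with a SyntaxError. The comparison column makes the practical point: a dedicated parser such as JSON.parse rejects the same inputs without any code execution path at all, so the regex guard only matters where eval() is still the parser in use.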