Re: [Json] Security considerations

"Martin J. Dürst" <duerst@it.aoyama.ac.jp> Mon, 07 October 2013 07:31 UTC

Message-ID: <5252633E.70000@it.aoyama.ac.jp>
Date: Mon, 07 Oct 2013 16:31:10 +0900
From: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
Organization: Aoyama Gakuin University
To: Tim Bray <tbray@textuality.com>
References: <CAHBU6iuLBDQd1a8D1vJXg4hUUQf6hBgs7vEsXZHLX_nrWE6aRA@mail.gmail.com> <7C4636E2-2819-4FD9-819F-A3594DADA711@tzi.org> <CAChr6Sz1B_1ZLEye=1XA=AiRUuZZ+HBiovC4VK0-aMkjd9O2ZA@mail.gmail.com> <20131007014220.GR7224@mercury.ccil.org> <FCDBFB26-BABB-4D49-A464-BBD68C7FE3B3@vpnc.org> <CAHBU6isVgBXS=LG6CPgn2-tus5HTgkYoaDc2t8FPsWLBs2BFgA@mail.gmail.com> <8DD26019-C037-4E66-ADD8-AE01832E5EE1@vpnc.org> <CAHBU6iup96di+EQ4uUV-s2EhDbh1tmerZYF10nbOCxNz3enZNw@mail.gmail.com>
In-Reply-To: <CAHBU6iup96di+EQ4uUV-s2EhDbh1tmerZYF10nbOCxNz3enZNw@mail.gmail.com>
Cc: John Cowan <cowan@mercury.ccil.org>, Paul Hoffman <paul.hoffman@vpnc.org>, "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] Security considerations

I think it would be good to say something like "There are regular 
expressions floating around with the claims that they can pre-check a 
JSON text and make it safe to pass it to eval() and friends, but none of 
these actually work."

I think it would be a bad idea to say something like "Here is a regular 
expression which almost works."

Regards,    Martin.


Off-topic:

I think that the regular expression engine in Ruby 1.9 (Oniguruma) comes 
with features that allow the creation of a Regexp object that would do 
the full job. That's because these regular expressions essentially are 
powered up to reach the level of context-free languages.

Of course, from a viewpoint of formal language theory, they don't 
deserve to be called regular expressions anymore, but then this applies 
to virtually all of the "regular expression" implementations in today's 
languages and libraries.

On 2013/10/07 13:09, Tim Bray wrote:
> What is the argument against including a conventional warning against a
> plausible-but-dangerous practice?  The only one I can think of is “everyone
> already knows that” which doesn’t seem very strong to me.
>
>
> On Sun, Oct 6, 2013 at 8:19 PM, Paul Hoffman<paul.hoffman@vpnc.org>  wrote:
>
>> On Oct 6, 2013, at 8:18 PM, Tim Bray<tbray@textuality.com>  wrote:
>>
>>> You mean will not cover might-make-you-safe regex, or will not warn of
>> the dangers of eval()?
>>
>> Correct.
>>
>> --Paul Hoffman
>> _______________________________________________
>> json mailing list
>> json@ietf.org
>> https://www.ietf.org/mailman/listinfo/json
>>
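The Oniguruma approach Martin sketches in his off-topic note, as an added example that is not part of the thread: a single Ruby Regexp built from recursive subexpression calls that recognises the whole JSON grammar, placed next to a flat character-whitelist check to show what a truly regular expression cannot see. The group names, the whitelist and the sample inputs are my own choices.

```ruby
# Added example, not from the thread. Martin's off-topic remark made concrete:
# Ruby 1.9+ regexps (Oniguruma) support subexpression calls (\g<name>), so one
# Regexp can recognise the full, recursive JSON grammar instead of a flat
# approximation. The group names (ws, value, object, ...) are my own choices.
JSON_TEXT = /
  (?<ws>     [\x20\t\n\r]* ){0}
  (?<value>  \g<object> | \g<array> | \g<string> | \g<number> | true | false | null ){0}
  (?<object> \{ \g<ws> (?: \g<pair> (?: \g<ws> , \g<ws> \g<pair> )* )? \g<ws> \} ){0}
  (?<pair>   \g<string> \g<ws> : \g<ws> \g<value> ){0}
  (?<array>  \[ \g<ws> (?: \g<value> (?: \g<ws> , \g<ws> \g<value> )* )? \g<ws> \] ){0}
  (?<string> " (?: [^"\\\x00-\x1f] | \\ (?: ["\\\/bfnrt] | u[0-9A-Fa-f]{4} ) )* " ){0}
  (?<number> -? (?: 0 | [1-9][0-9]* ) (?: \.[0-9]+ )? (?: [eE][+-]?[0-9]+ )? ){0}
  \A \g<ws> \g<value> \g<ws> \z
/x

# A genuinely regular "check" of the kind the thread warns about (constructed
# here): it only whitelists characters, so it cannot tell whether brackets
# nest correctly or whether a bare word is a JSON literal.
FLAT_CHECK = /\A[\s\[\]{}:,"0-9.eE+\-a-z\\]*\z/

# True only when the whole input is exactly one JSON value per the grammar above.
def json_text?(text)
  JSON_TEXT.match?(text)
end

# Runs both checks over the samples; the last column is the flat regexp's verdict.
def compare(samples)
  samples.map { |s| [s, json_text?(s), FLAT_CHECK.match?(s)] }
end

if __FILE__ == $0
  compare([
    '{"a": [1, 2.5e3, {"b": null}], "c": "x\u00e9\\"y"}',  # valid, nested
    '[{]}',       # every character whitelisted, but the nesting is wrong
    '{"a": 1',    # unterminated object
    '{"a": x}',   # bare identifier where a value is required
  ]).each { |s, full, flat| puts format('%-52s full=%-5s flat=%s', s, full, flat) }
end
```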