Re: [Json] Proposed minimal change for duplicate names in objects

Bjoern Hoehrmann <derhoermi@gmx.net> Sun, 07 July 2013 18:57 UTC

Return-Path: <derhoermi@gmx.net>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D7DD11E80FF for <json@ietfa.amsl.com>; Sun, 7 Jul 2013 11:57:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.553
X-Spam-Level:
X-Spam-Status: No, score=-2.553 tagged_above=-999 required=5 tests=[AWL=0.046, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jfKWwWws8BKx for <json@ietfa.amsl.com>; Sun, 7 Jul 2013 11:57:39 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) by ietfa.amsl.com (Postfix) with ESMTP id B8B1211E80EE for <json@ietf.org>; Sun, 7 Jul 2013 11:57:38 -0700 (PDT)
Received: from =?utf-8?q?netb.Speedport=5fW=5f700V?= ([91.35.43.58]) by mail.gmx.com (mrgmx101) with ESMTPA (Nemesis) id 0MXDo1-1UjYMw1nuf-00WJ9y; Sun, 07 Jul 2013 20:57:35 +0200
From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Tatu Saloranta <tsaloranta@gmail.com>
Date: Sun, 07 Jul 2013 20:57:34 +0200
Message-ID: <7adjt8hkf0lrirnloid2nnvg3ad2i7070k@hive.bjoern.hoehrmann.de>
References: <CAHBU6itdi3B1rWv2TiOYhL1QuOVxrFKt7OTWRoG+6TgV8Bc_uw@mail.gmail.com> <CAK3OfOgOYA5fas0oomF5amjP1bR5F=0+uve7mFD4=FMoEV7sWg@mail.gmail.com> <CAGrxA24y4D62XY-YnbDvKVwNKUickcEFxv1FUhc_yqG4KP-m-w@mail.gmail.com> <CAHBU6iuWLcXv0QKR=Ow8gkzoZLmoZjqYCqXDXR8FLVb7w7M2Tw@mail.gmail.com> <CAK3OfOic41TWGhVJFwv1o64GarZhM0mqoF1TBruJ9OkCQbqijA@mail.gmail.com> <CAGrxA257rS4Q=HH2GEvU6Skqk_pqD-hxVAekzfGUQ8XKfE2QcQ@mail.gmail.com>
In-Reply-To: <CAGrxA257rS4Q=HH2GEvU6Skqk_pqD-hxVAekzfGUQ8XKfE2QcQ@mail.gmail.com>
X-Mailer: Forte Agent 3.3/32.846
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K0:Ky/PiU48/21esQcaWKTXCIe8EI/RdlY8gJjsljWsSbOX4Ss2uRC zAf0xi07SdC580hu/lt4Kj3X8U8707Cib5XLRUCGZ4S19vuRnGV3KnIhOaG9zhorSJdmAXC tkd2Jmui3G+q1+Hy5THlx05CVkH8ITayf451cNnFp/chNDQUwgR5iHwtVpKXDwc+kdKoaaa AjFZgPZOILY4+2ZimU+mA==
Cc: "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] Proposed minimal change for duplicate names in objects
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/json>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Jul 2013 18:57:43 -0000

* Tatu Saloranta wrote:
>If this aspect was lost due to clarification for solving a problem that has
>more to do with concerns for _possible_ security issues, that would be sad.
>
>End users rarely have real need for minimal-state parsing. It is
>framework-builders -- such as, say Solr, Elastic Search, Hadoop, JAX-RS
>implementations (these for Java, similar for other platforms) -- that care
>as performance implications there have more effect. And they are the ones
>that have legitimate use for minimal-state components.

Note that the performance implications can easily become security impli-
cations. A naive implementation of checking for duplicates may well be
vulnerable to algorithmic complexity attacks causing denial of service
(by using maliciously crafted input that exhibits worst-case behavior).

http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html for in-
stance surprisingly showed that many common environments had failed to
pay attention when the problem was addressed in Perl eight years prior.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/