IETF Logo Mail Archive

Re: [Json] Working Group Last Call on draft-ietf-json-text-sequence

Nico Williams <nico@cryptonector.com> Fri, 23 May 2014 20:45 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4CCD1A0056 for <json@ietfa.amsl.com>; Fri, 23 May 2014 13:45:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.044
X-Spam-Level:
X-Spam-Status: No, score=-1.044 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BZg6D5UWhQOF for <json@ietfa.amsl.com>; Fri, 23 May 2014 13:45:07 -0700 (PDT)
Received: from homiemail-a87.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id C0FF51A0052 for <json@ietf.org>; Fri, 23 May 2014 13:45:07 -0700 (PDT)
Received: from homiemail-a87.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTP id 2EC2E26C063 for <json@ietf.org>; Fri, 23 May 2014 13:45:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=l8jwG5osv8upKQrBnotD ne9EFXE=; b=D3hCW7nFfPDJw3zlLoNFc2g3Xj4hzY1Lk1viK/pVtACfiq4IP9eV BNR1MKmQ+VlJe9EjwzDc6m7WU6I+qsd8STBRugJNOIgytzbs6p5HkKKnhK172M2p xb/PNihALHQ01kMJTP09hQFZl6lbZjA6+szzFfT78xIFMFyDFZ6UlUo=
Received: from mail-we0-f175.google.com (mail-we0-f175.google.com [74.125.82.175]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTPSA id D3F0B26C05E for <json@ietf.org>; Fri, 23 May 2014 13:45:05 -0700 (PDT)
Received: by mail-we0-f175.google.com with SMTP id t61so5403354wes.34 for <json@ietf.org>; Fri, 23 May 2014 13:45:04 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.180.77.225 with SMTP id v1mr5366014wiw.5.1400877904474; Fri, 23 May 2014 13:45:04 -0700 (PDT)
Received: by 10.216.29.200 with HTTP; Fri, 23 May 2014 13:45:04 -0700 (PDT)
In-Reply-To: <CAHBU6it6agso2L8iFcsxCUWK36ccy8BYcXE+40DQhgXS5LuaKQ@mail.gmail.com>
References: <F6B74FE0-AEBE-43CC-BDE6-BA443BC04F2D@vpnc.org> <CAHBU6itW=UQq=w_wFwYJkZLT2GotUg_J1LGs-Fhcqg_vBd4+6A@mail.gmail.com> <20140523013240.GF15289@mercury.ccil.org> <CAK3OfOg088r=4VMv6PJxb97oJ6ctoUvwgkmGzi58ZkpisjoaoA@mail.gmail.com> <CAHBU6it6agso2L8iFcsxCUWK36ccy8BYcXE+40DQhgXS5LuaKQ@mail.gmail.com>
Date: Fri, 23 May 2014 15:45:04 -0500
Message-ID: <CAK3OfOj55J1xBGjp6X72zzEUj33k3cm-S+MNCvZ4GwJ_LtBDog@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Tim Bray <tbray@textuality.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/json/7kJ8Xd4DgEFiHAv_5LrHMWUPq6k
Cc: John Cowan <cowan@mercury.ccil.org>, Paul Hoffman <paul.hoffman@vpnc.org>, IETF JSON WG <json@ietf.org>
Subject: Re: [Json] Working Group Last Call on draft-ietf-json-text-sequence
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/json/>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 May 2014 20:45:09 -0000

On Fri, May 23, 2014 at 12:02 PM, Tim Bray <tbray@textuality.com> wrote:
> Clearly the current language is confusing readers of the spec. So I suggest
> that you be careful to define specialized terms that you are going to use in
> the spec.  An even better solution would be to structure the spec to avoid
> having to bring in this level of implementation idiosyncrasy.
>
> The more I think about the resync-after-error problem, the unhappier I get.
> If the JSON texts in sequences were required to be JSON objects, and
> required to start on new lines, this would be immensely easier for
> implementors.

That is not sufficient.  Consider this text:

{ "foo":
{ "bar":"baz" }
}

Clearly looking only for LF '{' is insufficient.

The text describes how to ensure that resynchronization can be done safely.

First, it says that "writers SHOULD validate (parse) any untrusted
JSON text inputs".  Then it gives two methods that, together with
validation, make resynchronization possible.

One method is to remove all newlines from JSON texts (a trivial
operation, see below) prior to writing them to the log file.  Then the
only boundary that matters is newlines, and that's very easy to search
for reliably.

The other method is to prefix every text with another text consisting
of something like 'null' (or 'true', or any value which will by
convention have no meaning other than as a resynchronization helper).
Also a trivial operation.

(Note that because newlines in strings must always be escaped, then
only newlines interior to any JSON text are... superfluous whitespace
that can be safely removed without having to parse and re-encode the
JSON text.)

Most attacks on loggers are easily thwarted by checking that any JSON
text to be logged is valid.  This leaves only one attack vector:
forcing a write by the logger to fail after starting -- this is a
non-trivial attack to mount, and it is trivially defeated by either
removing internal newlines from texts prior to writing them, or by
prefixing them with a meaningless-by-convention text (e.g., 'null').

Nico
--

v2.23.0 | Report a Bug | By Email