Re: [Json] Security considerations
Nico Williams <nico@cryptonector.com> Mon, 07 October 2013 02:03 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC4FF21E8124 for <json@ietfa.amsl.com>; Sun, 6 Oct 2013 19:03:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.95
X-Spam-Level:
X-Spam-Status: No, score=-1.95 tagged_above=-999 required=5 tests=[AWL=0.027, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1jMiAo9vG380 for <json@ietfa.amsl.com>; Sun, 6 Oct 2013 19:03:53 -0700 (PDT)
Received: from homiemail-a84.g.dreamhost.com (caiajhbdcbef.dreamhost.com [208.97.132.145]) by ietfa.amsl.com (Postfix) with ESMTP id 2D84C21E811F for <json@ietf.org>; Sun, 6 Oct 2013 19:03:50 -0700 (PDT)
Received: from homiemail-a84.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a84.g.dreamhost.com (Postfix) with ESMTP id E899C1DE060 for <json@ietf.org>; Sun, 6 Oct 2013 19:03:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=GGi96vz65iSkk+ddoIKV x5W8hII=; b=wkxOuUfzg2010c+1Z9hGdTLWyJPjP+HUvFHJtb7k5ZPNQsVjKIar YjD07kIM5Q5CtkNk7ooAf+0Y4/+5f+TsLK/vd70qJ7dzF2iBsxOivzCGVU176PEj tnE/mH8TmViIQfKMZu7R+Q73+m+shxf6GO5TtAR+Bi+R2J1vOfKCgOw=
Received: from mail-we0-f176.google.com (mail-we0-f176.google.com [74.125.82.176]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a84.g.dreamhost.com (Postfix) with ESMTPSA id 904541DE059 for <json@ietf.org>; Sun, 6 Oct 2013 19:03:49 -0700 (PDT)
Received: by mail-we0-f176.google.com with SMTP id w62so4388318wes.7 for <json@ietf.org>; Sun, 06 Oct 2013 19:03:47 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=/e8TJq6ZUtksY8xuZjGu78iBEazp8Fry3tpqBvxUQ+I=; b=UIE+zlbmPPHKmslehc1YH8yFRzAfTonsCdL7G5UvzsZjkW6aqWLIlicna4OvRWJj9F NjQfYE61+VIxB3bf3bJbp5Su9xSMtQANjbaRRHRdVxns0pAJWzVZoQkdop2PgXR1UlTx JaNr5SrnBEBLARlxLgTIxV7qHRt8pg05R5vMH4OQN+H1Yjae7VJZhs5hXI61faQ9G9aD BAtlq8X762CYaae1NdJmrHjm0SJi1u+7V1RkbScEBV2ErmcQlNWrq4TJtEfIlrk2eG8M ls3nkHijzq9zqy7or/Vz9QNS5bjfKzqyZi9WtPBRwCccm18lNrghAeXWxF+u7tIZijTo KQcQ==
MIME-Version: 1.0
X-Received: by 10.180.198.79 with SMTP id ja15mr16993022wic.36.1381111427841; Sun, 06 Oct 2013 19:03:47 -0700 (PDT)
Received: by 10.216.165.5 with HTTP; Sun, 6 Oct 2013 19:03:47 -0700 (PDT)
In-Reply-To: <20131007014220.GR7224@mercury.ccil.org>
References: <CAHBU6iuLBDQd1a8D1vJXg4hUUQf6hBgs7vEsXZHLX_nrWE6aRA@mail.gmail.com> <7C4636E2-2819-4FD9-819F-A3594DADA711@tzi.org> <CAChr6Sz1B_1ZLEye=1XA=AiRUuZZ+HBiovC4VK0-aMkjd9O2ZA@mail.gmail.com> <20131007014220.GR7224@mercury.ccil.org>
Date: Sun, 06 Oct 2013 21:03:47 -0500
Message-ID: <CAK3OfOhTk=kMqdoRQbtizkNZVGW8h+bQ35+CPGxvGKQg=8rtvw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: John Cowan <cowan@mercury.ccil.org>
Content-Type: text/plain; charset="UTF-8"
Cc: Carsten Bormann <cabo@tzi.org>, "json@ietf.org" <json@ietf.org>, Tim Bray <tbray@textuality.com>, R S <sayrer@gmail.com>
Subject: Re: [Json] Security considerations
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/json>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Oct 2013 02:03:58 -0000
On Sun, Oct 6, 2013 at 8:42 PM, John Cowan <cowan@mercury.ccil.org> wrote: > Note that you can validate JSON with a simple regular expression to make > it reasonably, though not 100%, safe to eval it in JavaScript. I'm disinclined to believe this. Feel free to post the regex and we'll see :)
- [Json] Security considerations Tim Bray
- Re: [Json] Security considerations Carsten Bormann
- Re: [Json] Security considerations John Levine
- Re: [Json] Security considerations Matthew Morley
- Re: [Json] Security considerations R S
- Re: [Json] Security considerations John Cowan
- Re: [Json] Security considerations Nico Williams
- Re: [Json] Security considerations R S
- Re: [Json] Security considerations Paul Hoffman
- Re: [Json] Security considerations Tim Bray
- Re: [Json] Security considerations Paul Hoffman
- Re: [Json] Security considerations John Cowan
- Re: [Json] Security considerations Tim Bray
- Re: [Json] Security considerations R S
- Re: [Json] Security considerations Martin J. Dürst