Re: [Json] Security Considerations
"John Levine" <johnl@taugh.com> Thu, 06 June 2013 23:03 UTC
Date: Thu, 06 Jun 2013 23:02:39 -0000
Message-ID: <20130606230239.24517.qmail@joyce.lan>
From: John Levine <johnl@taugh.com>
To: json@ietf.org
In-Reply-To: <51B0E02E.4070209@crockford.com>
Cc: douglas@crockford.com
I'd suggest also adding some warnings to parser writers along these lines:

A string presented to a json parser may be a well formed json object, or it may be anything else. Hence a parser needs to avoid any assumptions that its input is well-formed. Even if an input string is syntactically valid, strings may be longer than the maximum length of an internal string format, numbers may not be representable in an internal numeric format, arrays may be longer than the limits of an internal array format, and an object may include more members than an internal form can represent. Objects and arrays may be more deeply nested than an internal form can represent.
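The bounds the post enumerates (nesting depth, string length, container size, numeric representability, and plain malformed input), enforced as a linear pre-check plus number hooks around Python's json module. This is an added example, not code from the post or from any JSON implementation; the values in LIMITS are constructed defaults and prescan, parse_bounded and reason are assumed names.

```python
import json
LIMITS = dict(max_depth=32, max_string=1024, max_elements=1000, int_bits=64)  # constructed example bounds
def prescan(text, lim):
    """Linear pass over raw text: reject depth/string/container excess first."""
    stack, in_str, esc, str_len = [], False, False, 0
    for ch in text:
        if in_str:                        # inside "...", honouring \ escapes
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
                continue
            str_len += 1
            if str_len > lim["max_string"]:
                raise ValueError("string too long")
        elif ch == '"':
            in_str, str_len = True, 0
        elif ch in "[{":
            if len(stack) >= lim["max_depth"]:
                raise ValueError("nesting too deep")
            stack.append(0)               # comma count of this container
        elif ch in "]}" and stack:
            stack.pop()
        elif ch == "," and stack:
            stack[-1] += 1
            if stack[-1] >= lim["max_elements"]:
                raise ValueError("too many elements")

def parse_bounded(text, lim=LIMITS):
    """Parse after prescan; hooks reject numbers the internal form can't hold."""
    prescan(text, lim)
    bound = 1 << (lim["int_bits"] - 1)    # signed int_bits-wide integer
    def as_int(s):
        if not -bound <= int(s) < bound:
            raise ValueError("integer not representable")
        return int(s)
    def as_float(s):
        if abs(float(s)) == float("inf"):  # finite double only
            raise ValueError("float overflows")
        return float(s)
    return json.loads(text, parse_int=as_int, parse_float=as_float)

def reason(text, lim=LIMITS):
    """None when accepted, else the message; malformed syntax is a ValueError too."""
    try:
        parse_bounded(text, lim)
    except ValueError as e:
        return str(e)
```

The pre-check runs before the recursive parse so that an over-deep or oversized document is refused in O(n) time instead of exhausting the stack or the heap first.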