Re: [Json] Security Considerations

"John Levine" <johnl@taugh.com> Thu, 06 June 2013 23:03 UTC

Date: Thu, 06 Jun 2013 23:02:39 -0000
Message-ID: <20130606230239.24517.qmail@joyce.lan>
From: John Levine <johnl@taugh.com>
To: json@ietf.org
In-Reply-To: <51B0E02E.4070209@crockford.com>
Cc: douglas@crockford.com
Subject: Re: [Json] Security Considerations

I'd suggest also adding some warnings to parser writers along these
lines:

A string presented to a JSON parser may be a well-formed JSON object,
or it may be anything else.  Hence a parser needs to avoid any
assumptions that its input is well-formed.  Even if an input string is
syntactically valid, strings may be longer than the maximum length of
an internal string format, numbers may not be representable in an
internal numeric format, arrays may be longer than the limits of an
internal array format, and an object may include more members than an
internal form can represent. Objects and arrays may be more deeply
nested than an internal form can represent.
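
The limits listed in the message above, enforced in front of Python's standard json module. This is an added example, not part of the original message; the limit values and the names safe_loads and JSONLimitError are assumptions chosen for illustration.

```python
import json
import math

# Illustrative limits, assumed for this example; derive real ones from your internal formats.
MAX_DEPTH = 32        # nested arrays/objects
MAX_STRING = 10_000   # raw characters in one string token (upper bound on decoded length)
MAX_ITEMS = 1_000     # elements per array, members per object
MAX_DIGITS = 30       # characters in one integer literal

class JSONLimitError(ValueError): pass  # input exceeds what this parser will represent

def _prescan(text):  # one pass over the raw text, before any structure is allocated
    stack, in_str, esc, run = [], False, False, 0  # stack: separators seen per open container
    for ch in text:
        if in_str:
            if esc or ch == "\\":
                esc = not esc
            elif ch == '"':
                in_str = False
                continue
            run += 1
            if run > MAX_STRING:
                raise JSONLimitError("string too long")
        elif ch == '"':
            in_str, run = True, 0
        elif ch in "[{":
            stack.append(0)
            if len(stack) > MAX_DEPTH:
                raise JSONLimitError("nesting too deep")
        elif ch in "]}" and stack:  # unbalanced input is left for json.loads to reject
            stack.pop()
        elif ch == "," and stack:
            stack[-1] += 1
            if stack[-1] >= MAX_ITEMS:  # n entries are separated by n-1 commas
                raise JSONLimitError("too many elements or members")

def _int(s):
    if len(s) > MAX_DIGITS:
        raise JSONLimitError("integer literal too long")
    return int(s)

def _float(s):
    if math.isinf(float(s)):  # e.g. 1e999 overflows a double
        raise JSONLimitError("number not representable")
    return float(s)

def safe_loads(text):  # parse untrusted JSON text; every rejection is a ValueError
    _prescan(text)
    return json.loads(text, parse_int=_int, parse_float=_float)
```

Input that is not JSON at all still fails with the json module's own ValueError, so a caller needs a single except clause for both cases.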