Re: [Json] Security considerations

Carsten Bormann <cabo@tzi.org> Sun, 06 October 2013 08:12 UTC

Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
Content-Type: text/plain; charset="windows-1252"
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <CAHBU6iuLBDQd1a8D1vJXg4hUUQf6hBgs7vEsXZHLX_nrWE6aRA@mail.gmail.com>
Date: Sun, 06 Oct 2013 10:12:21 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <7C4636E2-2819-4FD9-819F-A3594DADA711@tzi.org>
References: <CAHBU6iuLBDQd1a8D1vJXg4hUUQf6hBgs7vEsXZHLX_nrWE6aRA@mail.gmail.com>
To: Tim Bray <tbray@textuality.com>
Cc: "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] Security considerations
Precedence: list

On Oct 6, 2013, at 08:10, Tim Bray <tbray@textuality.com> wrote:

> It dawns on me that the #1 security consideration every web programmer learns, when using JSON, is “You could parse it with eval() but DON’T DO THAT”. So should we include that in the -bis Security Considerations section?

Yes!

Phrased this way, that would be a security consideration specific to JavaScript.  It may be worthwhile pointing out that there have been attack vectors*) in other environments as well that have tried some simple, incompletely checked syntactical conversion from JSON into their own (unsafe) literal notation and loaded/executed that.

Grüße, Carsten

*) say, CVE-2013-0269, CVE-2013-0333

[Json] Security considerations Tim Bray
Re: [Json] Security considerations Carsten Bormann
Re: [Json] Security considerations John Levine
Re: [Json] Security considerations Matthew Morley
Re: [Json] Security considerations R S
Re: [Json] Security considerations John Cowan
Re: [Json] Security considerations Nico Williams
Re: [Json] Security considerations R S
Re: [Json] Security considerations Paul Hoffman
Re: [Json] Security considerations Tim Bray
Re: [Json] Security considerations Paul Hoffman
Re: [Json] Security considerations John Cowan
Re: [Json] Security considerations Tim Bray
Re: [Json] Security considerations R S
Re: [Json] Security considerations Martin J. Dürst