IETF Logo Mail Archive

Re: [Json] The names within an object SHOULD be unique.

Stephen Dolan <stephen.dolan@cl.cam.ac.uk> Fri, 07 June 2013 15:19 UTC

Return-Path: <stedolan@stedolan.net>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77FA521F91BC for <json@ietfa.amsl.com>; Fri, 7 Jun 2013 08:19:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.426
X-Spam-Level:
X-Spam-Status: No, score=-0.426 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R+zlv+NVNNCR for <json@ietfa.amsl.com>; Fri, 7 Jun 2013 08:19:27 -0700 (PDT)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) by ietfa.amsl.com (Postfix) with ESMTP id 20EB321F955A for <json@ietf.org>; Fri, 7 Jun 2013 08:19:26 -0700 (PDT)
Received: by mail-la0-f41.google.com with SMTP id fn20so3858892lab.28 for <json@ietf.org>; Fri, 07 Jun 2013 08:19:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:x-originating-ip:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :x-gm-message-state; bh=9SIDazaLbKKREf//eF6MzCRyahzNrzaYo16rw6mOpOo=; b=gYHooREdD8XVkUi7YMcN+e5cCqpZjnRPKoKrQmmqF5pC5uv9vg39LNGmInoqmJu7xm Dj4p+nJGoeL/t37mebdDCQMlpjn/f1fQ8OyhmWRn33twQ1F2bNrXZ7b7w4De4UzCtglh /qpIJ0jpc117tYbUtJvsuH5coHAb32KmCroQto/3fH8UemAM9pPlwgfTkOHWWJ47LnaR Xz7cULfQCAEn2YIJkoNofFD21HHOugqT6RWGD/jf1y1nCMoWcmdT7sG8ItttkjD1ud/p +ywPkwBo3ONDOvYIG50kM5DOwgFyaSQusn41XbV5GJa4LyKkFYtt1AUxvXa3ym6NUVk3 AQfQ==
MIME-Version: 1.0
X-Received: by 10.152.42.171 with SMTP id p11mr2751015lal.79.1370618365443; Fri, 07 Jun 2013 08:19:25 -0700 (PDT)
Sender: stedolan@stedolan.net
Received: by 10.114.186.41 with HTTP; Fri, 7 Jun 2013 08:19:25 -0700 (PDT)
X-Originating-IP: [128.232.9.157]
In-Reply-To: <51B1E909.2010402@drees.name>
References: <51AF8479.5080002@crockford.com> <CAK3OfOgtYoPRZ-Gj5G8AnNipDyxYs=6_KD=rQTxKbhDPX6FZNA@mail.gmail.com> <51b1168c.e686440a.5339.5fc4SMTPIN_ADDED_BROKEN@mx.google.com> <CAK3OfOhL3zXHfg9EEDWLXhjLQ1aBvvxikKAiR+nUpDHJaVh+Qg@mail.gmail.com> <51B1B47C.9060009@drees.name> <C86A9758-5BEF-415C-BD17-DC5E757FAA7E@yahoo.com> <51B1E909.2010402@drees.name>
Date: Fri, 07 Jun 2013 16:19:25 +0100
X-Google-Sender-Auth: cDk_an-QriKte0K8sxdERiGTev0
Message-ID: <CA+mHimN9=VZu4RRWcnk2F_uMi-+E-LDN2stb1MFNDP+o1R0WSg@mail.gmail.com>
From: Stephen Dolan <stephen.dolan@cl.cam.ac.uk>
To: stefan@drees.name
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQlmyo8bC2+cgLjdLdebGfO5gSDeLi62EGBsG1u0D6UybyEutcUvk1uANOIgtGfC2gvfNiyt
Cc: Vinny A <jsontest@yahoo.com>, Markus Lanthaler <markus.lanthaler@gmx.net>, "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] The names within an object SHOULD be unique.
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/json>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2013 15:21:07 -0000

On Jun 7, 2013, at 5:22 AM, Stefan Drees ... wrote:
>
> Which b.t.w. I would certainly rewrite as:
>
> NEW
> """
> Generators SHOULD NOT duplicate names in objects. Parsers MUST be
> prepared to either accept duplicate names in objects or reject the
> complete JSON text containing these, as a generator might not avoid nor
> detect such duplication.
> """

Regarding duplicate keys, the issue was raised before that having
multiple valid interpretations of an input leads to security problems.
Consider this document:

    {"command": "no-op", "user": "untrustworthy-person", "command":
"launch-missiles"}

if submitted to a system which separates authorization from execution,
where both use JSON implementations which differ in their
interpretation of duplicate keys, this could end badly.

There are some JSON implementations which preserve duplicate keys, and
many which don't. However, I know of no implementation which
interprets {"a":2, "a":1} as {"a":2} - the implementations I've seen
keep either all or just the last entry. Codifying this behaviour in
the RFC would help to prevent the security issue described above, so
how about some text along the lines of:

    If an object contains several key-value entries with the same key,
a JSON parser MAY ignore all but the last of these entries. A JSON
parser MUST NOT ignore the last such entry.


Stephen Dolan

v2.23.0 | Report a Bug | By Email