[Json] Fixing / removing the safe-for-eval() regex

"Hill, Brad" <bhill@paypal-inc.com> Mon, 11 March 2013 17:46 UTC

Return-Path: <bhill@paypal-inc.com>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id E6F6011E80DE for <json@ietfa.amsl.com>; Mon, 11 Mar 2013 10:46:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 12BKsZ0WkU57 for <json@ietfa.amsl.com>; Mon, 11 Mar 2013 10:46:38 -0700 (PDT)
Received: from den-mipot-002.corp.ebay.com (den-mipot-002.corp.ebay.com []) by ietfa.amsl.com (Postfix) with ESMTP id B291C11E80CC for <json@ietf.org>; Mon, 11 Mar 2013 10:46:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal-inc.com; i=@paypal-inc.com; q=dns/txt; s=paypalcorp; t=1363023999; x=1394559999; h=from:to:subject:date:message-id:mime-version; bh=eKKi5Z6q0yCLQXstoo0qi4x04HFMcc1uskPWYom2x3M=; b=NxV5LkoDFhOLdComg3/xSt/Vuliim6VpkEQ2VGScJlTV08jIIAta4U/L pMX1lbxx3OyFmwdwyzqszfSUd3+IR0Ulc1joXV4zFbFn7tDWI9yFkpOoF +6KrfJct54f4Wj9sEjJX1v8Tc3HuC92buu7MzOxZ61BdAte2qX57aAmun U=;
X-EBay-Corp: Yes
X-IronPort-AV: E=Sophos; i="4.84,825,1355126400"; d="scan'208,217"; a="13947609"
Received: from den-vtenf-001.corp.ebay.com (HELO DEN-EXMHT-001.corp.ebay.com) ([]) by den-mipot-002.corp.ebay.com with ESMTP; 11 Mar 2013 10:46:38 -0700
Received: from DEN-EXDDA-S12.corp.ebay.com ([fe80::40c1:9cf7:d21e:46c]) by DEN-EXMHT-001.corp.ebay.com ([fe80::345e:2420:7d3d:208d%13]) with mapi id 14.02.0318.004; Mon, 11 Mar 2013 11:46:37 -0600
From: "Hill, Brad" <bhill@paypal-inc.com>
To: "json@ietf.org" <json@ietf.org>
Thread-Topic: Fixing / removing the safe-for-eval() regex
Thread-Index: Ac4egGy0TXno4AShSrq8byxKCcXTOQ==
Date: Mon, 11 Mar 2013 17:46:37 +0000
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E2795A91E@DEN-EXDDA-S12.corp.ebay.com>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_370C9BEB4DD6154FA963E2F79ADC6F2E2795A91EDENEXDDAS12corp_"
MIME-Version: 1.0
X-CFilter: Scanned
X-Mailman-Approved-At: Mon, 11 Mar 2013 10:47:56 -0700
Subject: [Json] Fixing / removing the safe-for-eval() regex
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion related to JavaScript Object Notation \(JSON\)." <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/json>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Mar 2013 17:46:40 -0000

If a new WG is chartered to update 4627, fixing or removing the safe-for-eval() regex should be on the charter.

There are now several known ways to break out of this regex:


Alternatively, we might simply remove the regex and suggest that only "native" JSON parsing be allowed.  We may or may not be at a point in the ecosystem where this facility is widely available and eval() is no longer a necessary expedient in any significant number of cases.

As this regex is widely-used, I would suggest it should be improved for use in some situations and recommended more strongly against, up to and including MUST NOT in a web browser environment where json.parse() is available and the global scope is cluttered with objects that allow code execution.

Brad Hill