[Json] Security Considerations

Douglas Crockford <douglas@crockford.com> Wed, 05 June 2013 17:59 UTC

The section on security considerations is completely inadequate. It is describing a use of JavaScript eval that is now considered to be a very bad practice, and it provides no advice for other languages.

It should instead be advising care when constructing JSON texts, insisting on proper encoding practices and avoidance of concatenation.
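As an added example that is not part of Crockford's message, the following JavaScript contrasts a JSON text assembled by string concatenation with one produced by a serializer, and parses input with JSON.parse rather than eval; the sample display name and the field names are constructed for illustration.

```javascript
// Added example (not from the original message): why JSON texts should be
// built with a serializer rather than by concatenation, and read with
// JSON.parse rather than eval. All sample values below are constructed.

// Unsafe: the text is assembled by concatenating raw strings. A quote or
// backslash inside `displayName` changes the structure of the whole text,
// not just the value of the "name" member.
function buildProfileByConcatenation(displayName) {
  return '{"role": "user", "name": "' + displayName + '"}';
}

// Safe: the serializer escapes every string value, so whatever the input
// contains, it comes back out as exactly one string member.
function buildProfileWithSerializer(displayName) {
  return JSON.stringify({ role: "user", name: displayName });
}

// Safe parsing: JSON.parse accepts only the JSON grammar. A text that is
// really a JavaScript expression is rejected, where eval would execute it.
function parseJsonText(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    if (e instanceof SyntaxError) return { ok: false, error: e.message };
    throw e;
  }
}

// Constructed input containing a double quote, the character that breaks
// out of a concatenated string literal.
const craftedName = 'Ann", "role": "admin';

// Concatenation: the parsed object has a "role" the producer never set,
// because the later duplicate member overrides the earlier one.
const viaConcat = parseJsonText(buildProfileByConcatenation(craftedName));
// Serializer: the quote is escaped and the input survives as a single string.
const viaSerializer = parseJsonText(buildProfileWithSerializer(craftedName));

console.log(viaConcat.value.role);      // "admin"  (structure was altered)
console.log(viaSerializer.value.role);  // "user"
console.log(viaSerializer.value.name === craftedName); // true
console.log(parseJsonText("alert(1)").ok); // false (not JSON, not executed)
```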