Re: [Json] Security considerations

R S <sayrer@gmail.com> Mon, 07 October 2013 02:20 UTC

In-Reply-To: <20131007014220.GR7224@mercury.ccil.org>
References: <CAHBU6iuLBDQd1a8D1vJXg4hUUQf6hBgs7vEsXZHLX_nrWE6aRA@mail.gmail.com> <7C4636E2-2819-4FD9-819F-A3594DADA711@tzi.org> <CAChr6Sz1B_1ZLEye=1XA=AiRUuZZ+HBiovC4VK0-aMkjd9O2ZA@mail.gmail.com> <20131007014220.GR7224@mercury.ccil.org>
Date: Sun, 06 Oct 2013 19:20:55 -0700
Message-ID: <CAChr6Sw1xO0QxgdzT9iHjGfONTGueFPassMqHph9dNSvdT_iNQ@mail.gmail.com>
From: R S <sayrer@gmail.com>
To: John Cowan <cowan@mercury.ccil.org>
Cc: Carsten Bormann <cabo@tzi.org>, Tim Bray <tbray@textuality.com>, "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] Security considerations
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/json>

On Sun, Oct 6, 2013 at 6:42 PM, John Cowan <cowan@mercury.ccil.org> wrote:

> R S scripsit:
>
> > We already have a reference to ECMAScript, and it is a pretty common
> > case, so it might be worth saying "eval() in ECMAScript and similar
> > functions in other languages..." or something like that. I believe
> > JSON will eval in Python as well, for example.
>
> If you arrange for "true", "false", and "null" to be defined as global
> variables whose values are True, False, and None, then yes.
>

You can.

axel-foley:dev sayrer$ python
Python 2.7.2 (default, Oct 11 2012, 20:14:37)
[GCC 4.2.1 Compatible Apple Clang 4.0 (tags/Apple/clang-418.0.60)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> eval("[true, false, null]")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<string>", line 1, in <module>
NameError: name 'true' is not defined
>>> eval("[true, false, null]", {"true": True, "false": False, "null": None})
[True, False, None]

- Rob


>
> Note that you can validate JSON with a simple regular expression to make
> it reasonably, though not 100%, safe to eval it in JavaScript.
>
> --
> The man that wanders far                        cowan@ccil.org
> from the walking tree                           http://www.ccil.org/~cowan
>         --first line of a non-existent poem by:         John Cowan
>
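The points raised in this exchange, as an added worked example (this code is not part of the thread and was written by neither R S nor John Cowan): binding true/false/null makes JSON text evaluate in Python, but eval() then also runs anything else the text contains, which is why it is not a parser. The filter is a Python port of the two-regex check in RFC 4627 section 6 (the JavaScript eval() guard the thread is revising), and json.loads() is the route that avoids eval() altogether. Function names (eval_json, looks_like_json, safe_eval_json, parse_json) and all sample inputs are constructed for this illustration.

```python
"""Added example: JSON, eval() and a regex pre-filter in Python.

Not from the thread; the JSON_NAMES binding reproduces what R S showed,
the rest demonstrates why it is unsafe and what to do instead.
"""
import json
import re

# The three JSON literal names, bound so JSON text reads as a Python expression.
JSON_NAMES = {"true": True, "false": False, "null": None}


def eval_json(text):
    """Parse JSON with eval(), as in the REPL session above.

    Works for JSON input, but eval() inserts __builtins__ into the globals
    dict it is given, so any non-JSON Python expression in `text` is also
    executed with full interpreter access.  A copy of JSON_NAMES is passed
    so the shared dict is not mutated.
    """
    return eval(text, dict(JSON_NAMES))


# Python port of the RFC 4627 section 6 check.  First drop every string
# literal (escapes included), then require that every remaining character
# is one that can appear in a non-string JSON token.
_STRING = re.compile(r'"(\\.|[^"\\])*"')
_NON_TOKEN_CHAR = re.compile(r'[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]')


def looks_like_json(text):
    """True if `text` passes the RFC 4627 regex filter.

    This is a character filter, not a grammar check: it rejects anything
    carrying identifiers, parentheses or operators, but still accepts
    malformed text such as "[}".  That is the "not 100%" in the caveat above.
    """
    stripped = _STRING.sub("", text)
    return _NON_TOKEN_CHAR.search(stripped) is None


def safe_eval_json(text):
    """eval() guarded by the filter; raises ValueError on non-JSON input."""
    if not looks_like_json(text):
        raise ValueError("text contains characters outside JSON tokens")
    return eval_json(text)


def parse_json(text):
    """The real answer: a JSON parser never executes its input."""
    return json.loads(text)


if __name__ == "__main__":
    good = "[true, false, null]"
    # Constructed hostile input: a plain Python expression, not JSON.
    # factorial() is used so the result is deterministic; an attacker would
    # call into os or subprocess instead.
    bad = "__import__('math').factorial(5)"

    print(eval_json(good))            # [True, False, None]
    print(eval_json(bad))             # 120 -- eval() ran attacker code
    print(looks_like_json(good), looks_like_json(bad))   # True False
    print(parse_json(good))           # [True, False, None], no eval() involved
    try:
        parse_json(bad)
    except json.JSONDecodeError as exc:
        print("json.loads rejected it:", exc)
```

Note that the regex guard only reduces the attack surface of eval(); it does not make eval() a parser, and Python's string and number syntax differ from JSON's in corners such as the "\/" escape. json.loads() is the correct tool in every case the thread discusses.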