Re: [Json] Security considerations

Matthew Morley <matt@mpcm.com> Sun, 06 October 2013 18:35 UTC

Date: Sun, 06 Oct 2013 14:34:56 -0400
From: Matthew Morley <matt@mpcm.com>
To: John Levine <johnl@taugh.com>
Cc: Carsten Bormann <cabo@tzi.org>, "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] Security considerations

On Sun, Oct 6, 2013 at 12:53 PM, John Levine <johnl@taugh.com> wrote:

>
> > It dawns on me that the #1 security consideration every web programmer
> > learns, when using JSON, is “You could parse it with eval() but DON’T DO
> > THAT”. So should we include that in the -bis Security Considerations
> > section?
>
> I would be more concrete and note that a string that purports
> to be JSON could in fact be anything, so parsers should treat
> them with due scepticism.
>

+1.


>
> I suppose it wouldn't hurt to spell things out for the low-clue,
> and note that although it is possible to turn a JSON string into
> an internal representation by evaluating it as Java(Ecma, etc.)script,
> that is exceedingly risky unless the string has been verified to
> be valid JSON.
>
> R's,
> John


-- 
Matthew P. C. Morley
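As an added example (not code from this thread or from the JSON WG), the contrast John draws, in JavaScript: an eval()-style parser accepts, and executes, any JavaScript expression that merely looks like JSON, whereas JSON.parse rejects everything outside the JSON grammar. The sample strings and the function names are constructed for this illustration.

```javascript
// Added example: a string that "purports to be JSON" fed to two parsers.

// The historically common, unsafe approach: wrap the text in parentheses and
// evaluate it as JavaScript. Every valid JS expression is accepted and run,
// not just JSON. Kept here only for contrast; never use it on untrusted input.
function evalParse(text) {
  return eval("(" + text + ")"); // eslint-disable-line no-eval
}

// The safe approach: JSON.parse implements only the JSON grammar and never
// executes code. Anything else raises a SyntaxError the caller must handle.
function strictParse(text) {
  if (typeof text !== "string") throw new TypeError("expected a string");
  return JSON.parse(text);
}

// Run one sample through a parser and report whether it was accepted.
function tryParse(parser, text) {
  try {
    return { accepted: true, value: parser(text) };
  } catch (e) {
    return { accepted: false, error: e.name };
  }
}

// Constructed samples: only the first one is actually JSON.
const SAMPLES = {
  json:       '{"n": 2, "tags": ["a", "b"]}',
  expression: '{"n": 1 + 1}',      // arithmetic inside a "JSON" value
  unquoted:   '{n: 2}',             // JS object literal, not JSON
  call:       '[Math.max(1, 2)]',   // a function call, executed by eval
};

// Compare both parsers over every sample.
// Returns { name: { evalAccepted, strictAccepted } }.
function compare(samples = SAMPLES) {
  const out = {};
  for (const [name, text] of Object.entries(samples)) {
    out[name] = {
      evalAccepted: tryParse(evalParse, text).accepted,
      strictAccepted: tryParse(strictParse, text).accepted,
    };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compare());
}
```

Only the genuine JSON sample is accepted by both; the other three are accepted (and evaluated) by eval() yet rejected by JSON.parse, which is exactly the "verified to be valid JSON" gap the message warns about.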