Re: [Json] Security considerations

John Cowan <cowan@mercury.ccil.org> Mon, 07 October 2013 02:01 UTC

Date: Sun, 06 Oct 2013 21:42:20 -0400
From: John Cowan <cowan@mercury.ccil.org>
To: R S <sayrer@gmail.com>
Message-ID: <20131007014220.GR7224@mercury.ccil.org>
References: <CAHBU6iuLBDQd1a8D1vJXg4hUUQf6hBgs7vEsXZHLX_nrWE6aRA@mail.gmail.com> <7C4636E2-2819-4FD9-819F-A3594DADA711@tzi.org> <CAChr6Sz1B_1ZLEye=1XA=AiRUuZZ+HBiovC4VK0-aMkjd9O2ZA@mail.gmail.com>
In-Reply-To: <CAChr6Sz1B_1ZLEye=1XA=AiRUuZZ+HBiovC4VK0-aMkjd9O2ZA@mail.gmail.com>
Sender: John Cowan <cowan@ccil.org>
Cc: Carsten Bormann <cabo@tzi.org>, Tim Bray <tbray@textuality.com>, "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] Security considerations

R S wrote:

> We already have a reference to ECMAScript, and it is a pretty common
> case, so it might be worth saying "eval() in ECMAScript and similar
> functions in other languages..." or something like that. I believe
> JSON will eval in Python as well, for example.

If you arrange for "true", "false", and "null" to be defined as global
variables whose values are True, False, and None, then yes.

Note that you can validate JSON with a simple regular expression to make
it reasonably, though not 100%, safe to eval it in JavaScript.

-- 
The man that wanders far                        cowan@ccil.org
from the walking tree                           http://www.ccil.org/~cowan
        --first line of a non-existent poem by:         John Cowan
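The two points in the reply above, as an added example that is not part of the thread: evaluating JSON text with eval() executes whatever JavaScript the text contains, a character-class regular expression can reject most such input, and a real parser (JSON.parse) is the right tool. The filter below is the one from RFC 4627 section 6, which I assume is the "simple regular expression" the reply refers to; the sample documents and the demoHook function are constructed for this example and are not from the mailing list.

```javascript
// Added example (not from the mailing-list thread): eval() versus a real
// JSON parser, and what the RFC 4627 regular-expression filter does and does
// not catch. All sample documents below are constructed.

// The filter from RFC 4627 section 6: remove string literals, then reject any
// remaining character that JSON can never produce outside a string. The only
// letters allowed are those spelling true, false, null and exponents (e/E).
function rfc4627Filter(text) {
  const stripped = text.replace(/"(\\.|[^"\\])*"/g, '');
  return !/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(stripped);
}

// "Parse" the way pre-JSON.parse code did: evaluate the text as an expression.
// Anything that is valid JavaScript, not just JSON, is executed.
function parseWithEval(text) {
  return eval('(' + text + ')'); // eslint-disable-line no-eval
}

// The variant RFC 4627 suggests: run the filter first, eval only if it passes.
function parseWithFilteredEval(text) {
  if (!rfc4627Filter(text)) throw new SyntaxError('rejected by RFC 4627 filter');
  return parseWithEval(text);
}

// The safe path: a grammar-based parser that never executes anything.
function parseWithJsonParse(text) {
  return JSON.parse(text);
}

// Constructed sample 1: ordinary JSON, including an escaped quote and a
// brace inside a string, to show the filter strips strings correctly.
const GOOD =
  '{"user": "alice", "roles": ["admin"], "active": true, "limit": -1.5e3, "note": "say \\"hi\\" }"}';

// Constructed sample 2: valid JavaScript but not JSON. eval() runs the call;
// the hook only increments a counter so the example stays self-contained.
let hookCalls = 0;
globalThis.demoHook = function () { hookCalls += 1; return 'executed'; };
const NOT_JSON_CODE = '{"user": demoHook()}';

// Constructed sample 3: not JSON (trailing comma), but made only of characters
// the filter allows. The filter checks characters, not grammar, which is why
// it is only "reasonably, though not 100%" a JSON check.
const NOT_JSON_PASSES_FILTER = '{"user": "alice",}';

// Run each parser over one sample and record whether it accepted the input
// and, for the eval-based ones, whether embedded code actually ran.
function evaluate(text) {
  const parsers = {
    eval: parseWithEval,
    filteredEval: parseWithFilteredEval,
    jsonParse: parseWithJsonParse,
  };
  const result = { filter: rfc4627Filter(text) };
  for (const [name, parser] of Object.entries(parsers)) {
    const before = hookCalls;
    try {
      parser(text);
      result[name] = 'accepted';
    } catch (e) {
      result[name] = 'rejected';
    }
    if (hookCalls > before) result[name] += '+code-ran';
  }
  return result;
}

// Summary over all three samples.
function demo() {
  return {
    good: evaluate(GOOD),
    code: evaluate(NOT_JSON_CODE),
    notJson: evaluate(NOT_JSON_PASSES_FILTER),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The summary shows the three behaviours side by side: plain eval accepts everything and runs the embedded call; the filtered eval rejects the sample containing code but still accepts the malformed sample, because a character whitelist is not a grammar check; JSON.parse accepts exactly the JSON document and nothing else.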