Re: [Json] Security considerations
John Cowan <cowan@mercury.ccil.org> Mon, 07 October 2013 02:01 UTC
Date: Sun, 06 Oct 2013 21:42:20 -0400
From: John Cowan <cowan@mercury.ccil.org>
To: R S <sayrer@gmail.com>
Cc: Carsten Bormann <cabo@tzi.org>, Tim Bray <tbray@textuality.com>, "json@ietf.org" <json@ietf.org>

R S scripsit:

> We already have a reference to ECMAScript, and it is a pretty common
> case, so it might be worth saying "eval() in ECMAScript and similar
> functions in other languages..." or something like that. I believe
> JSON will eval in Python as well, for example.

If you arrange for "true", "false", and "null" to be defined as global
variables whose values are True, False, and None, then yes.

Note that you can validate JSON with a simple regular expression to
make it reasonably, though not 100%, safe to eval it in JavaScript.

-- 
The man that wanders far                        cowan@ccil.org
from the walking tree                           http://www.ccil.org/~cowan
        --first line of a non-existent poem by:         John Cowan
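
An added example, not part of John Cowan's message or the thread: it runs the character-filter regex from RFC 4627 section 6 (assumed here to be the kind of expression the message refers to) against constructed inputs and compares what the filter admits with what `JSON.parse` accepts. The function names and sample strings are hypothetical.

```javascript
// Added example. The two regexes are the character filter from RFC 4627,
// section 6, assumed to be the "simple regular expression" meant above.
const STRING_LITERAL = /"(\\.|[^"\\])*"/g;
const DISALLOWED = /[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/;

// True when, with string literals removed, only JSON punctuation, digits and
// the letters of true/false/null remain. A lexical check, not a parse.
function passesFilter(text) {
  return !DISALLOWED.test(text.replace(STRING_LITERAL, ""));
}

// The filter-then-eval pattern. Indirect eval runs the text as global code.
function parseViaFilteredEval(text) {
  if (!passesFilter(text)) return { ok: false, value: undefined };
  try {
    return { ok: true, value: (0, eval)("(" + text + ")") };
  } catch (e) {
    return { ok: false, value: undefined };
  }
}

// Grammar-checking parse: JSON.parse never evaluates its input as code.
function isStrictJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

// Constructed sample inputs (not from the thread).
const SAMPLES = ['{"a": [1, true, null]}', "[1,,2]", ".5", '{"a": 1,}', "f()"];

// Report, per input, whether the filter admits it and whether it is JSON.
function audit(text) {
  return { text, filterPasses: passesFilter(text), strictJson: isStrictJson(text) };
}

for (const row of SAMPLES.map(audit)) {
  const gap = row.filterPasses && !row.strictJson ? "  <- evaluated, but not JSON" : "";
  console.log(JSON.stringify(row.text), row.filterPasses, row.strictJson, gap);
}
```

Inputs such as `[1,,2]` and `.5` pass the filter and are evaluated as JavaScript although they are not JSON, which is why a grammar-checking parser is the safer gate.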