Re: [Json] Security Considerations

Stephan Beal <sgbeal@googlemail.com> Thu, 06 June 2013 20:00 UTC

In-Reply-To: <51B0E02E.4070209@crockford.com>
References: <51B0E02E.4070209@crockford.com>
Date: Thu, 06 Jun 2013 22:00:56 +0200
Message-ID: <CAKd4nAg1YsKrFF-kwzntFCkJ5DzuNbH4x4S7QCxs_C-V7C_A9g@mail.gmail.com>
From: Stephan Beal <sgbeal@googlemail.com>
Cc: "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] Security Considerations
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/json>

On Thu, Jun 6, 2013 at 9:17 PM, Douglas Crockford <douglas@crockford.com> wrote:

>    which some parsers MAY see as being the same as
>
>   {"comment":"","account":262}

That wording "may" not be valid/necessary, depending on how the debate on
the handling of multiple keys goes ;). If, for example, implementations are
required to fail on multiple keys, then any other behaviour is non-compliant
and need not (necessarily) be specified by the spec, except perhaps as
"non-normative" info.


>    It is much wiser to use JSON generators, which are available in many
>    forms for most programming languages, to do the encoding, avoiding
>    the confusion hazard.
>

Some generators (streaming ones) can still create dupes.

>    For example, JavaScript's eval() function is able to parse JSON text,
>    but it can also parse programs.  If an attacker can inject code into
>    the JSON text (as we saw above), then it can compromise the system.
>    JSON parsers should always be used instead.
>

IMHO that all belongs well within the realm of Best Practice (perhaps a
Security Concerns sub-section).

-- 
----- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal
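
The three hazards quoted in this message (a duplicate member that a last-wins parser resolves in favour of the injected value, a streaming generator that writes the same name twice, and eval() used as a parser), worked through as an added JavaScript example. This code is not from the thread or from the JSON WG draft; the record layout (account written before comment), the function names naiveRecord/safeRecord/parseStrict/evalRecord/StreamingObjectWriter and both attacker-controlled comment values are constructed for the example. JSON.parse keeps the last of two members with the same name, so an injected duplicate that lands later in the text wins; parseStrict is a small recursive-descent parser that turns a repeated name into a SyntaxError instead, which a JSON.parse reviver cannot do because the duplicates are collapsed before the reviver runs.

```javascript
// Added example, not code from this thread or from the JSON WG draft. It shows
// the three hazards quoted above: a duplicate member injected through string
// concatenation wins in a last-wins parser, a streaming generator emits
// duplicates unless it tracks names, and eval() runs whatever it is given.
// Function names, the record layout and all sample values are constructed.

// Naive "generator": concatenation. "account" is written first so that an
// injected duplicate comes later in the text, where a last-wins parser keeps it.
function naiveRecord(comment, account) {
  return '{"account":' + account + ',"comment":"' + comment + '"}';
}

// A real encoder: the same input becomes an escaped string literal.
function safeRecord(comment, account) {
  return JSON.stringify({ account: account, comment: comment });
}

// Streaming writer: members go out as they arrive; only per-object bookkeeping
// stops the same name from being written twice.
class StreamingObjectWriter {
  constructor(rejectDuplicates) { this.rejectDuplicates = rejectDuplicates; this.parts = []; this.seen = new Set(); }
  member(name, value) {
    if (this.rejectDuplicates && this.seen.has(name)) throw new Error('duplicate member "' + name + '"');
    this.seen.add(name);
    this.parts.push(JSON.stringify(name) + ':' + JSON.stringify(value));
    return this;
  }
  end() { return '{' + this.parts.join(',') + '}'; }
}

// Strict parser: JSON.parse semantics except that a repeated member name is a
// SyntaxError instead of "last one wins". A JSON.parse reviver cannot do this:
// duplicates are already collapsed before the reviver runs.
function parseStrict(text) {
  let i = 0;
  const ws = () => { while (i < text.length && ' \t\n\r'.indexOf(text[i]) >= 0) i++; };
  const fail = (msg) => { throw new SyntaxError(msg + ' at offset ' + i); };
  function value() {
    ws();
    if (text[i] === '{') return object();
    if (text[i] === '[') return array();
    if (text[i] === '"') return string();
    for (const [lit, v] of [['true', true], ['false', false], ['null', null]]) {
      if (text.startsWith(lit, i)) { i += lit.length; return v; }
    }
    const m = /^-?(0|[1-9]\d*)(\.\d+)?([eE][+-]?\d+)?/.exec(text.slice(i));
    if (m) { i += m[0].length; return Number(m[0]); }
    fail('unexpected input');
  }
  function string() {
    // Find the unescaped closing quote; JSON.parse then validates that one literal.
    const start = i++;
    while (i < text.length && text[i] !== '"') { if (text[i] === '\\') i++; i++; }
    if (i >= text.length) fail('unterminated string');
    return JSON.parse(text.slice(start, ++i));
  }
  function object() {
    const obj = Object.create(null); // no prototype, so "__proto__" is an ordinary key
    i++; ws();
    if (text[i] === '}') { i++; return obj; }
    for (;;) {
      ws(); if (text[i] !== '"') fail('expected member name');
      const name = string();
      ws(); if (text[i++] !== ':') fail("expected ':'");
      if (name in obj) fail('duplicate member "' + name + '"');
      obj[name] = value();
      ws();
      if (text[i] === ',') { i++; continue; }
      if (text[i] === '}') { i++; return obj; }
      fail("expected ',' or '}'");
    }
  }
  function array() {
    const arr = [];
    i++; ws();
    if (text[i] === ']') { i++; return arr; }
    for (;;) {
      arr.push(value()); ws();
      if (text[i] === ',') { i++; continue; }
      if (text[i] === ']') { i++; return arr; }
      fail("expected ',' or ']'");
    }
  }
  const result = value(); ws();
  if (i !== text.length) fail('trailing input'); return result;
}

// eval() "parsing": the text runs as a program (the parentheses are how
// eval-based JSON readers worked), so an injected expression executes.
function evalRecord(text) { return (0, eval)('(' + text + ')'); }

// Constructed attacker-controlled comment values.
const INJECTED_COMMENT = '","account":262,"note":"';  // closes the string, adds a duplicate member
const EVAL_COMMENT = '"+(globalThis.evalRan=true)+"';  // a JavaScript expression, not JSON

const text = naiveRecord(INJECTED_COMMENT, 1);        // two "account" members in one object
console.log('JSON.parse account:', JSON.parse(text).account);  // 262: the injected one wins
try { parseStrict(text); } catch (e) { console.log('parseStrict:', e.message); }
console.log('safeRecord account:', parseStrict(safeRecord(INJECTED_COMMENT, 1)).account);  // 1
evalRecord(naiveRecord(EVAL_COMMENT, 1));
console.log('eval ran injected code:', globalThis.evalRan === true);  // true
```

Run it with node. The eval payload only sets a global flag, but it is a program, not data: JSON.parse throws a SyntaxError on the same text, while eval() executes it. The member-order detail matters for the "MAY see as" wording in the draft: which duplicate a last-wins parser keeps depends on where the injection lands in the text, which is exactly why leaving the behaviour unspecified is a hazard.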