Re: [Json] Bug in RFC7493 (I-JSON)?

Carsten Bormann <cabo@tzi.org> Sun, 06 May 2018 08:13 UTC

From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <d9235420-09e2-4d25-1e4d-19848e2c48d8@gmail.com>
Date: Sun, 06 May 2018 10:13:16 +0200
Cc: "json@ietf.org" <json@ietf.org>
Message-Id: <287181EC-8CFD-4C3D-A543-9E6324BAB64E@tzi.org>
References: <d9235420-09e2-4d25-1e4d-19848e2c48d8@gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/json/ucjs22vW6uNURVbN3xDt4ONNIWs>
Subject: Re: [Json] Bug in RFC7493 (I-JSON)?

The question is not whether a number makes it through a round-trip (lots more do so) but whether the result of decoding is unambiguous. If you get 2**53, you don't know whether the sender sent 2**53 or 2**53+1, so you shouldn't be accepting either number as if it were unambiguous.

Sent from mobile

> On 6. May 2018, at 08:21, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
> During testing of the JSON canonicalizer [1,2] I tried with an integer just above the specified limit (2**53) + 1 and to my surprise it didn't fail.
> A short run with an IEEE-754/ES6 debugger seemed to confirm that +-2**53 is the actual limit for integers.
> 
> Input floating point: 9007199254740991
> Output floating point: 9007199254740991
> Hex value: 433fffffffffffff
> Binary value: 0 10000110011 1111111111111111111111111111111111111111111111111111
> 
> Input floating point: 9007199254740992
> Output floating point: 9007199254740992
> Hex value: 4340000000000000
> Binary value: 0 10000110100 0000000000000000000000000000000000000000000000000000
> 
> Anders
> 
> [1] https://github.com/cyberphone/json-canonicalization#json-canonicalization
> [2] https://cyberphone.github.io/doc/security/draft-rundgren-json-canonicalization-scheme.html
> 
> 
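As an added example (not code from this thread, nor from the json-canonicalization project linked above), here are the checks a decoder can apply to a JSON integer literal, written in JavaScript because the experiment in the thread was run against ES6 number semantics. The function names and the constructed literals around 2**53 are mine. BigInt gives exact integer arithmetic; Number() applies the same round-to-nearest-even IEEE-754 binary64 conversion that JSON.parse does.

```javascript
// Added example, not code from the thread or from the json-canonicalization
// project. Function names and the demo literals are constructed for this example.

const JSON_INT_LITERAL = /^-?(0|[1-9][0-9]*)$/;

// RFC 7493, section 2.2: integers in [-(2**53)+1, (2**53)-1] are interoperable.
const I_JSON_MAX_INT = 2n ** 53n - 1n;

function parseIntegerLiteral(literal) {
  if (!JSON_INT_LITERAL.test(literal)) {
    throw new SyntaxError(`not a JSON integer literal: ${literal}`);
  }
  return BigInt(literal); // exact, no rounding
}

// The test the original experiment used: does the literal survive a trip
// through a double and back to text? 2**53 passes this, which is the trap.
function roundTripsAsText(literal) {
  const d = Number(parseIntegerLiteral(literal)); // correctly rounded, like JSON.parse
  return String(d) === literal;
}

// The test that matters for a decoder: could a different integer have
// produced the same double? All integers that round to one double form a
// contiguous run, so checking the two immediate neighbours is sufficient.
function isAmbiguous(literal) {
  const n = parseIntegerLiteral(literal);
  const d = Number(n);
  return Number(n - 1n) === d || Number(n + 1n) === d;
}

// The I-JSON rule: a fixed range that is guaranteed free of ambiguity.
function inIJsonRange(literal) {
  const n = parseIntegerLiteral(literal);
  return n >= -I_JSON_MAX_INT && n <= I_JSON_MAX_INT;
}

// Strict I-JSON decode: accept only literals inside the range; everything
// else is rejected rather than silently rounded to a neighbouring value.
function decodeIJsonInteger(literal) {
  const n = parseIntegerLiteral(literal);
  if (n < -I_JSON_MAX_INT || n > I_JSON_MAX_INT) {
    throw new RangeError(`integer outside I-JSON range: ${literal}`);
  }
  return Number(n);
}

// Constructed demo literals: 2**53-1, 2**53, 2**53+1, 2**53+2.
const DEMO = ['9007199254740991', '9007199254740992', '9007199254740993', '9007199254740994'];
for (const lit of DEMO) {
  console.log(lit, 'roundTripsAsText:', roundTripsAsText(lit),
              'ambiguous:', isAmbiguous(lit), 'inIJsonRange:', inIJsonRange(lit));
}
```

Running it shows the point of the reply: 9007199254740992 round-trips as text yet isAmbiguous() reports true, because 9007199254740993 decodes to the same double (JSON.parse of either literal returns 9007199254740992). Note also that the ambiguity-free integers are not one contiguous set: 2**53+2 is exactly representable and both of its neighbours round away from it, so the neighbour test passes there while 2**53 fails. The fixed I-JSON bound of 2**53-1 is the largest interval that is free of such collisions on both sides, which is why a specification states a range rather than a per-value rule.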