Re: [Json] Security considerations

R S <sayrer@gmail.com> Mon, 07 October 2013 05:02 UTC

From: R S <sayrer@gmail.com>
To: Tim Bray <tbray@textuality.com>
Cc: John Cowan <cowan@mercury.ccil.org>, Paul Hoffman <paul.hoffman@vpnc.org>, "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] Security considerations

On Sunday, October 6, 2013, Tim Bray wrote:

> What is the argument against including a conventional warning against a
> plausible-but-dangerous practice?  The only one I can think of is “everyone
> already knows that” which doesn’t seem very strong to me.
>

It's worse than that.

RFC 4627 has text that says a JSON string can be passed to eval() if it
passes an inadequate regex. This text should be corrected, not just
omitted.

- Rob


>
> On Sun, Oct 6, 2013 at 8:19 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>
>> On Oct 6, 2013, at 8:18 PM, Tim Bray <tbray@textuality.com> wrote:
>>
>> > You mean will not cover might-make-you-safe regex, or will not warn of
>> the dangers of eval()?
>>
>> Correct.
>>
>> --Paul Hoffman
>> _______________________________________________
>> json mailing list
>> json@ietf.org
>> https://www.ietf.org/mailman/listinfo/json
>>
>
>
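An added example, not part of this thread or of any list member's message, illustrating the point Rob makes about the RFC 4627 text. The Security Considerations section of RFC 4627 suggests that a text may be handed to eval() once it passes a character-class filter; the two regular expressions below are that filter, reproduced as constants. The code never calls eval(): it only shows that the filter accepts input which is not JSON at all (here a harmless arithmetic expression), while JSON.parse, which accepts nothing outside the JSON grammar and executes no code, rejects it. The sample inputs are constructed for the example.

```javascript
// Filter from RFC 4627, Security Considerations: strip string literals, then
// reject the text if any character outside the listed set remains.
const RFC4627_STRING_RE = /"(\\.|[^"\\])*"/g;
const RFC4627_DISALLOWED_RE = /[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/;

// true when the RFC 4627 filter would let the text through to eval()
function passesRfc4627Filter(text) {
  const withoutStrings = text.replace(RFC4627_STRING_RE, '');
  return !RFC4627_DISALLOWED_RE.test(withoutStrings);
}

// The replacement for eval(): JSON.parse only accepts the JSON grammar and
// never evaluates code, so a parse error is the only outcome for non-JSON.
function parseJsonSafely(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

// Constructed sample inputs: one real JSON text, one expression that the
// filter admits but that is not JSON, one text the filter rejects outright.
const SAMPLES = [
  '{"name": "Ada", "ok": true}',
  '[1, 2, 3+4]',
  '1;2',
];

// Side-by-side verdicts for each sample.
function compare(text) {
  return {
    text,
    filterAccepts: passesRfc4627Filter(text),
    jsonParseAccepts: parseJsonSafely(text).ok,
  };
}

// Texts the filter accepts but JSON.parse rejects are exactly the ones that
// would reach eval() as non-JSON under the RFC 4627 advice.
function filterOnlyAcceptances(texts) {
  return texts.filter((t) => passesRfc4627Filter(t) && !parseJsonSafely(t).ok);
}

for (const s of SAMPLES) {
  console.log(compare(s));
}
```

Running it shows that the valid object passes both checks, `[1, 2, 3+4]` passes the character filter yet fails JSON.parse with a SyntaxError, and `1;2` is rejected by both; the only safe course for a consumer is the second column, which is why the eval() advice needs correcting rather than dropping.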