Re: [Json] Security considerations

"John Levine" <johnl@taugh.com> Sun, 06 October 2013 16:53 UTC

Date: Sun, 06 Oct 2013 16:53:10 -0000
Message-ID: <20131006165310.3006.qmail@joyce.lan>
From: John Levine <johnl@taugh.com>
To: json@ietf.org
In-Reply-To: <7C4636E2-2819-4FD9-819F-A3594DADA711@tzi.org>
Cc: cabo@tzi.org
Subject: Re: [Json] Security considerations

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> It dawns on me that the #1 security consideration every web programmer
> learns, when using JSON, is “You could parse it with eval() but DON’T DO
> THAT”. So should we include that in the -bis Security Considerations
> section?

I would be more concrete and note that a string that purports
to be JSON could in fact be anything, so parsers should treat
them with due scepticism.

I suppose it wouldn't hurt to spell things out for the low-clue,
and note that although it is possible to turn a JSON string into
an internal representation by evaluating it as Java(Ecma, etc.)script,
that is exceedingly risky unless the string has been verified to
be valid JSON.

R's,
John
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.21 (FreeBSD)

iEYEARECAAYFAlJRlYsACgkQkEiFRdeC/kUpHgCfTAck4oWuM2dZlm0D2Xrbdvzk
AzEAn1wGCFV2dBiqpoOmPmM9VDYpTdGq
=hdOH
-----END PGP SIGNATURE-----
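The point made in this thread, shown as an added example that is not part of the original message or of any IETF document: a string that merely purports to be JSON can be any JavaScript expression, and evaluating it with eval() executes that expression, whereas JSON.parse() accepts only the JSON grammar and runs nothing. The function names and the sample inputs below are constructed for illustration.

```javascript
// Added example, not from the thread. Contrasts eval()-based "parsing"
// (the pattern the thread warns against) with strict JSON.parse().

// Legacy pattern: treat the text as JavaScript source. Anything that is a
// valid JS expression is accepted and EXECUTED, whether or not it is JSON.
function legacyEvalParse(text) {
  // Parenthesised so an object literal is read as an expression, not a block.
  return eval("(" + text + ")");
}

// Strict parse: JSON.parse() accepts only the JSON grammar and never runs code.
// A parse failure is reported as data rather than thrown, so callers can
// treat "not valid JSON" as an expected condition, not an exception.
function safeParse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// "Verified to be valid JSON" is exactly what a successful JSON.parse() means,
// so this check is the strict parser itself; there is no cheaper shortcut.
function isValidJson(text) {
  return safeParse(text).ok;
}

// Constructed inputs (hypothetical, for illustration only).
const SAMPLES = {
  plain: '{"user": "alice", "roles": ["reader"]}', // real JSON
  arithmetic: '{"n": 1 + 1}',                       // JS expression, not JSON
  call: '{"n": (function () { return 42; })()}',   // JS that runs a function
  junk: 'not json at all',                          // neither JSON nor JS
};

// Report whether each parser accepts a given text, without letting the
// eval path's exceptions escape.
function classify(text) {
  const strict = safeParse(text);
  let loose;
  try {
    loose = { ok: true, value: legacyEvalParse(text) };
  } catch (err) {
    loose = { ok: false, error: err.message };
  }
  return { strictAccepts: strict.ok, evalAccepts: loose.ok };
}

// Stand-alone run: prints one line per sample.
for (const [name, text] of Object.entries(SAMPLES)) {
  const c = classify(text);
  console.log(name, "strict:", c.strictAccepts, "eval:", c.evalAccepts);
}
```

The arithmetic and call samples are the ones that matter: JSON.parse() rejects both as malformed, while eval() happily returns an object, having computed the sum and run the function along the way. Since a strict parse already answers "is this valid JSON?", the practical rule is to use its result and never reach for eval() at all.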