Preliminary Community Review: text/json
Graham Klyne
GK at ninebynine.org
Fri Feb 10 12:29:01 CET 2006
My apologies for not reading more closely. Technically, I agree you have
addressed the matter, but I do feel the text, as written, doesn't sufficiently
draw a reader's attention to the problem of malformed JSON values.
Let me make a concrete suggestion this time: after the first paragraph, I
suggest adding this:
[[
However, there is a potential security problem if an application accepts a JSON
value blindly assuming that it is safe to execute as Javascript code.
]]
This then leads to your second paragraph.
#g
--
Douglas Crockford wrote:
> The section on Security Considerations addressed this directly.
>
> Security considerations:
>
> Generally there are security issues with scripting languages.
> JSON is a subset of JavaScript, but it is a safe subset that
> excludes assignment and invocation.
>
> A JSON text can be safely passed into JavaScript's eval()
> function (which compiles and executes a string) if all of the
> characters not enclosed in strings are in the set of characters
> which form JSON tokens. This can be quickly determined in
> JavaScript with two regular expressions and calls to the test and
> replace methods.
>
> var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
> text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
> eval('(' + text + ')');
>
>
> ----- Original Message ----
> From: Graham Klyne <GK at ninebynine.org>
> To: Douglas Crockford <douglas at crockford.com>
> Cc: ietf-types at iana.org
> Sent: Thursday, February 9, 2006 4:14:33 PM
> Subject: Re: Preliminary Community Review: text/json
>
> Douglas Crockford wrote:
>> This is notice of a potential media type registration.
>> The details may be found here:
>>
>> http://www.ietf.org/internet-drafts/draft-crockford-jsonorg-json-02.txt
>>
>
> I have some limited experience of using JSON with TurboGears, and I think this
> registration is useful and appropriate. I haven't read the technical spec in
> great detail, but didn't see any major problems on cursory reading.
>
> However, I think there is an important issue that is missing from the security
> considerations:
>
> Because JSON is a subset of Javascript, and is sometimes used as a way of
> communicating information to Javascript programs, there is a possibility for
> implementers to simply treat the JSON expressions directly as Javascript source
> code (e.g. via Javascript eval()). This is safe if the expression is known to
> conform the the JSON specification, but if this is not checked there is a
> possibility that executable code inject side effects into a running Javascript
> program. Therefore, applications that receive JSON expressions need to ensure
> that they are processed in such a way that ill-formed expressions have no
> possibility of causing unexpected side effects or distorting the information
> that is displayed to users.
>
> There is one other thing I noticed. The proposed MIME type is text/json. I
> think that, based on comments I have seen made previously, that application/json
> would be more appropriate. My understanding is that text/... is intended for
> textual information that is suitable for display to a general human audience;
> e.g., it has been suggested that text/html was a mistake, which should not be
> repeated.
>
> #g
>
--
Graham Klyne
For email:
http://www.ninebynine.org/#Contact
More information about the Ietf-types
mailing list