RFC Errata

RFC 4627, "The application/json Media Type for JavaScript Object Notation (JSON)", July 2006

Note: This RFC has been obsoleted by RFC 7159

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: app

Errata ID: 3607

Status: Held for Document Update
Type: Technical

Reported By: Bjoern Hoehrmann
Date Reported: 2013-04-27
Held for Document Update by: Barry Leiba
Date Held: 2013-05-01

Section 6 says:

   A JSON text can be safely passed into JavaScript's eval() function
   (which compiles and executes a string) if all the characters not
   enclosed in strings are in the set of characters that form JSON
   tokens.  This can be quickly determined in JavaScript with two
   regular expressions and calls to the test and replace methods.

      var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
             text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
         eval('(' + text + ')');

It should say:

[OBSOLETE]

Notes:

Executing the following code in Microsoft Internet Explorer 9

var text = "\
+{ \"valueOf\": self[\"location\"],\
\"toString\": [][\"join\"],\
0: \"javascript:alert('EXPLOIT')\",\
\"length\": 1\
}"

var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
eval('(' + text + ')');

results in an "alert" message of "EXPLOIT", i.e. part of the data is executed as if it were executable code, which the validation code in the RFC is supposed to rule out.

Credit is due to Stefano Di Paola's http://blog.mindedsecurity.com/2011/08/ye-olde-crockford-json-regexp-is.html article, and possibly others the reporter does not know of.

----- NOTES FROM THE DOCUMENT AUTHOR -----
That section is completely obsolete. The recommendation now is to not use eval at all, and instead use JSON.parse.

That section should be replaced entirely with language independent advice on proper encoding and decoding, including avoidance of concatenation to construct JSON texts.

----- NOTES FROM THE VERIFIER -----
The resolution of this is more involved than can be handled by errata, and a document update is planned soon... so this will be "held for document update." It's important to note that the premise is correct: the "eval()" mechanism is NOT RECOMMENDED, and this text will be entirely replaced when the document is updated.
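Added example, not part of the errata report, of RFC 4627, or of the document author's code: it runs the Section 6 regular-expression pre-check (copied verbatim, with the eval() call left out) and JSON.parse side by side on the reporter's payload and on an ordinary JSON text. The payload is the one from the report, reassembled as a single string; the helper names, the second sample text and the comparison function are this example's own assumptions.

```javascript
// Added example (not from RFC 4627 or the errata report): the Section 6
// pre-check versus JSON.parse on the reporter's payload. Helper names and the
// benign sample are this example's own.

// Regular expressions copied from RFC 4627 Section 6. The first matches any
// character outside the JSON token set; the second matches string literals.
const NON_TOKEN_CHAR = /[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/;
const STRING_LITERAL = /"(\\.|[^"\\])*"/g;

// What the pre-check actually inspects: the text with string literals removed.
function outsideStrings(text) {
  return text.replace(STRING_LITERAL, '');
}

// The RFC's validator without the eval() call: true means the RFC's code
// would go on to run eval('(' + text + ')').
function rfc4627PrecheckAccepts(text) {
  return !NON_TOKEN_CHAR.test(outsideStrings(text));
}

// The alternative named in the author's note: a real JSON parser. It never
// executes its input; anything that is not JSON raises SyntaxError.
function parseJsonStrict(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// The erratum's payload, reassembled as one string (constructed input; it is
// never eval()'d here). The leading '+' is unary plus, so eval() would coerce
// the object literal to a number via its valueOf/toString, which the report
// shows IE9 turning into alert('EXPLOIT'). The '+' survives the pre-check
// because JSON numbers may carry a signed exponent, and every letter of 'self'
// survives because the token set holds the letters of true, false and null.
const EXPLOIT_TEXT =
  '+{ "valueOf": self["location"], "toString": []["join"], 0: "javascript:alert(\'EXPLOIT\')", "length": 1 }';

// An ordinary JSON text (constructed input) for comparison.
const BENIGN_TEXT = '{"user": "alice", "roles": ["admin"], "n": 1.5e3}';

// Run both checks on a text and report what each one saw and decided.
function compare(text) {
  return {
    stripped: outsideStrings(text),
    precheckAccepts: rfc4627PrecheckAccepts(text),
    jsonParse: parseJsonStrict(text),
  };
}

console.log(compare(EXPLOIT_TEXT));
console.log(compare(BENIGN_TEXT));
```

The pre-check accepts both texts, since after string literals are stripped the payload is reduced to `+{ : self[], : [][], 0: , : 1 }`, every character of which is in the token set. JSON.parse accepts only the benign text and rejects the payload at its first character, which is the behaviour the author's note asks for: validate by parsing JSON as JSON, never by filtering and then evaluating it as JavaScript.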