RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

Found 3 records.

Status: Verified (1)

RFC 4627, "The application/json Media Type for JavaScript Object Notation (JSON)", July 2006

Note: This RFC has been obsoleted by RFC 7159

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: app

Errata ID: 607

Status: Verified
Type: Editorial

Reported By: Stéphane Bortzmeyer
Date Reported: 2007-10-17
Verifier Name: Alexey Melnikov
Date Verified: 2010-07-24

Section 2.2 says:

      object = begin-object [ member *( value-separator member ) ]
      end-object

It should say:

      object = begin-object [ member *( value-separator member ) ]
               end-object

Notes:

(edited by Alexey): Wrong indentation on the second line of the ABNF production, otherwise this is not legal ABNF.

Status: Held for Document Update (1)

RFC 4627, "The application/json Media Type for JavaScript Object Notation (JSON)", July 2006

Note: This RFC has been obsoleted by RFC 7159

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: app

Errata ID: 3607

Status: Held for Document Update
Type: Technical

Reported By: Bjoern Hoehrmann
Date Reported: 2013-04-27
Held for Document Update by: Barry Leiba
Date Held: 2013-05-01

Section 6 says:

   A JSON text can be safely passed into JavaScript's eval() function
   (which compiles and executes a string) if all the characters not
   enclosed in strings are in the set of characters that form JSON
   tokens.  This can be quickly determined in JavaScript with two
   regular expressions and calls to the test and replace methods.

      var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
             text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
         eval('(' + text + ')');

It should say:

[OBSOLETE]

Notes:

Executing the following code in Microsoft Internet Explorer 9

var text = "\
+{ \"valueOf\": self[\"location\"],\
\"toString\": [][\"join\"],\
0: \"javascript:alert('EXPLOIT')\",\
\"length\": 1\
}"

var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
eval('(' + text + ')');

results in an "alert" message of "EXPLOIT", i.e. part of the data is executed as if it was executable code, which the validation code in the RFC is supposed to rule out.

Credit is due to Stefano Di Paola's http://blog.mindedsecurity.com/2011/08/ye-olde-crockford-json-regexp-is.html article, and possibly others the reporter does not know of.

----- NOTES FROM THE DOCUMENT AUTHOR -----
That section is completely obsolete. The recommendation now is to not use eval at all, and instead use JSON.parse.

That section should be replaced entirely with language independent advice on proper encoding and decoding, including avoidance of concatenation to construct JSON texts.

----- NOTES FROM THE VERIFIER -----
The resolution of this is more involved than can be handled by errata, and a document update is planned soon... so this will be "held for document update." It's important to note that the premise is correct: the "eval()" mechanism is NOT RECOMMENDED, and this text will be entirely replaced when the document is updated.

Status: Rejected (1)

RFC 4627, "The application/json Media Type for JavaScript Object Notation (JSON)", July 2006

Note: This RFC has been obsoleted by RFC 7159

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: app

Errata ID: 3159

Status: Rejected
Type: Technical

Reported By: James S. Chi
Date Reported: 2012-03-20
Rejected by: Peter Saint-Andre
Date Rejected: 2012-03-22

Section 2.5 says:

         string = quotation-mark *char quotation-mark

         char = unescaped /
                escape (
                    %x22 /          ; "    quotation mark  U+0022
                    %x5C /          ; \    reverse solidus U+005C
                    %x2F /          ; /    solidus         U+002F
                    %x62 /          ; b    backspace       U+0008
                    %x66 /          ; f    form feed       U+000C
                    %x6E /          ; n    line feed       U+000A
                    %x72 /          ; r    carriage return U+000D
                    %x74 /          ; t    tab             U+0009
                    %x75 4HEXDIG )  ; uXXXX                U+XXXX

         escape = %x5C              ; \

         quotation-mark = %x22      ; "

         unescaped = %x20-21 / %x23-5B / %x5D-10FFFF

It should say:

         string = quotation-mark *char quotation-mark

         char = unescaped /
                escape (
                    %x22 /          ; "    quotation mark  U+0022
                    %x5C /          ; \    reverse solidus U+005C
                    %x62 /          ; b    backspace       U+0008
                    %x66 /          ; f    form feed       U+000C
                    %x6E /          ; n    line feed       U+000A
                    %x72 /          ; r    carriage return U+000D
                    %x74 /          ; t    tab             U+0009
                    %x75 4HEXDIG )  ; uXXXX                U+XXXX

         escape = %x5C              ; \

         quotation-mark = %x22      ; "

         unescaped = %x20-21 / %x23-5B / %x5D-10FFFF

Notes:

There is a contradiction regarding solidus(/, %2F) character - it belongs to both escaped character and unescaped character. To solve this,delete following line:

%x2F / ; / solidus U+002F

The reason it should belong to unescaped character is clear. There's no gain by escape it.

The author has replied as follows:

There is no problem here. There is no requirement that there be a single encoding for each codepoint. "/" and "\/" are both allowed and both produce the same result. The second form was [provided] to allow insertion into HTML, where "</script>" interacts badly, but "<\/script>" does not.

Therefore, this report is rejected.
--VERIFIER NOTES--

Report New Errata



Search RFCs
Advanced Search
×