RFC Errata
Found 3 records.
Status: Verified (1)
RFC 4627, "The application/json Media Type for JavaScript Object Notation (JSON)", July 2006
Note: This RFC has been obsoleted by RFC 7159
Source of RFC: IETF - NON WORKING GROUP
Area Assignment: app
Errata ID: 607
Status: Verified
Type: Editorial
Publication Format(s) : TEXT
Reported By: Stéphane Bortzmeyer
Date Reported: 2007-10-17
Verifier Name: Alexey Melnikov
Date Verified: 2010-07-24
Section 2.2 says:
object = begin-object [ member *( value-separator member ) ]
end-object
It should say:
object = begin-object [ member *( value-separator member ) ]
         end-object
Notes:
(edited by Alexey): Wrong indentation on the second line of the ABNF production, otherwise this is not legal ABNF.
Status: Held for Document Update (1)
RFC 4627, "The application/json Media Type for JavaScript Object Notation (JSON)", July 2006
Note: This RFC has been obsoleted by RFC 7159
Source of RFC: IETF - NON WORKING GROUP
Area Assignment: app
Errata ID: 3607
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT
Reported By: Bjoern Hoehrmann
Date Reported: 2013-04-27
Held for Document Update by: Barry Leiba
Date Held: 2013-05-01
Section 6 says:
A JSON text can be safely passed into JavaScript's eval() function (which compiles and executes a string) if all the characters not enclosed in strings are in the set of characters that form JSON tokens. This can be quickly determined in JavaScript with two regular expressions and calls to the test and replace methods.

   var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
          text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
      eval('(' + text + ')');
It should say:
[OBSOLETE]
Notes:
Executing the following code in Microsoft Internet Explorer 9
var text = "\
+{ \"valueOf\": self[\"location\"],\
\"toString\": [][\"join\"],\
0: \"javascript:alert('EXPLOIT')\",\
\"length\": 1\
}"
var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
eval('(' + text + ')');
results in an "alert" message of "EXPLOIT", i.e. part of the data is executed as if it was executable code, which the validation code in the RFC is supposed to rule out.
Credit is due to Stefano Di Paola's http://blog.mindedsecurity.com/2011/08/ye-olde-crockford-json-regexp-is.html article, and possibly others the reporter does not know of.
----- NOTES FROM THE DOCUMENT AUTHOR -----
That section is completely obsolete. The recommendation now is to not use eval at all, and instead use JSON.parse.
That section should be replaced entirely with language independent advice on proper encoding and decoding, including avoidance of concatenation to construct JSON texts.
----- NOTES FROM THE VERIFIER -----
The resolution of this is more involved than can be handled by errata, and a document update is planned soon... so this will be "held for document update." It's important to note that the premise is correct: the "eval()" mechanism is NOT RECOMMENDED, and this text will be entirely replaced when the document is updated.
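The gap the erratum reports, shown as an added example that is not part of the erratum or of RFC 4627: the Section 6 regex pre-check, with strings stripped, sees only characters from the JSON token set in the reported payload and so approves it, while JSON.parse (the replacement the document author recommends) rejects the same text without executing anything. The payload string and the benign document are constructed here from the text above.

```javascript
// Added example (not from RFC 4627 or the erratum): the Section 6 regex
// pre-check beside JSON.parse, run over the erratum's payload.

// The two regular expressions exactly as RFC 4627 Section 6 gives them.
const RFC4627_TOKEN_FILTER = /[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/;
const STRING_LITERAL = /"(\\.|[^"\\])*"/g;

// What the filter actually inspects: the text with every string literal removed.
function nonStringRemainder(text) {
  return text.replace(STRING_LITERAL, '');
}

// The Section 6 check as written: true means the RFC would go on to eval().
function rfc4627RegexCheckPasses(text) {
  return !RFC4627_TOKEN_FILTER.test(nonStringRemainder(text));
}

// Strict parse: JSON.parse never executes anything; it yields a value or throws.
function strictParse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Payload from the erratum, constructed here as one string (no line continuations).
// It is never passed to eval() in this example.
const ERRATUM_PAYLOAD =
  '+{ "valueOf": self["location"], "toString": []["join"], ' +
  '0: "javascript:alert(\'EXPLOIT\')", "length": 1 }';

// A constructed, well-formed JSON text for comparison.
const BENIGN_JSON = '{"user": "alice", "roles": ["reader"], "n": 1.5e3}';

function compare(text) {
  return {
    remainder: nonStringRemainder(text),      // what the regex sees
    regexPasses: rfc4627RegexCheckPasses(text),
    strict: strictParse(text),
  };
}

console.log(compare(ERRATUM_PAYLOAD)); // regexPasses: true, strict.ok: false
console.log(compare(BENIGN_JSON));     // regexPasses: true, strict.ok: true
```

The remainder for the payload is `+{ : self[], : [][], 0: , : 1 }`: the identifiers `self` and the structural characters all fall inside the filter's allowed set (`r-u` covers `s`, and `e`, `l`, `f` are listed for `true`/`false`/`null`), which is why the filter cannot tell data from code.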
Status: Rejected (1)
RFC 4627, "The application/json Media Type for JavaScript Object Notation (JSON)", July 2006
Note: This RFC has been obsoleted by RFC 7159
Source of RFC: IETF - NON WORKING GROUP
Area Assignment: app
Errata ID: 3159
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: James S. Chi
Date Reported: 2012-03-20
Rejected by: Peter Saint-Andre
Date Rejected: 2012-03-22
Section 2.5 says:
   string = quotation-mark *char quotation-mark

   char = unescaped /
          escape (
              %x22 /          ; "    quotation mark  U+0022
              %x5C /          ; \    reverse solidus U+005C
              %x2F /          ; /    solidus         U+002F
              %x62 /          ; b    backspace       U+0008
              %x66 /          ; f    form feed       U+000C
              %x6E /          ; n    line feed       U+000A
              %x72 /          ; r    carriage return U+000D
              %x74 /          ; t    tab             U+0009
              %x75 4HEXDIG )  ; uXXXX                U+XXXX

   escape = %x5C              ; \

   quotation-mark = %x22      ; "

   unescaped = %x20-21 / %x23-5B / %x5D-10FFFF
It should say:
   string = quotation-mark *char quotation-mark

   char = unescaped /
          escape (
              %x22 /          ; "    quotation mark  U+0022
              %x5C /          ; \    reverse solidus U+005C
              %x62 /          ; b    backspace       U+0008
              %x66 /          ; f    form feed       U+000C
              %x6E /          ; n    line feed       U+000A
              %x72 /          ; r    carriage return U+000D
              %x74 /          ; t    tab             U+0009
              %x75 4HEXDIG )  ; uXXXX                U+XXXX

   escape = %x5C              ; \

   quotation-mark = %x22      ; "

   unescaped = %x20-21 / %x23-5B / %x5D-10FFFF
Notes:
There is a contradiction regarding the solidus (/, %2F) character: it belongs to both the escaped characters and the unescaped characters. To solve this, delete the following line:
              %x2F /          ; /    solidus         U+002F
The reason it should belong to the unescaped characters is clear. There's no gain by escaping it.
The author has replied as follows:
There is no problem here. There is no requirement that there be a single encoding for each codepoint. "/" and "\/" are both allowed and both produce the same result. The second form was [provided] to allow insertion into HTML, where "</script>" interacts badly, but "<\/script>" does not.
Therefore, this report is rejected.