[ https://issues.apache.org/jira/browse/CB-192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13191368#comment-13191368 ]

Becky Gibson commented on CB-192:
---------------------------------

It is the nature of the JSON library that is now being used in Cordova to not 
support embedded nulls.

From https://github.com/johnezang/JSONKit/blob/master/README.md:

   "An exception is made for the code point U+0000, which is legal Unicode. The 
reason for this is that this particular code point is used by C string handling 
code to specify the end of the string, and any such string handling code will 
incorrectly stop processing a string at the point where U+0000 occurs. Although 
reasonable people may have different opinions on this point, it is the authors 
considered opinion that the risks of permitting JSON Strings that contain 
U+0000 outweigh the benefits. One of the risks in allowing U+0000 to appear 
unaltered in a string is that it has the potential to create security problems 
by subtly altering the semantics of the string which can then be exploited by a 
malicious attacker. This is similar to the issue of arbitrarily deleting 
characters from Unicode text."

And discussed in this ticket for the JSONKit library: 
https://github.com/johnezang/JSONKit/issues/51

                
> Plugins fail silently when string argument contains \x00 characters
> -------------------------------------------------------------------
>
>                 Key: CB-192
>                 URL: https://issues.apache.org/jira/browse/CB-192
>             Project: Apache Callback
>          Issue Type: Bug
>          Components: iOS
>    Affects Versions: 1.3.0
>         Environment: Mac OS X Lion, XCode 4.2, Phonegap 1.3.0
>            Reporter: Derek Jensen
>            Assignee: Shazron Abdullah
>
> Passing a string argument with hex 0 embedded in it causes the plugin to 
> fail silently.
> While the argument is correctly processed by JSON.stringify(), the plugin 
> Objective-C code
> is never called.  To see this in action, try console.log("foo\x00");

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
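
An added example, not part of the original message and not code from Cordova or JSONKit: a caller-side check that finds strings containing U+0000 in plugin arguments and raises an error before they reach the bridge, so the call does not fail silently. The helper names (`findNulPaths`, `assertNoNul`, `cStringView`) and the sample arguments are hypothetical.

```javascript
const NUL = "\u0000";

// Walk a plugin argument list (nested arrays/objects allowed) and return
// the path of every string value or object key that contains U+0000.
function findNulPaths(value, path = "args", seen = new Set()) {
  if (typeof value === "string") {
    return value.includes(NUL) ? [path] : [];
  }
  if (value === null || typeof value !== "object" || seen.has(value)) {
    return []; // numbers, booleans, null, or an object already visited
  }
  seen.add(value);
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findNulPaths(item, `${path}[${i}]`, seen)));
  } else {
    for (const [key, item] of Object.entries(value)) {
      const safeKey = key.split(NUL).join("\\u0000"); // keep the report printable
      if (key.includes(NUL)) hits.push(`${path}.${safeKey} (key)`);
      hits.push(...findNulPaths(item, `${path}.${safeKey}`, seen));
    }
  }
  return hits;
}

// Fail loudly on the JavaScript side instead of silently on the native side.
function assertNoNul(args) {
  const hits = findNulPaths(args);
  if (hits.length > 0) {
    throw new TypeError(`U+0000 in plugin argument(s): ${hits.join(", ")}`);
  }
  return args;
}

// What NUL-terminated (C-style) string handling would see of a value:
// everything from the first U+0000 onward is dropped.
function cStringView(s) {
  const end = s.indexOf(NUL);
  return end === -1 ? s : s.slice(0, end);
}

// Constructed sample arguments for illustration.
const sampleArgs = ["ok", { name: "foo\u0000bar", tags: ["a", "b\u0000"] }];
console.log(findNulPaths(sampleArgs));
console.log(JSON.stringify("foo\x00")); // the JS side escapes U+0000 as \u0000
```
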

        
