> On Oct. 15, 2014, 3:26 a.m., Adam B wrote: > > LGTM, but can you include some motivation here, since there's no JIRA > > ticket to track the issue? How did you come across this? What kinds of > > issues could have arisen?
I came across this while working on: https://issues.apache.org/jira/browse/MESOS-1878 Specifically, when going to files/debug.json on a slave, I would get an output like: {"/tmp/mesos/slaves/20141007-011720-3823062160-5050-19428-0/frameworks/20141006-213342-3823062160-5050-10828-0000/executors/e8782ea2-4dbf-11e4-8cd2-fea098290027/runs/7ae91c0a-38de-4714-9086-efd97f93d2b8": "\/tmp\/mesos\/slaves\/20141007-011720-3823062160-5050-19428-0\/frameworks\/20141006-213342-3823062160-5050-10828-0000\/executors\/e8782ea2-4dbf-11e4-8cd2-fea098290027\/runs\/7ae91c0a-38de-4714-9086-efd97f93d2b8"} Where it is hard to tell the left and right are the same, and it is clear the right has been escaped but the left hasn't. An issue would arise in 'browse.json' if inside of an attached folder a file named '"' exists (ex, by running `touch \"`), the JSON returned from browsing the directory would be illegal, which would break the JSON parser recieving the results. It would also be possible for an individual to craft a file name in that instance which could potentially exploit anything which works on the data being returned from browse.json Anywere we return / generate JSON objects though this could be an issue. I'm just not familiar with other places. - Cody ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/26723/#review56644 ----------------------------------------------------------- On Oct. 15, 2014, 1:12 a.m., Cody Maloney wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/26723/ > ----------------------------------------------------------- > > (Updated Oct. 15, 2014, 1:12 a.m.) > > > Review request for mesos and Adam B. > > > Repository: mesos-git > > > Description > ------- > > All strings in JSON need to be escaped, including the keys in dictionaries / > objects. > > > Diffs > ----- > > 3rdparty/libprocess/3rdparty/stout/include/stout/json.hpp > 719aa964a536cf02dbd2de440157de487ec703b1 > > Diff: https://reviews.apache.org/r/26723/diff/ > > > Testing > ------- > > make distcheck > > > Thanks, > > Cody Maloney > >
