I noticed the other day a widespread flaw in JSON parsers that makes JSON
parsing a lossy operation. I haven't worked out the implications, but it seems
worth thinking about, so I thought I would run it by the group.
The problem is that JSON does not require that field names MUST be unique, only
that they SHOULD. From RFC 4627:
"
An object structure is represented as a pair of curly brackets
surrounding zero or more name/value pairs (or members). A name is a
string. A single colon comes after each name, separating the name
from the value. A single comma separates a value from a following
name. The names within an object SHOULD be unique.
"
Unfortunately, most JSON parsers are parsing into object constructs where each
field name references only one value. However, they will happily parse JSON
objects containing redundant fields -- they just set each field value to the
last value they saw for that name. So for example, if we parse the following
object ...
{ "foo": 1, "bar": 2, "foo": "This above all: to thine own self be true." }
... then most parsers will return an object with two fields, which would
stringify to the following:
{ "foo": "This above all: to thine own self be true.", "bar": 2 }
A demonstration in four languages is at the bottom of this message.
Like I said at the top, I'm not sure exactly what the implications of this
ambiguity are for this protocol. Thoughts?
--Richard
-----BEGIN json-error.sh-----
#!/bin/bash
# Feed one JSON object, with the "alg" member given twice, to four parsers
# and print what each one kept.  All four silently keep the last value.
BADHEADER='{"typ":"JWT", "alg":"HS256", "alg":"hmac-md5"}'
###### Python
python <<EOF
import json
text = '$BADHEADER'
obj = json.loads(text)
# dumps() rather than a bare print so the output matches the other three
print(json.dumps(obj))
EOF
###### Perl
perl <<EOF
use JSON qw(to_json from_json);
\$str = '$BADHEADER';
\$obj = from_json(\$str);
printf "%s\n", to_json(\$obj);
EOF
###### Javascript (NodeJS / JSC)
node <<EOF
var str = '$BADHEADER';
var obj = JSON.parse(str);
console.log(JSON.stringify(obj));
EOF
###### PHP
php <<EOF
<?php
// full open tag: "<?" only works when short_open_tag is enabled
\$str = '$BADHEADER';
\$obj = json_decode(\$str);
echo json_encode(\$obj) . "\n";
?>
EOF
-----END json-error.sh-----
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
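The message above shows that the stock parsers keep the last value for a repeated name. The practical worry for JOSE is that a verifier and a signer (or two verifiers) may not agree on which value wins, so a header with "alg" given twice can be read as HS256 by one side and as something else by the other. The example below is added here and is not part of Richard's message or of any JOSE library: it parses the same header three ways with Python's json module (default last-wins, a first-wins hook, and a strict hook that refuses any object repeating a name), and applies the strict parser to the protected header of a compact JWS. The names loads_strict, has_duplicate_names, header_alg_views, parse_jws_header and DuplicateNameError are mine, and the compact JWS built in the demo is a constructed token with an empty payload and no signature, used only to exercise the header parsing.

```python
"""Three readings of a JSON object that repeats a member name.

Added example, not code from the original message.  Python's json.loads
keeps the last value for a repeated name, but object_pairs_hook receives
every name/value pair of each object in order, so a caller can reject
duplicates or see what a first-value-wins parser would have produced.
"""
import base64
import json

# Constructed sample: the header from the message, with "alg" repeated.
BAD_HEADER = '{"typ":"JWT", "alg":"HS256", "alg":"hmac-md5"}'


class DuplicateNameError(ValueError):
    """Raised when a JSON object repeats a member name."""


def _reject_duplicates(pairs):
    """object_pairs_hook: build the dict, but fail on a repeated name."""
    obj = {}
    for name, value in pairs:
        if name in obj:
            raise DuplicateNameError("duplicate member name: %r" % name)
        obj[name] = value
    return obj


def _first_wins(pairs):
    """object_pairs_hook: keep the first value seen for each name."""
    obj = {}
    for name, value in pairs:
        obj.setdefault(name, value)
    return obj


def loads_strict(text):
    """Parse JSON, refusing any object (nested ones included) that repeats a name."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def loads_first_wins(text):
    """Parse JSON as a first-value-wins parser would."""
    return json.loads(text, object_pairs_hook=_first_wins)


def loads_last_wins(text):
    """Default json.loads behaviour: the last value for a name wins."""
    return json.loads(text)


def has_duplicate_names(text):
    """True if the JSON text contains an object that repeats a member name."""
    try:
        loads_strict(text)
    except DuplicateNameError:
        return True
    return False


def header_alg_views(header_json):
    """Return the "alg" that last-wins, first-wins and strict parsing each yield."""
    views = {
        "last_wins": loads_last_wins(header_json).get("alg"),
        "first_wins": loads_first_wins(header_json).get("alg"),
    }
    try:
        views["strict"] = loads_strict(header_json).get("alg")
    except DuplicateNameError as exc:
        views["strict"] = "rejected: %s" % exc
    return views


def b64url_encode(data):
    """base64url without padding, as JWS uses for its segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    """Inverse of b64url_encode: restore the padding and decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jws_header(compact_jws):
    """Decode and strictly parse the protected header of a compact JWS.

    Raises DuplicateNameError if the header repeats a name; a verifier
    should treat that as a malformed token rather than pick a value.
    """
    header_segment = compact_jws.split(".")[0]
    return loads_strict(b64url_decode(header_segment).decode("utf-8"))


if __name__ == "__main__":
    print(header_alg_views(BAD_HEADER))
    # Constructed token: the bad header, an empty payload ("{}"), no signature.
    token = b64url_encode(BAD_HEADER.encode("utf-8")) + ".e30."
    try:
        parse_jws_header(token)
    except DuplicateNameError as exc:
        print("token rejected:", exc)
```

The strict hook is the one a verifier should use: once two conforming parsers can disagree on the value of "alg", refusing the header outright is cheaper and safer than guessing which reading the signer had in mind.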