On 5/1/07, Konstantin Ryabitsev <[EMAIL PROTECTED]> wrote: > > Hello: > > Will there be a fix for http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2381 > in the 1.3.1 branch? >
Nope. It's not a real security issue, not with MochiKit anyway. The recommended "fix" would mean supporting some junk that's not JSON anymore. I've already caved and put said support on the trunk just so people would shut up about the issue, but I'm certainly not going to make a maintenance release to "fix" this non-issue. Ensuring that your server only sends JSON when properly authenticated, or otherwise sending only non-exploitable JSON (e.g. JSON with an object envelope) is the only solution to this problem. Only a very small subset of JSON, specifically [array, envelope, json] is susceptible to this data leakage attack. Don't send that stuff on the server-side, and there is no problem. Most people don't send array envelope JSON anyhow. Either way, totally irrelevant to the client-side. It's like saying that we should fix browsers so that they can't be used to mount a SQL injection attack on a poorly written service. -bob --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "MochiKit" group. To post to this group, send email to mochikit@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/mochikit?hl=en -~----------~----~----~----~------~----~------~--~---