1601Re: [json] Re: JSON and the Unicode Standard
- Feb 26, 2011On Fri, Feb 25, 2011 at 8:01 PM, johne_ganz <john.engelhart@...> wrote:
> --- In email@example.com, Tatu Saloranta <tsaloranta@...> wrote:...
> I have not seen a JSON implementation / parser that does such normalization.Yes.
> On the other hand, I very strongly suspect that whether or not such normalization is taking place is not up to the writer of that parser. In
> my particular case (JSONKit, for Objective-C), I pass the parsed JSON String to the NSString class to instantiate an object.Ok. But in this case, would JSON specification itself help a lot? I
> I have ZERO control over what and how NSString interprets or manipulates the parsed JSON String that finally becomes the instantiated object that ostensibly the same as the original JSON String used to create it. It could be that NSString decides that the instantiated object is
> always converted to its precomposed form. Objective-C is flexible enough where someone might decide to swizzle in some logic at run time that forces all strings to be precomposed before being handed off to the main NSString instantiation method.
understand that this is problematic, in that different platforms can
choose different default (and possible opaque dealing).
> I don't have a particular opinion on the matter one way or the other other than to highlight the point that in many practical, real-world situations, whether or not such things take place may not be under the control of the JSON parser.Right. And if specification says nothing, it can uncover real
> I also suspect that it's one of those things that most people haven't really given a whole lot of consideration to- they just had the parsed string over to "the Unicode string handling code", and that's that. Most people may not realize that such string handling code may subtly alter the original Unicode text as a result (ala precomposing the string).
complexities and ambiguities.
>> to tackle such complexity). While it would seem wrong to punt theI would be interested in how you would see this leading to security
>> issue, there is the practical question of whether full solution would
> I can guarantee you that the practical question of whether a full solution would matter will be answered the first time someone exploits it in a security vulnerable way that results in a major security fiasco.
issues, outside of problems specific String handling on platforms has.
Or are you equally concerned in general about parser implementation
quality (which is understandable), above and beyond question of what
JSON specification says? At least to me it would seem more likely that
issues would be outside of realm of core specification itself.
> Then it will be with 20/20 hindsight, and the question will be "Why didn't anyone address (this behavior) that allowed two keys that were not bit for bit identical, but became identical after converting them to their precomposed form, and the security checks allowed theI can see how this can be problematic from side of applications that
> decomposed form through because it assumed that everything was in precomposed form?"
make assumptions on uniqueness. And also that it is important that
parsers will clearly define how they handle things -- not all parsers
necessarily even check for uniqueness for same byte patterns, much
less for normalization (and I think this is even allowed by the spec,
i.e. uniqueness checks are not mandated).
So in a way, it would be useful to have bit more concrete examples of
known practical issues. Links below may give some insight -- but it
would seem that they are typically platform specific. Which makes it
even harder to find shared solutions, or to recommend best practices.
> Unfortunately, the use of Unicode coupled with the fact that most JSON implementations are dependent on external code for their Unicode support means that this is an extremely non-trivial issue. I can't think of a simple solution to the problem at the moment, other than it exists....
> You really ought to read:Thank you. While I had heard about issues with request to
> Microsoft Security Bulletin (MS00-078): Patch Available for 'Web Server Folder Traversal' Vulnerability (http://www.microsoft.com/technet/security/bulletin/MS00-078.mspx, http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884)
> Creating Arbitrary Shellcode In Unicode Expanded Strings (http://www.net-security.org/article.php?id=144)
> There's a long history of "Those little Unicode details aren't really important" causing huge security problems later on.
non-canonical UTF-8 code sequences (which were discussed to have such
issues), I admit I had not heard much about issue regarding
-+ Tatu +-
- << Previous post in topic Next post in topic >>