
Bug nr14 #24

Closed
wants to merge 77 commits into from

Conversation

dervism

@dervism dervism commented Sep 9, 2014

Added test class for verifying bug nr 14. Seems to be fixed. (Hackergarten Oslo)

kohsuke@unicorn and others added 30 commits December 2, 2007 21:02
… VerifyError if different versions of Groovy are used
kohsuke and others added 27 commits March 5, 2013 16:33
I consider it harmful that JSONUtils.quote() behaves differently when
the content of the string just so happens to look like a JavaScript
function.

While this behaviour is documented, I can't think of any valid use case
for this --- if you want to produce a JavaScript function, you should
have used a JSONFunction instance, not a String that looks like a
function.

With such content sniffing, a calling application cannot safely rely on
this function. In certain situations, this can be exploited as a
vulnerability when I'm building JSON based on user input.

The current behaviour also makes it impossible to generate valid JSON
such as {"a":"function { something that looks like function }"}

This patch corrects this behaviour. It is a compatibility-breaking
change, although I suspect hardly anyone would depend on this behaviour.
1. Upgraded dependencies to

 * groovy 2.1.1
 * commons-lang 2.6
 * junit 4.10

2. Exchange commons-logging for slf4j

3. Drop JDK3 branch, along with oro. JDK5 is the new baseline.
A bug like this seriously reduces my confidence in this library...
Upgrade Groovy, Junit and Slf4j dependencies to their latest versions
before merging code from jenkinsci/json-lib
Copyright notices were updated to current year
Removed e-mail from @author clause
Added sortPropertyNames to XMLSerializer to keep it in sync with what Jenkinsci expects,
however this setting is set to false by default (Jenkins requires it to be set to true)
JsonConfig.ignorePublicFields is set to false by default; Jenkins requires this to be set to true
 - reformat code and reapply license header
 - setup Gradle 2.0 build
 - rename package 'net.sf' to 'org.kordamp'
 - upgrade dependencies
Implemented list of elements which enforce creation of an array from
its children even if there are none, only one, or multiple elements with
different names in it.
In case of different names, information gets lost, but it will be done
with a log warning.
Exchanged slf4j test dependency to a test agnostic slf4j implementation
which allows us to actually check the log messages.
Fixed warning message not being logged.
@coveralls

Coverage Status

Changes Unknown when pulling 8a9bca6 on dervism:BugNr14 into * on aalmiray:master.

@aalmiray (Collaborator)

We can't take this PR as it includes more changes than the needed ones.

@aalmiray aalmiray closed this Dec 10, 2015

6 participants