This repository has been archived by the owner on Sep 19, 2018. It is now read-only.

Should there be any "validation" on the unicode escape characters in the JSONParser? #63

Closed
hitsvilleusa opened this issue Oct 28, 2015 · 4 comments

Comments

@hitsvilleusa
Contributor

I tried the following string in both Apple's parser and the JSONParser here "A\u0000B".

Apple's gives back the string: "AB"
BNR's gives back the string: "A"

Not sure which is right. Not sure if there is any security vulnerability with illegal unicode characters.

Simply wanted to document the difference.

@zwaldowski zwaldowski modified the milestone: Next Oct 30, 2015
@zwaldowski
Contributor

In this case, \u0000 is actually the null byte. Our use of String.withCString is causing this, and would naturally be mitigated if we even moved to a different method.

Other Unicode validation might be out-of-scope; however, the stdlib's public Unicode handling types do perform such validation.
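
An added illustration of the truncation discussed in the comment above, written in C rather than the project's Swift and not taken from the repository: a minimal `\uXXXX` decoder that tracks an explicit length, compared with what a NUL-terminated consumer sees in the same buffer. The function names are hypothetical, and the decoder is narrowed to `\uXXXX` escapes and literal bytes.

```c
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper: decode a JSON string body (text between the quotes)
 * into out as UTF-8. Only \uXXXX escapes and literal bytes are handled;
 * surrogates are rejected. Returns the byte length, or -1 on error. */
long decode_json_body(const char *in, unsigned char *out, size_t cap) {
    size_t n = 0;
    if (cap == 0) return -1;
    while (*in) {
        if (n + 4 > cap) return -1;            /* up to 3 bytes + terminator */
        if (*in != '\\') { out[n++] = (unsigned char)*in++; continue; }
        if (in[1] != 'u') return -1;
        unsigned cp = 0;
        for (int i = 2; i < 6; i++) {          /* stops at the first non-hex byte */
            int h = hexval(in[i]);
            if (h < 0) return -1;
            cp = (cp << 4) | (unsigned)h;
        }
        in += 6;
        if (cp >= 0xD800 && cp <= 0xDFFF) return -1;
        if (cp >= 0x800) out[n++] = (unsigned char)(0xE0 | (cp >> 12));
        else if (cp >= 0x80) out[n++] = (unsigned char)(0xC0 | (cp >> 6));
        if (cp >= 0x800) out[n++] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        out[n++] = (unsigned char)(cp < 0x80 ? cp : 0x80 | (cp & 0x3F));
    }
    out[n] = 0;
    return (long)n;
}

/* Length that a NUL-terminated (C string) consumer sees in the same buffer. */
size_t c_string_view_len(const unsigned char *buf) { return strlen((const char *)buf); }
/* Defensive check: 1 if the decoded value contains an embedded NUL. */
int has_embedded_nul(const unsigned char *buf, size_t len) { return memchr(buf, 0, len) != NULL; }

int main(void) {
    unsigned char buf[32] = {0};
    long n = decode_json_body("A\\u0000B", buf, sizeof buf); /* input from the issue */
    printf("decoded=%ld c_view=%zu nul=%d\n", n, c_string_view_len(buf), has_embedded_nul(buf, 3));
    return n == 3 ? 0 : 1;
}
```

A parser that carries the decoded length keeps all three bytes; any layer that re-reads the value as a C string sees only the first, so a check such as `has_embedded_nul` belongs at that boundary.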

@jgallagher jgallagher added bug and removed question labels Feb 1, 2016
@zwaldowski
Contributor

Loosely linked to #142 and all "not using withCString" issues.

@zwaldowski zwaldowski modified the milestones: Future, 2.1 Mar 23, 2016
@zwaldowski
Contributor

As such, punting from the 2.1 milestone. I don't trust building a new string parser right now; numbers is enough for one release.

@zwaldowski
Contributor

Closing due to inactivity and the general state of the repo.
