Content-Length: 325492 | pFad | http://github.com/python/cpython/issues/125660

EC Python implementation of `json.loads()` accepts invalid unicode escapes · Issue #125660 · python/cpython · GitHub
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Python implementation of json.loads() accepts invalid unicode escapes #125660

Closed
nineteendo opened this issue Oct 17, 2024 · 6 comments
Closed

Python implementation of json.loads() accepts invalid unicode escapes #125660

nineteendo opened this issue Oct 17, 2024 · 6 comments
Labels
stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error

Comments

@nineteendo
Copy link
Contributor

nineteendo commented Oct 17, 2024
edited by serhiy-storchaka
Loading

Bug report

Bug description:

While reviewing #125652 and reading the documentation of int(), I realised this condition in json.decoder is insufficient:

cpython/Lib/json/decoder.py

Line 61 in f203d1c

if len(esc) == 4 and esc[1] not in 'xX': 

>>> import sys
>>> sys.modules["_json"] = None
>>> import json
>>> json.loads(r'["\u 000", "\u-000", "\u+000", "\u0_00"]')
['\x00', '\x00', '\x00', '\x00']

CPython versions tested on:

3.13

Operating systems tested on:

macOS

Linked PRs
@nineteendo nineteendo added the type-bug An unexpected behavior, bug, or error label Oct 17, 2024
@nineteendo
Copy link
Contributor Author

cc @serhiy-storchaka

@nineteendo
Copy link
Contributor Author

Maybe something like this? Although it might be a better idea to use a stricter function.

esc = s[end:end + 4].strip()
if "_" not in esc and len(esc) == 4 and esc[0] not in "+-" and esc[1] not in "xX":

@Eclips4 Eclips4 added the stdlib Python modules in the Lib dir label Oct 17, 2024
@serhiy-storchaka
Copy link
Member

Either this, or simply use regexp.

@nineteendo
Copy link
Contributor Author

Let's use a regex, unicode digits aren't allowed either:

>>> int("\uff10", 16)
0

@bedevere-app bedevere-app bot mentioned this issue Oct 18, 2024
Merged
@nineteendo
Copy link
Contributor Author

Could there be other code that suffers from this problem?

@taleinat
Copy link
Contributor

Could there be other code that suffers from this problem?

Possibly, but that's out of context for this issue. If someone finds such issues they should be reported separately.

serhiy-storchaka pushed a commit that referenced this issue Oct 18, 2024
@nineteendo
gh-125660: Reject invalid unicode escapes for Python implementation o…
df75136 
…f JSON decoder (GH-125683)
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 18, 2024
@nineteendo @miss-islington
pythongh-125660: Reject invalid unicode escapes for Python implementa…
025b9e8 
…tion of JSON decoder (pythonGH-125683)

(cherry picked from commit df75136)

Co-authored-by: Nice Zombies <nineteendo19d0@gmail.com>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 18, 2024
@nineteendo @miss-islington
pythongh-125660: Reject invalid unicode escapes for Python implementa…
49905fb 
…tion of JSON decoder (pythonGH-125683)

(cherry picked from commit df75136)

Co-authored-by: Nice Zombies <nineteendo19d0@gmail.com>
This was referenced Oct 18, 2024
Merged
Merged
serhiy-storchaka added a commit to serhiy-storchaka/cpython that referenced this issue Oct 19, 2024
@serhiy-storchaka
pythongh-125660: Enable setting persistent_id and persistent_load of …
322e2aa 
…pickler and unpickler

pickle.Pickler and pickle.Unpickler instances have now managed dicts.
Arbitrary instance attributes, including persistent_id and persistent_load,
can now be set.
@bedevere-app bedevere-app bot mentioned this issue Oct 19, 2024
Closed
serhiy-storchaka pushed a commit that referenced this issue Oct 21, 2024
@miss-islington @nineteendo
[3.13] gh-125660: Reject invalid unicode escapes for Python implement…
d9dafc7 
…ation of JSON decoder (GH-125683) (GH-125694)

(cherry picked from commit df75136)

Co-authored-by: Nice Zombies <nineteendo19d0@gmail.com>
serhiy-storchaka pushed a commit that referenced this issue Oct 21, 2024
@miss-islington @nineteendo
[3.12] gh-125660: Reject invalid unicode escapes for Python implement…
2746ec4 
…ation of JSON decoder (GH-125683) (GH-125695)

(cherry picked from commit df75136)

Co-authored-by: Nice Zombies <nineteendo19d0@gmail.com>
ebonnal pushed a commit to ebonnal/cpython that referenced this issue Jan 12, 2025
@nineteendo @ebonnal
pythongh-125660: Reject invalid unicode escapes for Python implementa…
a05b129 
…tion of JSON decoder (pythonGH-125683)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error
Projects
JSON issues
Status: Done
Milestone
No milestone
Development

No branches or pull requests
4 participants
@taleinat @serhiy-storchaka @nineteendo @Eclips4








ApplySandwichStrip

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier!      Saves Data!


--- a PPN by Garber Painting Akron. With Image Size Reduction included!

Fetched URL: http://github.com/python/cpython/issues/125660

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy