error upon encountering escaped u+0000 to prevent malicious json

2011-07-26 13:34:15 -07:00 · 2011-07-26 13:34:15 -07:00 · 0507dc38dc
commit 0507dc38dc
parent ed71ce7b7f
1 changed files with 4 additions and 0 deletions
--- a/src/jsx_decoder.hrl
+++ b/src/jsx_decoder.hrl
@ -468,6 +468,10 @@ escaped_unicode(<<D/?utfx, Rest/binary>>, Stack, Opts, String, [C, B, A])
        %% non-characters, you're not allowed to exchange these
        ; X when X == 16#fffe; X == 16#ffff ->
            {error, {badjson, <<D/?utfx, Rest/binary>>}}
+        %% allowing interchange of null bytes allows attackers to forge
+        %%   malicious streams
+        ; X when X == 16#0000 ->
+            {error, {badjson, <<D/?utfx, Rest/binary>>}}
        %% anything else
        ; X ->
            string(Rest, Stack, Opts, <<String/binary, X/utf8>>)