From 0507dc38dc589e87bd8217ef78d3cddc2886597a Mon Sep 17 00:00:00 2001
From: alisdair sullivan
Date: Tue, 26 Jul 2011 13:34:15 -0700
Subject: [PATCH] error upon encountering escaped u+0000 to prevent malicious json

---
 src/jsx_decoder.hrl | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/jsx_decoder.hrl b/src/jsx_decoder.hrl
index 0a893fa..5bccbab 100644
--- a/src/jsx_decoder.hrl
+++ b/src/jsx_decoder.hrl
@@ -468,6 +468,10 @@ escaped_unicode(<>, Stack, Opts, String, [C, B, A])
 %% non-characters, you're not allowed to exchange these
 ; X when X == 16#fffe; X == 16#ffff ->
 {error, {badjson, <>}}
+ %% allowing interchange of null bytes allows attackers to forge
+ %% malicious streams
+ ; X when X == 16#0000 ->
+ {error, {badjson, <>}}
 %% anything else
 ; X ->
 string(Rest, Stack, Opts, <>)
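Review bot: The added `X when X == 16#0000` clause covers only the `\u0000` escape decoded in `escaped_unicode`; whether a raw 0x00 byte inside a string is also rejected is decided by clauses outside this hunk, and should be confirmed so the check is not partial. The commit changes only `src/jsx_decoder.hrl`, so no test pins the new rejection; a decoder test asserting that input containing `\u0000` yields `{error, {badjson, _}}` would guard it against regressions. The comment would help more if it named the risk, for example `%% reject u+0000: consumers that treat strings as nul-terminated can truncate the value`. Since `\u0000` is a legal escape in the JSON grammar, this strictness is a behaviour change worth stating in the user documentation. The enclosing function starts before and continues past the hunk.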