Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package perl-Cpanel-JSON-XS for
openSUSE:Factory checked in at 2026-06-10 16:14:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-Cpanel-JSON-XS (Old)
and /work/SRC/openSUSE:Factory/.perl-Cpanel-JSON-XS.new.2375 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-Cpanel-JSON-XS"
Wed Jun 10 16:14:39 2026 rev:44 rq:1358526 version:4.420.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-Cpanel-JSON-XS/perl-Cpanel-JSON-XS.changes
2026-06-05 17:45:25.062748039 +0200
+++
/work/SRC/openSUSE:Factory/.perl-Cpanel-JSON-XS.new.2375/perl-Cpanel-JSON-XS.changes
2026-06-10 16:18:49.492548348 +0200
@@ -1,0 +2,37 @@
+Mon Jun 8 09:55:43 UTC 2026 - Tina Müller <[email protected]>
+
+- updated to 4.420.0 (4.42)
+ see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes
+
+ 4.42 2026-06-27 (rurban)
+ - Ensure encode with a type spec hashref does not change the hashref
argument (GH #240)
+ - Fix -e docs: "written" → "read" (GH #239, reported by Ron Savage).
+ - Fix Boolean eq overload matching undef (GH #207, reported by fd-t).
+ Cpanel::JSON::XS::Boolean overloaded eq would match undef as equal
+ to false because undef stringifies to "". Added defined() guard.
+ - Fix error messages showing overloaded stringification for blessed
+ objects (GH #191, reported by karenetheridge). Error messages now
+ use ClassName=TYPE(addr) format, bypassing any "" overload.
+ - Fix type_all_string overriding allow_blessed/convert_blessed (GH
#175,
+ reported by alpha6). With type_all_string + allow_blessed, blessed
+ objects are now encoded as null (not stringified as HASH address).
+ - Fix infinite recursion when encode is called from a "" overload
+ (GH #128, reported by pbrthemaster). The recursion guard
temporarily
+ clears convert_blessed and allow_stringify flags on the JSON object
+ before calling the overload, preventing re-entrant encode loops.
+ - Fix $obj->new creating a broken object (GH #93, reported by
cpansprout).
+ When new() is called on an existing object (e.g. $json->new->new),
+ the class name is now extracted from the object's stash rather than
+ using the stringified reference.
+ - Change allow_nonref default to true (GH #241, matching JSON::PP and
+ JSON::XS 4.0+ and the insecure RFC 7159).
+ encode and decode now accept non-reference values by default.
+ decode_json() with an explicit 0/1 second argument still works.
+ allow_nonref(0) to disable scalars-only for secure JSON.
+ - Fix minor t/12_blessed.t typo.
+ - Fix GH #112: encode large whole-number NV values without .0 on
+ 32-bit Perl (values exceeding UV_MAX that Perl stores as float).
+ - Fix GH #197: prefer IOK over pNOK when encoding values where
+ IV is accurate but NV is imprecise (SvNOK not set).
+
+-------------------------------------------------------------------
Old:
----
Cpanel-JSON-XS-4.41.tar.gz
New:
----
Cpanel-JSON-XS-4.42.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ perl-Cpanel-JSON-XS.spec ++++++
--- /var/tmp/diff_new_pack.zEmw9q/_old 2026-06-10 16:18:50.632595591 +0200
+++ /var/tmp/diff_new_pack.zEmw9q/_new 2026-06-10 16:18:50.632595591 +0200
@@ -18,10 +18,10 @@
%define cpan_name Cpanel-JSON-XS
Name: perl-Cpanel-JSON-XS
-Version: 4.410.0
+Version: 4.420.0
Release: 0
-# 4.41 -> normalize -> 4.410.0
-%define cpan_version 4.41
+# 4.42 -> normalize -> 4.420.0
+%define cpan_version 4.42
License: Artistic-1.0 OR GPL-1.0-or-later
Summary: CPanel fork of JSON::XS, fast and correct serializing
URL: https://metacpan.org/release/%{cpan_name}
++++++ Cpanel-JSON-XS-4.41.tar.gz -> Cpanel-JSON-XS-4.42.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/.github/workflows/testsuite.yml
new/Cpanel-JSON-XS-4.42/.github/workflows/testsuite.yml
--- old/Cpanel-JSON-XS-4.41/.github/workflows/testsuite.yml 2026-05-27
20:00:10.000000000 +0200
+++ new/Cpanel-JSON-XS-4.42/.github/workflows/testsuite.yml 2026-06-06
15:29:25.000000000 +0200
@@ -22,7 +22,7 @@
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
- run: perl -V
- name: install cpan deps
- uses:
perl-actions/install-with-cpm@b7eeb5ea204d9c9bd434e01162ae97629cf7fa36 # v2.4
+ uses:
perl-actions/install-with-cpanm@0f3cc9bc0b055cc20750d218061ebbdebd101bb3 #
stable
with:
install: |
Data::Dumper
@@ -91,9 +91,8 @@
perl-version: ${{ matrix.perl-version }}
- run: perl -V
- name: install cpan deps
- uses:
perl-actions/install-with-cpm@b7eeb5ea204d9c9bd434e01162ae97629cf7fa36 # v2.4
+ uses:
perl-actions/install-with-cpanm@0f3cc9bc0b055cc20750d218061ebbdebd101bb3 #
stable
with:
- sudo: false
install: |
Data::Dumper
Devel::Peek
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/Changes
new/Cpanel-JSON-XS-4.42/Changes
--- old/Cpanel-JSON-XS-4.41/Changes 2026-05-27 20:00:10.000000000 +0200
+++ new/Cpanel-JSON-XS-4.42/Changes 2026-06-07 11:21:08.000000000 +0200
@@ -2,6 +2,37 @@
TODO: http://stevehanov.ca/blog/index.php?id=104 compression
+4.42 2026-06-27 (rurban)
+ - Ensure encode with a type spec hashref does not change the hashref
argument (GH #240)
+ - Fix -e docs: "written" → "read" (GH #239, reported by Ron Savage).
+ - Fix Boolean eq overload matching undef (GH #207, reported by fd-t).
+ Cpanel::JSON::XS::Boolean overloaded eq would match undef as equal
+ to false because undef stringifies to "". Added defined() guard.
+ - Fix error messages showing overloaded stringification for blessed
+ objects (GH #191, reported by karenetheridge). Error messages now
+ use ClassName=TYPE(addr) format, bypassing any "" overload.
+ - Fix type_all_string overriding allow_blessed/convert_blessed (GH
#175,
+ reported by alpha6). With type_all_string + allow_blessed, blessed
+ objects are now encoded as null (not stringified as HASH address).
+ - Fix infinite recursion when encode is called from a "" overload
+ (GH #128, reported by pbrthemaster). The recursion guard temporarily
+ clears convert_blessed and allow_stringify flags on the JSON object
+ before calling the overload, preventing re-entrant encode loops.
+ - Fix $obj->new creating a broken object (GH #93, reported by
cpansprout).
+ When new() is called on an existing object (e.g. $json->new->new),
+ the class name is now extracted from the object's stash rather than
+ using the stringified reference.
+ - Change allow_nonref default to true (GH #241, matching JSON::PP and
+ JSON::XS 4.0+ and the insecure RFC 7159).
+ encode and decode now accept non-reference values by default.
+ decode_json() with an explicit 0/1 second argument still works.
+ allow_nonref(0) to disable scalars-only for secure JSON.
+ - Fix minor t/12_blessed.t typo.
+ - Fix GH #112: encode large whole-number NV values without .0 on
+ 32-bit Perl (values exceeding UV_MAX that Perl stores as float).
+ - Fix GH #197: prefer IOK over pNOK when encoding values where
+ IV is accurate but NV is imprecise (SvNOK not set).
+
4.41 2026-05-27 (rurban)
- Fix BOM-shift PV-corruption SIGABRT (CVE-2026-9516) (patch by Paul
Johnson)
- Fix dupkeys_as_arrayref type confusion (CVE-2026-9334) (patch by
Paul Johnson)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/MANIFEST
new/Cpanel-JSON-XS-4.42/MANIFEST
--- old/Cpanel-JSON-XS-4.41/MANIFEST 2026-05-27 20:00:40.000000000 +0200
+++ new/Cpanel-JSON-XS-4.42/MANIFEST 2026-06-07 11:21:49.000000000 +0200
@@ -45,6 +45,7 @@
t/11_pc_expo.t
t/120_type_all_string.t
t/121_memleak.t
+t/122_type_encode.t
t/125_shared_boolean.t
t/12_blessed.t
t/13_limit.t
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/META.json
new/Cpanel-JSON-XS-4.42/META.json
--- old/Cpanel-JSON-XS-4.41/META.json 2026-05-27 20:00:40.000000000 +0200
+++ new/Cpanel-JSON-XS-4.42/META.json 2026-06-07 11:21:49.000000000 +0200
@@ -100,7 +100,7 @@
"url" : "https://github.com/rurban/Cpanel-JSON-XS";
}
},
- "version" : "4.41",
+ "version" : "4.42",
"x_contributors" : [
"Ashley Willis <[email protected]>",
"Chip Salzenberg <[email protected]>",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/META.yml
new/Cpanel-JSON-XS-4.42/META.yml
--- old/Cpanel-JSON-XS-4.41/META.yml 2026-05-27 20:00:39.000000000 +0200
+++ new/Cpanel-JSON-XS-4.42/META.yml 2026-06-07 11:21:48.000000000 +0200
@@ -48,7 +48,7 @@
bugtracker: https://github.com/rurban/Cpanel-JSON-XS/issues
license: http://dev.perl.org/licenses/
repository: https://github.com/rurban/Cpanel-JSON-XS
-version: '4.41'
+version: '4.42'
x_contributors:
- 'Ashley Willis <[email protected]>'
- 'Chip Salzenberg <[email protected]>'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/README
new/Cpanel-JSON-XS-4.42/README
--- old/Cpanel-JSON-XS-4.41/README 2026-05-27 20:00:43.000000000 +0200
+++ new/Cpanel-JSON-XS-4.42/README 2026-06-07 11:21:52.000000000 +0200
@@ -230,12 +230,12 @@
3.0116 and JSON::XS did not set allow_nonref but allowed them due to
a bug in the decoder.
- If the new 2nd optional $allow_nonref argument is set and not false,
- the "allow_nonref" option will be set and the function will act is
- described as in the relaxed RFC 7159 allowing all values such as
- objects, arrays, strings, numbers, "null", "true", and "false". See
- ""OLD" VS. "NEW" JSON (RFC 4627 VS. RFC 7159)" below, why you don't
- want to do that.
+ Since version 4.42, "allow_nonref" is enabled by default, matching
+ JSON::XS 4.0+. The 2nd optional $allow_nonref argument can be set to
+ false (0) to disable it. When enabled, the function accepts all JSON
+ values: objects, arrays, strings, numbers, "null", "true", and
+ "false". See ""OLD" VS. "NEW" JSON (RFC 4627 VS. RFC 7159)" for why
+ you might not want this.
For the 3rd optional type argument see Cpanel::JSON::XS::Type.
@@ -709,16 +709,19 @@
null JSON value, which is an extension to RFC4627. Likewise,
"decode" will accept those JSON values instead of croaking.
- If $enable is false, then the "encode" method will croak if it isn't
- passed an arrayref or hashref, as JSON texts must either be an
- object or array. Likewise, "decode" will croak if given something
- that is not a JSON object or array.
-
- Example, encode a Perl scalar as JSON value with enabled
- "allow_nonref", resulting in an invalid JSON text:
-
- Cpanel::JSON::XS->new->allow_nonref->encode ("Hello, World!")
- => "Hello, World!"
+ This option is now enabled by default (since version 4.42), matching
+ the behavior of JSON::XS 4.0+ and the broken RFC 7159. JSON texts
+ consisting of a bare scalar (string, number, "true", "false",
+ "null") are accepted by "encode" and "decode" without explicitly
+ requesting it. If you need strict RFC 4627 compliance, you must
+ explicitly disable it:
+
+ Cpanel::JSON::XS->new->allow_nonref(0);
+
+ When disabled, "encode" will croak if it isn't passed an arrayref or
+ hashref, as JSON texts must either be an object or array. Likewise,
+ "decode" will croak if given something that is not a JSON object or
+ array.
$json = $json->allow_unknown ([$enable])
$enabled = $json->get_allow_unknown
@@ -774,6 +777,12 @@
of used Perl version and other modules, but do not want to write
complicated type definitions for Cpanel::JSON::XS::Type.
+ When combined with "allow_blessed" and/or "convert_blessed", blessed
+ objects are handled by those options first, not stringified by
+ "type_all_string". For example, with "allow_blessed +
+ type_all_string", blessed objects are encoded as the JSON value
+ "null" (not "null").
+
$json = $json->allow_dupkeys ([$enable])
$enabled = $json->get_allow_dupkeys
If $enable is true (or missing), then the "decode" method will not
@@ -2086,43 +2095,54 @@
Mojo::JSON special escape rules to prevent from XSS attacks.
"OLD" VS. "NEW" JSON (RFC 4627 VS. RFC 7159)
- TL;DR: Due to security concerns, Cpanel::JSON::XS will not allow scalar
- data in JSON texts by default - you need to create your own
- Cpanel::JSON::XS object and enable "allow_nonref":
-
- my $json = JSON::XS->new->allow_nonref;
-
- $text = $json->encode ($data);
- $data = $json->decode ($text);
+ Note: Since version 4.42, Cpanel::JSON::XS defaults to the broken RFC
+ 7159 behavior (like JSON::XS 4.0+), accepting scalar top-level JSON
+ values without requiring "allow_nonref". This was done for compatibility
+ with the larger Perl JSON ecosystem, despite the security concerns
+ outlined below.
+
+ If you rely on the old strict behavior, explicitly disable it:
+
+ my $json = Cpanel::JSON::XS->new->allow_nonref(0);
+
+ The rationale for the original (pre-4.42) default, and the reason you
+ might want to keep it off, follows:
+
+ TL;DR: The original JSON RFC 4627 required JSON texts to be arrays or
+ objects. The IETF later standardized a broken revision (RFC 7159) that
+ allows bare scalars at top-level, opening a class of protocol confusion
+ attacks.
The long version: JSON being an important and supposedly stable format,
the IETF standardized it as RFC 4627 in 2006. Unfortunately the inventor
of JSON Douglas Crockford unilaterally changed the definition of JSON in
javascript. Rather than create a fork, the IETF decided to standardize
- the new syntax (apparently, so I as told, without finding it very
+ the new syntax (apparently, so I was told, without finding it very
amusing).
The biggest difference between the original JSON and the new JSON is
that the new JSON supports scalars (anything other than arrays and
objects) at the top-level of a JSON text. While this is strictly
- backwards compatible to older versions, it breaks a number of protocols
- that relied on sending JSON back-to-back, and is a minor security
+ backwards compatible the top-level of a JSON text. While this is
+ supposedly backwards compatible to older versions, it breaks a number of
+ protocols that relied on sending JSON back-to-back, and is a security
concern.
For example, imagine you have two banks communicating, and on one side,
the JSON coder gets upgraded. Two messages, such as 10 and 1000 might
- then be confused to mean 101000, something that couldn't happen in the
+ then be confused to mean 101000, something that could not happen in the
original JSON, because neither of these messages would be valid JSON.
If one side accepts these messages, then an upgrade in the coder on
either side could result in this becoming exploitable.
- This module has always allowed these messages as an optional extension,
- by default disabled. The security concerns are the reason why the
- default is still disabled, but future versions might/will likely upgrade
- to the newer RFC as default format, so you are advised to check your
- implementation and/or override the default with "->allow_nonref (0)" to
- ensure that future versions are safe.
+ The IETF's own I-JSON profile (RFC 7493, also edited by Tim Bray who
+ authored RFC 7159) acknowledges this mistake: Section 4.1 states that
+ "there are software implementations, coded to the older specification
+ [RFC4627], which only accept JSON objects or JSON arrays at the top
+ level of JSON texts. For maximum interoperability with such
+ implementations, protocol designers SHOULD NOT use top-level JSON texts
+ that are neither objects nor arrays."
THREADS
Cpanel::JSON::XS has proper ithreads support, unlike JSON::XS. If you
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/SIGNATURE
new/Cpanel-JSON-XS-4.42/SIGNATURE
--- old/Cpanel-JSON-XS-4.41/SIGNATURE 2026-05-27 20:00:41.000000000 +0200
+++ new/Cpanel-JSON-XS-4.42/SIGNATURE 2026-06-07 11:21:50.000000000 +0200
@@ -16,75 +16,76 @@
SHA256 aac2b4bbaa7b93eaf72300f60e167a17e05adcd721087f735ba55d2900f31490
.appveyor.yml
SHA256 082201a3cbd62a55f2e58ffbb991c4b2bb806de0009bc9497ffcc07202f60855
.github/FUNDING.yml
-SHA256 a7081377424ff33494fd0e7fad1ce807657b29794dcca9dd238f30465579dad1
.github/workflows/testsuite.yml
+SHA256 11fc0845019f9b726678214fd5518ca540bd1e29d0c888273b3130064c49058c
.github/workflows/testsuite.yml
SHA256 a3c34aba52e269e6cec558ecf9cff393138574189fdff26b183bee9cc2e0434f
.travis.yml
SHA256 c3f2a1a4f66382f796f71a571946722edba53cf3238152b26fd325f4c2f1a20f
.whitesource
SHA256 8de3540a3cd7ecc9a9dcb48975fe852c082fe17d4462f87bb72aa7cc47f083ad COPYING
-SHA256 5f125d9df9f2de624ecb1de0f26f820e4b940c78d4fbbb52a22c849e57740e2e Changes
-SHA256 a5378ebe65273d49047a21e94af087f70a303793ffed2a695c800ed965ac185d
MANIFEST
-SHA256 2a1d33955bd96ad9effd5f0ec39d589ecb51b0c08a11c196567979ca8a85899e
META.json
-SHA256 f7714a74c855e188aa85d5422a1438ff469796876a833a128cea8661684f641f
META.yml
+SHA256 be3f388b6a8bf299a8271f167c2615d6a9005b8eb7784af54a9e2df7be5eebe2 Changes
+SHA256 b3cb3d4cd7c060581c927563a6663c0a516b215d3b5ee073f1201f851e6d2733
MANIFEST
+SHA256 0a6b0cfda6d774d4636375bd10079a7370c8880b2d75836661b4dffb94182aec
META.json
+SHA256 65076dc85812420d68b64ca256162ba9376528f6cef4c86d1c538c4bb184a7ef
META.yml
SHA256 0fc7078919ff510137a654acc66bd68c971786cafd8ee621afae6d99321df4bb
Makefile.PL
-SHA256 c62f5a06dffaa850fe7d55cad1c5ce3fbdb5504031b73b6043aa2974708c9293 README
-SHA256 e7b813bc4beea51b9ad2bb35c5a97f22f103b01d1274e6f1b5b03711e857e927 XS.pm
-SHA256 1fd3cedb5e734964e9410b452c50858df494924994fcee092f0921e13aea6766 XS.xs
+SHA256 1d2228bc44b3a5ce3b156511447b8b7086db6f5e926c6903bd550716a40a301e README
+SHA256 98c79493c7b5c6f046d05d818dffbd736be66f84dcfc3b278d2a9a906595e14d XS.pm
+SHA256 18747e9d9bd2b3c5bb514e5b63dbf0e16b89a992399290aede2ca9a94c099bc1 XS.xs
SHA256 c95e4b970183cbd6d1ec9c88c37a80f12bd2b66ed6be3c008ffd578d2f622c01
XS/Boolean.pm
SHA256 20596259e7e399ed1984a469a9a907be878499406d5285a11f1ab98f93aff44f
XS/Type.pm
-SHA256 2f34a530b7ce981b0df9aacd2b6944ccf74c4a7f8bb49fde57b342663e7feb26
bin/cpanel_json_xs
+SHA256 adca185de1f64d9861a3863ce44a3c3ac33fa478b0cb56a0aa309b8e40bcb577
bin/cpanel_json_xs
SHA256 0d188abe82c2270e7bc5fc21de1d8210bfc52118a834b22592781bb2879a6065
eg/bench
SHA256 3290077eba2e57ff1d2bf46c2a7d34a3b9c7f9b24fe517a3943430f5720da95f
ppport.h
-SHA256 8bd5ef4d15ed3a9b2e641cc04549d6eed1532c86bba907e2b035d80c8dd5ac2c
t/00_load.t
-SHA256 0cefac61a4f61481fb66be51997b99b0e6da84f62b4976686d9ef87284ca5378
t/01_utf8.t
-SHA256 03fc2d9f0c948bba46a1d3b6ee6b5ebae233341fc4a9a70b03acd34d93c3b8c3
t/02_error.t
-SHA256 e02e3fc388734af0fb8f7b8c8ebe4163ba4cfe5db94cc46b67776db0774ac716
t/03_types.t
-SHA256 36a9a87f4e143077195add1e8d931ff49d7e71f93f66326def22703158c268e1
t/04_dwiw_encode.t
-SHA256 9317a15e310457888e161acc67abf0ac62b54b5bcbcdedcdcf5b48f90b19081f
t/05_dwiw_decode.t
+SHA256 78af8a6467f6c970c3a91a95827dfa64c4be5d602a9c38f6d37ed8c4b1f18c31
t/00_load.t
+SHA256 d35157f392fefb187cbe7d1be5274b39d0a699c7f19d9b4cca4a2e4ed32cb0bd
t/01_utf8.t
+SHA256 5b175ad638ff7c88ecaabc0a8b33175301e674a805338076b53a5421eea5804d
t/02_error.t
+SHA256 9d5f532b012e5b0d78a7525bf5a3bd8917bc2546065d470418e2f2c40fe49793
t/03_types.t
+SHA256 992b4d79acd02c01f6d85ce84e1e3f9cf50a329458e39a146d795862aeee6a2d
t/04_dwiw_encode.t
+SHA256 1733948cc557aee7f5bbc9bf14ca903f7dc85521227632dcfa23074e6905201c
t/05_dwiw_decode.t
SHA256 bb0e3fd5284ef5736559dc2331692d1876f92256735662f170b7b6dc00d5b2a2
t/06_pc_pretty.t
SHA256 96001d4b9c784e7f353c4ddbe673846a463166b7d6450d917003d12eaeee0eaf
t/07_pc_esc.t
SHA256 152905d54a0522b2a0b5da857ce79464f681a41bd44631449f8a054e1479d17c
t/08_pc_base.t
SHA256 a1f1a89222f579fa314afe34709cd6c948cc97581eedda63041bf66a71ad03d2
t/08_pc_base_nv.t
SHA256 e88b03d3c8c5c85d4fc2c086848efd7d0fd7b69f839cf0936a698af77a7a59b8
t/09_pc_extra_number.t
SHA256 f177821982876d02403298d44ffe4e2193fdcd70b76da252b055f3eab8dd3cdf
t/104_sortby.t
-SHA256 e8bf435b08bfd00e6ab7f278c6ce68ef8691011b80615fa372961f2d807f5c76
t/105_esc_slash.t
+SHA256 0867a9d5507c842040ba60b056259c68794c98db747188aa76dcf6667888099e
t/105_esc_slash.t
SHA256 d633b016ec1e792b84d4f53ac75166953a95298328185aaa08932dc7236a929b
t/106_allow_barekey.t
SHA256 16f34295a33f59b8fe7a4f70b701df03fc866d77eac300ca0503a98875675569
t/107_allow_singlequote.t
SHA256 f2047975a3b8392feb6a87d782ecc7746ae2117bde57f716cc90877c8850f2e0
t/108_decode.t
-SHA256 e6f7738431bc8d77ad0b8ad2db9ab54426f7bbc86eb5f5794b1a4616f454baef
t/109_encode.t
+SHA256 04e9e642b5cd82bc0504c1d91493ff09bbe04b9aa23c3019a6397caf1fc0a035
t/109_encode.t
SHA256 d6c467d647ab46c64734d6c6913ff262e854e00073a804da186caf894c5367d0
t/10_pc_keysort.t
-SHA256 f2c74f93ce4ab2aa6cc882d15cc670d34ad85efb859b8f57cfa0718b735e60d2
t/110_bignum.t
-SHA256 9c6d125de04ea14d24bbc96aafcbe8fbad75811ce4bf4e4d2d569eee8f195de0
t/112_upgrade.t
+SHA256 cff5fcdf23f8f9426609dac5eaa14b295489e2b3fe86bccc9355a39b2e390ec9
t/110_bignum.t
+SHA256 1a70755f6fd2b222ed65828d73d4bdfffed82f0d19c81b64ad3888f06ff399f6
t/112_upgrade.t
SHA256 b207546715e27fe738f448fb0e1087b73bfd2a002c0254f656e6b4d47e154f58
t/113_overloaded_eq.t
-SHA256 89a6817b7b7ad584200b65c4b17e0c3960637162308d7bfd6d74756754235cc5
t/114_decode_prefix.t
+SHA256 8c041a994fc0321eab07b96cfabeecdd0b22c9f057b8667af461c0d4d4c102fe
t/114_decode_prefix.t
SHA256 d8fc2223d440343e68c2c4bb0a62b191c468f9c42b4ef0a361219baf9449b36a
t/115_tie_ixhash.t
-SHA256 5a7c6c338b74f6f272510723f0605d09c16deba3922e2b29cb4b057d5d6b2bc4
t/116_incr_parse_fixed.t
-SHA256 cd69ce6908281737a22df45ce40e0cca3080312faa666ef68701c33fefc145c9
t/117_numbers.t
-SHA256 34a7fd54a9c17af5bc643bf237d334b9f664c4af9fc699e8af2d6347696ef13e
t/118_type.t
-SHA256 5f4f0f1d4221f5b5c28c1988f4d127462a42f36ae82fedd7319c8e0fbfbd57eb
t/119_type_decode.t
+SHA256 93fd32735bec654c526f9d7ae3678b0994da3b386306853fe21f34b1598d9f14
t/116_incr_parse_fixed.t
+SHA256 db54ca228feb7dae1cc9e2f7ad4e1008d7d8f7a052fc0c436086e58f8e3c8954
t/117_numbers.t
+SHA256 de74476296a8ce0257cfab6da68a8f3d4cfb54c5a2d4b1b51365b0d81ebe091f
t/118_type.t
+SHA256 9b0f6cce174b4c9ace55baf6ab6a53fe4b5f9c7f4b3f656e0385d992a3374208
t/119_type_decode.t
SHA256 8f0f898f0499424740eea5e2537e97faee949b1e3981a1588b1a61645d942d3c
t/11_pc_expo.t
-SHA256 5b27401bd1e20eeabdff15e9453d67806bba74ccd6a9f4d1d934a25e8126e0f3
t/120_type_all_string.t
+SHA256 9cef49b9e6cd44488a7dc3764b44050ba181fde28232084728f5177cecb18f53
t/120_type_all_string.t
SHA256 af3adbcc14e32df9fc2ef3f9a1502c1335a9e2da36ac54119be1f98fcabb4264
t/121_memleak.t
+SHA256 0428c42253adc3c97629cdd40425b63d609831b9003f62b0e1e5937d5d362096
t/122_type_encode.t
SHA256 782bc33e7b6e46d42a168713b0828db134c7885f67fdd35ac53619ba6476aef6
t/125_shared_boolean.t
-SHA256 a1249dee56939f6577f385b1b5942f57009f1b5bd1d785616bc62802146f41ec
t/12_blessed.t
+SHA256 38e4b3a53ab2e489dbfea7acb1dfec08c1b5526d2537bf378846f9e98388ce4f
t/12_blessed.t
SHA256 43a8dfc79182d0ea1462e9266bad1197bc172a9698c0fd002a8e9b0324112ca7
t/13_limit.t
-SHA256 99275341c61a98875e26651c858941a299bf6a6fb99a2d60e04d22395b69e3fb
t/14_latin1.t
-SHA256 7fb98299aabdc98c4e83404d8fb663d357f815d8dc524406c79b1fd1827531e4
t/15_prefix.t
+SHA256 5500fcc9758d70d2c072957a5ac8829a879f648039e5d2f8502c2dc284989c54
t/14_latin1.t
+SHA256 158b26605aebe84ab173858394924a04c20c2f8d69174d70c4f82ae52e403c5a
t/15_prefix.t
SHA256 4f73fcceb31cfb06ac5110ec89107cc14302905061d28b0700d4673f654d5592
t/16_tied.t
SHA256 398e5ff51603a52de901f4c1934265601e226d05b88ac604dcd9e9d179a0344f
t/17_relaxed.t
-SHA256 1585a6aecec5c73b7a6f70982b3bcc1edc1d63ca55467223ab0d6f0956254bc4
t/18_json_checker.t
-SHA256 d89efdc36f0e1b2be955c91f320ef73cebb9aa9bc63b0b309e31ed58590cf0ae
t/19_incr.t
-SHA256 dde73ed3cfc0e28d064f61fc08871accf88b780aee06a3cb0040f59f04c1ff36
t/20_faihu.t
+SHA256 743cb701d822ce3f3700f63665b3abb02933d6427dec056dc241826a12fe9304
t/18_json_checker.t
+SHA256 7b7262faaeff86f1b5a409bffda2804e601f2a8ab5ff56ac84e370408937e356
t/19_incr.t
+SHA256 41d4f29a28cb48f91b67b35adbd363e83dfdea0535701fdf0a19e79aa1334e4a
t/20_faihu.t
SHA256 56e11977ce3d544f8c8e62a38cbcc4f58f7f1d53b71918f803536acd62122713
t/20_unknown.t
SHA256 388f8e0f0e41c9921aedc67313f8b89bdd08b95ced0dba242986d3b76d9a1688
t/21_evans.t
SHA256 3da823eab55abb6dca05e8bc6111d3b59ea18c4ee270baf6413d9a45042ff48c
t/22_comment_at_eof.t
SHA256 2a6506fb07b27b1fef52b251d3876d23bd572596ff487d37c2f6597be554836c
t/23_array_ctx.t
SHA256 a8dfccba0b60b0fc91812fcfd96656e993abb74970509926d738c67a58641f01
t/24_freeze_recursion.t
-SHA256 d6e46428bf221ea9bca6f8c0a9d14ee76305d91e01d9946b570aac125d392ba8
t/25_boolean.t
+SHA256 837c64db6b940db32545072b17fc9a97dff6b8feaa832db1cb316b537e18595c
t/25_boolean.t
SHA256 9f6e48c5519a1fcf8be484e8c231138b66054027ac9bdca7c97672864a13db35
t/26_duplicate.t
-SHA256 814438975ce229d4ff0deb6a9aef967b7f088e03894b8b8e6ca1ccfb6d953117
t/30_jsonspec.t
-SHA256 bf3103d7dcb5e6fe0603d9ab640c51652eb1c41393a9b5fc06db80b6ae7a5c95
t/31_bom.t
-SHA256 59c743137453c8c4e9e785a15dcd057b0209d5ce160d683d7ab416dc37a92b6d
t/52_object.t
+SHA256 6ce5e7e4851a2ce50ed38799428cdf89e4580a8cd2287770e46521163e493188
t/30_jsonspec.t
+SHA256 6bc069d1999c995c1b1216f5b69572c0d83057ba46dfea752010306892b9df39
t/31_bom.t
+SHA256 f033138e5d385ef641160d251333a8dbd34292a52eca088da6b18f377c9c2917
t/52_object.t
SHA256 3b9ce402e2d0cae8a525df4beca05f2656ba5cf02b074d02fd690fe97773d2d7
t/53_readonly.t
-SHA256 a08be137b59c9cd58410bc41969e1e9e9fa2159469523394b6bfd0c798c00908
t/54_stringify.t
+SHA256 d605b2b61ebc82842ea9f1adfd3f6d8f37079c7b2519a770b928aa5fdc9bcac0
t/54_stringify.t
SHA256 f542b8cfd2bee5ab9ae92dd042e3bbf68a968ae959d0eeada43cd5cd53c8337a
t/55_modifiable.t
SHA256 7e825a17dc348ddee2b61e686a670115c31d80f372a7614e27811b9f3d795c79
t/96_interop.t
SHA256 f720857c5fb03c62aab4765610ab05326e5139505f823400605abaebedffeb32
t/96_interop_pp.t
@@ -446,15 +447,15 @@
SHA256 aca6f846869ab2e4881e807739086e1535b1438bd0e23d7a021360742736a6a9
xt/pod.t
-----BEGIN PGP SIGNATURE-----
-iQGzBAEBAwAdFiEEOKQWew22nknF9yFsuMKIZqsnp6IFAmoXMUkACgkQuMKIZqsn
-p6IH/AwAlP87Q9QalXZtyOrJ6NegS/x+OwWp6/GprVe4mp9Mqosy9WEfcjf2zt6v
-0qEHQSYW3UOxTg0pjcM4Aw/wJWWDZzZRn9EsSnX2Gc2OJOJdQyfobYQgMOFxdni+
-T9xuHGpjtwsqk2oOzRVptrXa1bxTfWn0AJgHc3VAj+m3J3wk7mA3amd7a+5J+bL/
-dR2tq6iAEgPzjplwzytHkfPyXH3YdePXSM7xbzT5agzxgxZKiol6mwwLPwZe24x+
-xf67L9ksOY8dZzKMb/cQW/1CjoqJzwobxMNfBk5+PG8FBa9npPSvModkdI3Ty4Rh
-DL7GB7AIyhyDp0aSFrfpEdhsoySJK6m1rfRdk5qpYZaSdC8XY5MtD2a/eP747Jw0
-yy5rx7h1UqOuZipxd+7BW4izyas9FW37o/AEQHAv8AWN0MYTdq38e2W7qLjRb+Bb
-/ShHY3PdwkWOsEsfm1hj08LTEMLY/6LksSEqSZuTGivPsI4PT3s/jQQ+BldhIXRv
-yn0x3SIH
-=PtUe
+iQGzBAEBAwAdFiEEOKQWew22nknF9yFsuMKIZqsnp6IFAmolOC0ACgkQuMKIZqsn
+p6LSyQv9H+GPhI81DIDX0C6GieBRaI5mKvnNoU7Q2F3w1aPEQ7M7E/nOwX7baRE0
+wD5A4Vydz9+I2GkbL1SscYxe1VPxSIRelM5tvPg+Fo4E/8Ibapg8kE+CywmhHg3L
+rWPqz2FKZ71fBveqw68EXHJg5Rzie49skPuGeFtJn14ewEhT9+sUVPzJLqdS3t1x
+vou+morsrkP63A0BJIwW/nU/nxmDaDWenybiSxL7IEnD9rxaINa4NY0+WlnCZUME
+o/RUwlLsSLOWv7Gk9bT8eATaoDhIsEXVPzAhnbdWvBx7mtCJnGcsWkaoeyYT/sFm
+MIZPZwkMaMjUupAcaPxvW0cpasd2P+5sRSKRELH2lyAFQiYvOe3vuUBeJInKgeVe
+Dk3ly9qgRmjwA4EfoYTLCa62y+KQGacPEqEv4XiqqSDhD6Sm9GIEcSuxaabBV+Zr
+43AVVdtI3FTm0L/degYenEfBbglUg8EGEjLx05EoRL8sWkv0jgXL2qkj8xJyCH0v
+iOk3irH+
+=mtDd
-----END PGP SIGNATURE-----
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/XS.pm
new/Cpanel-JSON-XS-4.42/XS.pm
--- old/Cpanel-JSON-XS-4.41/XS.pm 2026-05-27 20:00:10.000000000 +0200
+++ new/Cpanel-JSON-XS-4.42/XS.pm 2026-06-06 17:01:47.000000000 +0200
@@ -1,5 +1,5 @@
package Cpanel::JSON::XS;
-our $VERSION = '4.41';
+our $VERSION = '4.42';
our $XS_VERSION = $VERSION;
# $VERSION = eval $VERSION;
@@ -278,12 +278,12 @@
3.0116 and JSON::XS did not set allow_nonref but allowed them due to a
bug in the decoder.
-If the new 2nd optional $allow_nonref argument is set and not false, the
-C<allow_nonref> option will be set and the function will act is described
-as in the relaxed RFC 7159 allowing all values such as objects,
-arrays, strings, numbers, "null", "true", and "false".
-See L</"OLD" VS. "NEW" JSON (RFC 4627 VS. RFC 7159)> below, why you don't
-want to do that.
+Since version 4.42, C<allow_nonref> is enabled by default, matching
+JSON::XS 4.0+. The 2nd optional C<$allow_nonref> argument can be set
+to false (C<0>) to disable it. When enabled, the function accepts all
+JSON values: objects, arrays, strings, numbers, C<null>, C<true>, and
+C<false>. See L</"OLD" VS. "NEW" JSON (RFC 4627 VS. RFC 7159)> for
+why you might not want this.
For the 3rd optional type argument see L<Cpanel::JSON::XS::Type>.
@@ -823,16 +823,17 @@
JSON value, which is an extension to RFC4627. Likewise, C<decode> will
accept those JSON values instead of croaking.
-If C<$enable> is false, then the C<encode> method will croak if it isn't
-passed an arrayref or hashref, as JSON texts must either be an object
-or array. Likewise, C<decode> will croak if given something that is not a
-JSON object or array.
-
-Example, encode a Perl scalar as JSON value with enabled C<allow_nonref>,
-resulting in an invalid JSON text:
-
- Cpanel::JSON::XS->new->allow_nonref->encode ("Hello, World!")
- => "Hello, World!"
+B<This option is now enabled by default> (since version 4.42), matching
+the behavior of JSON::XS 4.0+ and the broken RFC 7159. JSON texts
+consisting of a bare scalar (string, number, C<true>, C<false>, C<null>)
+are accepted by C<encode> and C<decode> without explicitly requesting it.
+If you need strict RFC 4627 compliance, you must explicitly disable it:
+
+ Cpanel::JSON::XS->new->allow_nonref(0);
+
+When disabled, C<encode> will croak if it isn't passed an arrayref or
+hashref, as JSON texts must either be an object or array. Likewise,
+C<decode> will croak if given something that is not a JSON object or array.
=item $json = $json->allow_unknown ([$enable])
@@ -894,6 +895,11 @@
Perl version and other modules, but do not want to write complicated type
definitions for L<Cpanel::JSON::XS::Type>.
+When combined with L</allow_blessed> and/or L</convert_blessed>, blessed
+objects are handled by those options first, B<not> stringified by
+C<type_all_string>. For example, with C<allow_blessed + type_all_string>,
+blessed objects are encoded as the JSON value C<null> (not C<"null">).
+
=item $json = $json->allow_dupkeys ([$enable])
=item $enabled = $json->get_allow_dupkeys
@@ -2285,43 +2291,52 @@
=head1 "OLD" VS. "NEW" JSON (RFC 4627 VS. RFC 7159)
-TL;DR: Due to security concerns, Cpanel::JSON::XS will not allow
-scalar data in JSON texts by default - you need to create your own
-Cpanel::JSON::XS object and enable C<allow_nonref>:
-
-
- my $json = JSON::XS->new->allow_nonref;
-
- $text = $json->encode ($data);
- $data = $json->decode ($text);
+B<Note: Since version 4.42, Cpanel::JSON::XS defaults to the broken RFC
+7159 behavior> (like JSON::XS 4.0+), accepting scalar top-level JSON values
+without requiring C<allow_nonref>. This was done for compatibility with the
+larger Perl JSON ecosystem, despite the security concerns outlined below.
+
+If you rely on the old strict behavior, explicitly disable it:
+
+ my $json = Cpanel::JSON::XS->new->allow_nonref(0);
+
+The rationale for the original (pre-4.42) default, and the reason you might
+want to keep it off, follows:
+
+TL;DR: The original JSON RFC 4627 required JSON texts to be arrays or
+objects. The IETF later standardized a broken revision (RFC 7159) that
+allows bare scalars at top-level, opening a class of protocol confusion
+attacks.
The long version: JSON being an important and supposedly stable format,
the IETF standardized it as RFC 4627 in 2006. Unfortunately the inventor
of JSON Douglas Crockford unilaterally changed the definition of JSON in
javascript. Rather than create a fork, the IETF decided to standardize the
-new syntax (apparently, so I as told, without finding it very amusing).
+new syntax (apparently, so I was told, without finding it very amusing).
The biggest difference between the original JSON and the new JSON is that
the new JSON supports scalars (anything other than arrays and objects) at
the top-level of a JSON text. While this is strictly backwards compatible
+the top-level of a JSON text. While this is supposedly backwards compatible
to older versions, it breaks a number of protocols that relied on sending
-JSON back-to-back, and is a minor security concern.
+JSON back-to-back, and is a security concern.
For example, imagine you have two banks communicating, and on one side,
the JSON coder gets upgraded. Two messages, such as C<10> and C<1000>
-might then be confused to mean C<101000>, something that couldn't happen
+might then be confused to mean C<101000>, something that could not happen
in the original JSON, because neither of these messages would be valid
JSON.
If one side accepts these messages, then an upgrade in the coder on either
side could result in this becoming exploitable.
-This module has always allowed these messages as an optional extension, by
-default disabled. The security concerns are the reason why the default is
-still disabled, but future versions might/will likely upgrade to the newer
-RFC as default format, so you are advised to check your implementation
-and/or override the default with C<< ->allow_nonref (0) >> to ensure that
-future versions are safe.
+The IETF's own I-JSON profile (RFC 7493, also edited by Tim Bray who
+authored RFC 7159) acknowledges this mistake: Section 4.1 states that
+"there are software implementations, coded to the older specification
+[RFC4627], which only accept JSON objects or JSON arrays at the top
+level of JSON texts. For maximum interoperability with such
+implementations, protocol designers SHOULD NOT use top-level JSON
+texts that are neither objects nor arrays."
=head1 THREADS
@@ -2379,15 +2394,19 @@
&overload::unimport( 'overload', '""', 'eq', 'ne' );
&overload::import( 'overload',
'""' => sub { ${$_[0]} == 1 ? '1' : '0' }, # GH 29
+ # NOTE: unlike JSON::PP::Boolean which relies on fallback and has no
+ # explicit eq/ne overload, we provide semantic boolean matching:
+ # false eq "false", false eq "", false eq !!0, true eq "true".
+ # JSON::PP would return FALSE for all of these (plain string eq).
'eq' => sub {
my ($obj, $op) = $_[2] ? ($_[1], $_[0]) : ($_[0], $_[1]);
- #warn "eq obj:$obj op:$op len:", length($op) > 0, " swap:$_[2]";
if (ref $op) { # if 2nd also blessed might recurse endlessly
return $obj ? 1 == $op : 0 == $op;
}
# if string, only accept numbers or true|false or "" (e.g. !!0 / SV_NO)
elsif ($op !~ /^[0-9]+$/) {
- return "$obj" eq '1' ? 'true' eq $op : 'false' eq $op || "" eq $op;
+ return "$obj" eq '1' ? 'true' eq $op
+ : 'false' eq $op || (defined($op) && "" eq $op); # GH #207
}
else {
return $obj ? 1 == $op : 0 == $op;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/XS.xs
new/Cpanel-JSON-XS-4.42/XS.xs
--- old/Cpanel-JSON-XS-4.41/XS.xs 2026-05-27 20:00:10.000000000 +0200
+++ new/Cpanel-JSON-XS-4.42/XS.xs 2026-06-06 17:01:47.000000000 +0200
@@ -457,6 +457,7 @@
json_init (JSON *json)
{
Zero (json, 1, JSON);
+ json->flags = F_ALLOW_NONREF; /* GH #241: default like JSON::XS 4.0
*/
json->max_depth = 512;
json->indent_length = INDENT_STEP;
json->magic = JSON_MAGIC;
@@ -886,6 +887,7 @@
char *end; /* SvEND (sv) */
SV *sv; /* result scalar */
JSON json;
+ JSON *orig_json; /* pointer to original JSON object (for recursion guard) */
U32 indent; /* indentation level */
UV limit; /* escape character values >= this value when encoding */
} enc_t;
@@ -1635,7 +1637,15 @@
}
#endif
#if PERL_VERSION > 13
- pv = AMG_CALLunary(rv, string_amg);
+ {
+ /* GH #128: protect from endless recursion via "" overload.
+ Temporarily clear convert_blessed and allow_stringify on the
+ original JSON object so re-entrant encode calls won't loop. */
+ U32 flags = enc->orig_json->flags;
+ enc->orig_json->flags &= ~(F_ALLOW_STRINGIFY|F_CONV_BLESSED);
+ pv = AMG_CALLunary(rv, string_amg);
+ enc->orig_json->flags = flags;
+ }
#else
pv = AMG_CALLun(rv, string);
#endif
@@ -1847,8 +1857,14 @@
else if (enc->json.flags & F_ALLOW_BLESSED)
encode_const_str (aTHX_ enc, "null", 4, 0);
else
- croak ("encountered object '%s', but neither allow_blessed,
convert_blessed nor allow_tags settings are enabled (or TO_JSON/FREEZE method
missing)",
- SvPV_nolen (sv_2mortal (newRV_inc (sv))));
+ {
+ /* Use default stringification, bypassing any "" overload (GH #191).
*/
+ const char *name = HvNAME(SvSTASH(sv));
+ SV *desc = sv_2mortal(newSVpvf("%s=%s(0x%p)",
+ name ? name : "(unknown)", sv_reftype(sv, 0), sv));
+ croak ("encountered object '%s', but neither allow_blessed,
convert_blessed nor allow_tags settings are enabled (or TO_JSON/FREEZE method
missing)",
+ SvPV_nolen (desc));
+ }
}
}
else if (svt < SVt_PVAV && svt != SVt_PVGV && svt != SVt_PVHV && svt !=
SVt_PVAV)
@@ -1860,15 +1876,26 @@
else if (enc->json.flags & F_ALLOW_UNKNOWN)
encode_const_str (aTHX_ enc, "null", 4, 0);
else
- croak ("cannot encode reference to scalar '%s' unless the scalar
is 0 or 1",
- SvPV_nolen (sv_2mortal (newRV_inc (sv))));
+ {
+ /* Use default stringification, bypassing any "" overload (GH
#191). */
+ const char *name = SvOBJECT(sv) ? HvNAME(SvSTASH(sv)) : NULL;
+ SV *desc = sv_2mortal(newSVpvf("%s=%s(0x%p)",
+ name ? name : "(unknown)", sv_reftype(sv, 0), sv));
+ croak ("cannot encode reference to scalar '%s' unless the scalar
is 0 or 1",
+ SvPV_nolen (desc));
+ }
}
}
else if (enc->json.flags & F_ALLOW_UNKNOWN)
encode_const_str (aTHX_ enc, "null", 4, 0);
else
- croak ("encountered %s, but JSON can only represent references to arrays
or hashes",
- SvPV_nolen (sv_2mortal (newRV_inc (sv))));
+ {
+ /* Use default stringification, bypassing any "" overload (GH #191). */
+ SV *desc = sv_2mortal(newSVpvf("%s(0x%p)",
+ sv_reftype(sv, 0), sv));
+ croak ("encountered %s, but JSON can only represent references to arrays
or hashes",
+ SvPV_nolen (desc));
+ }
}
static void
@@ -1909,18 +1936,36 @@
if (UNLIKELY (SvOBJECT (sv)))
{
if (!encode_bool_obj (aTHX_ enc, sv, 1, 0))
- croak ("encountered object '%s', but convert_blessed is not
enabled",
- SvPV_nolen (sv_2mortal (newRV_inc (sv))));
+ {
+ /* Use default stringification, bypassing any "" overload (GH
#191). */
+ const char *name = HvNAME(SvSTASH(sv));
+ SV *desc = sv_2mortal(newSVpvf("%s=%s(0x%p)",
+ name ? name : "(unknown)", sv_reftype(sv, 0), sv));
+ croak ("encountered object '%s', but convert_blessed is not
enabled",
+ SvPV_nolen (desc));
+ }
}
else if (svt < SVt_PVAV && svt != SVt_PVGV)
{
if (!encode_bool_ref (aTHX_ enc, sv))
- croak ("cannot encode reference to scalar '%s' unless the scalar
is 0 or 1",
- SvPV_nolen (sv_2mortal (newRV_inc (sv))));
+ {
+ /* Use default stringification, bypassing any "" overload (GH
#191). */
+ const char *name = HvNAME(SvSTASH(sv));
+ SV *desc = sv_2mortal(newSVpvf("%s=%s(0x%p)",
+ name ? name : "(unknown)", sv_reftype(sv, 0), sv));
+ croak ("cannot encode reference to scalar '%s' unless the scalar
is 0 or 1",
+ SvPV_nolen (desc));
+ }
}
else
- croak ("encountered %s, but does not represent boolean",
- SvPV_nolen (sv_2mortal (newRV_inc (sv))));
+ {
+ /* Use default stringification, bypassing any "" overload (GH #191).
*/
+ const char *name = SvOBJECT(sv) ? HvNAME(SvSTASH(sv)) : NULL;
+ SV *desc = sv_2mortal(newSVpvf("%s=%s(0x%p)",
+ name ? name : "(unknown)", sv_reftype(sv, 0), sv));
+ croak ("encountered %s, but does not represent boolean",
+ SvPV_nolen (desc));
+ }
}
}
@@ -1968,12 +2013,26 @@
}
if (UNLIKELY (!(SvOK (typesv)) && (enc->json.flags & F_TYPE_ALL_STRING)))
- typesv = sv_2mortal (newSViv (JSON_TYPE_STRING | JSON_TYPE_CAN_BE_NULL));
+ {
+ /* Don't force STRING on blessed objects that would be handled by
+ allow_blessed/convert_blessed/allow_tags (GH #175). */
+ if (!(SvROK (sv) && SvOBJECT (SvRV (sv))
+ && (enc->json.flags &
(F_ALLOW_BLESSED|F_CONV_BLESSED|F_ALLOW_TAGS))
+ && !is_bool_obj (aTHX_ SvRV (sv))
+ && !is_bignum_obj (aTHX_ SvRV (sv))))
+ typesv = sv_2mortal (newSViv (JSON_TYPE_STRING |
JSON_TYPE_CAN_BE_NULL));
+ }
if (UNLIKELY (SvOK (typesv)))
{
if (SvROK (sv) && SvOBJECT (SvRV (sv)) && !(enc->json.flags &
(F_ALLOW_TAGS|F_CONV_BLESSED|F_ALLOW_BLESSED)) && !is_bool_obj (aTHX_ SvRV
(sv)) && !is_bignum_obj (aTHX_ SvRV (sv)))
- croak ("encountered object '%s', but neither allow_blessed,
convert_blessed nor allow_tags settings are enabled (or TO_JSON/FREEZE method
missing)", SvPV_nolen (sv));
+ {
+ /* Use default stringification, bypassing any "" overload (GH #191).
*/
+ const char *name = HvNAME(SvSTASH(SvRV(sv)));
+ SV *desc = sv_2mortal(newSVpvf("%s=%s(0x%p)",
+ name ? name : "(unknown)", sv_reftype(SvRV(sv), 0), SvRV(sv)));
+ croak ("encountered object '%s', but neither allow_blessed,
convert_blessed nor allow_tags settings are enabled (or TO_JSON/FREEZE method
missing)", SvPV_nolen (desc));
+ }
if (!SvIOKp (typesv))
{
@@ -2024,7 +2083,7 @@
UNLIKELY (sv == &PL_sv_yes || sv == &PL_sv_no)
#endif
) type = JSON_TYPE_BOOL;
- else if (SvNOKp (sv)) type = JSON_TYPE_FLOAT;
+ else if (SvNOK (sv)) type = JSON_TYPE_FLOAT;
else if (SvIOKp (sv)) type = JSON_TYPE_INT;
else if (SvPOKp (sv)) type = JSON_TYPE_STRING;
else if (SvROK (sv)) process_ref = 1;
@@ -2390,6 +2449,8 @@
else {
NV intpart;
if (!( inf_or_nan || (had_nokp && Perl_modf(SvNVX(sv), &intpart))
+ || (!force_conversion && had_nokp
+ && (SvNVX(sv) > (NV)UV_MAX || SvNVX(sv) < (NV)IV_MIN))
|| (!force_conversion && SvIOK(sv))
|| strchr(enc->cur,'e')
|| strchr(enc->cur,'E')
@@ -2738,6 +2799,7 @@
croak ("hash- or arrayref expected (not a simple scalar, use allow_nonref
to allow this)");
enc.json = *json;
+ enc.orig_json = json;
enc.sv = sv_2mortal (NEWSV (0, INIT_SIZE));
enc.cur = SvPVX (enc.sv);
enc.end = SvEND (enc.sv);
@@ -4884,14 +4946,23 @@
return;
void new (char *klass)
+ PREINIT:
+ HV *stash;
PPCODE:
dMY_CXT;
- SV *pv = NEWSV (0, sizeof (JSON));
+ SV *pv = NEWSV (0, sizeof (JSON));
SvPOK_only (pv);
json_init ((JSON *)SvPVX (pv));
+ if (SvROK (ST(0))) {
+ /* called as $obj->new — extract real class name from the object */
+ stash = SvSTASH (SvRV (ST(0)));
+ if (!stash)
+ croak ("Cannot create a %s object from an unblessed reference",
klass);
+ } else {
+ stash = strEQc (klass, "Cpanel::JSON::XS") ? JSON_STASH : gv_stashpv
(klass, 1);
+ }
XPUSHs (sv_2mortal (sv_bless (
- newRV_noinc (pv),
- strEQc (klass, "Cpanel::JSON::XS") ? JSON_STASH : gv_stashpv
(klass, 1)
+ newRV_noinc (pv), stash
)));
void ascii (JSON *self, int enable = 1)
@@ -5267,8 +5338,11 @@
JSON json;
json_init (&json);
json.flags |= ix;
- if (ix && SvTRUE (allow_nonref))
- json.flags |= F_ALLOW_NONREF;
+ if (items > 1) {
+ /* allow_nonref arg explicitly given: override the default */
+ if (!SvTRUE (allow_nonref))
+ json.flags &= ~F_ALLOW_NONREF;
+ }
PUTBACK; jsonstr = decode_json (aTHX_ jsonstr, &json, 0, typesv);
SPAGAIN;
XPUSHs (jsonstr);
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/bin/cpanel_json_xs
new/Cpanel-JSON-XS-4.42/bin/cpanel_json_xs
--- old/Cpanel-JSON-XS-4.41/bin/cpanel_json_xs 2022-05-03 13:12:46.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/bin/cpanel_json_xs 2026-06-06 15:29:25.000000000
+0200
@@ -126,7 +126,7 @@
Evaluate perl code after reading the data and before writing it out again
- can be used to filter, create or extract data. The data that has been
-written is in C<$_>, and whatever is in there is written out afterwards.
+read is in C<$_>, and whatever is in there is written out afterwards.
=back
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/00_load.t
new/Cpanel-JSON-XS-4.42/t/00_load.t
--- old/Cpanel-JSON-XS-4.41/t/00_load.t 2022-05-03 13:12:26.000000000 +0200
+++ new/Cpanel-JSON-XS-4.42/t/00_load.t 2026-06-06 17:01:47.000000000 +0200
@@ -1,5 +1,32 @@
-BEGIN { $| = 1; print "1..1\n"; }
+BEGIN { $| = 1; print "1..5\n"; }
END {print "not ok 1\n" unless $loaded;}
use Cpanel::JSON::XS;
$loaded = 1;
print "ok 1\n";
+
+# GH #93: $obj->new must work (not create a broken object)
+my $obj = eval { Cpanel::JSON::XS->new->utf8 };
+my $obj2 = eval { $obj->new };
+print $@ ? "not ok 2 - GH #93 \$obj->new crashed: $@" : "ok 2 - GH #93
\$obj->new\n";
+my $class = ref($obj2);
+print $class && $class eq 'Cpanel::JSON::XS'
+ ? "ok 3 - GH #93 result is Cpanel::JSON::XS\n"
+ : "not ok 3 - GH #93 result is ", ($class || "undef"), "\n";
+
+# GH #93: subclass $obj->new preserves class (needs Perl 5.10+ for parent.pm)
+if ($] >= 5.010) {
+ package MyJSON93;
+ use parent -norequire, 'Cpanel::JSON::XS';
+ package main;
+ my $sub = MyJSON93->new;
+ my $sub2 = $sub->new;
+ print eval { $sub2->isa('MyJSON93') }
+ ? "ok 4 - GH #93 subclass ->new preserves class\n"
+ : "not ok 4 - GH #93\n";
+ print eval { $sub2->isa('Cpanel::JSON::XS') }
+ ? "ok 5 - GH #93 subclass ->new still ISA Cpanel::JSON::XS\n"
+ : "not ok 5 - GH #93\n";
+} else {
+ print "ok 4 # skip parent.pm not available\n";
+ print "ok 5 # skip parent.pm not available\n";
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/01_utf8.t
new/Cpanel-JSON-XS-4.42/t/01_utf8.t
--- old/Cpanel-JSON-XS-4.41/t/01_utf8.t 2024-12-12 21:50:31.000000000 +0100
+++ new/Cpanel-JSON-XS-4.42/t/01_utf8.t 2026-06-06 17:01:47.000000000 +0200
@@ -3,27 +3,27 @@
use Cpanel::JSON::XS;
use warnings;
-is(Cpanel::JSON::XS->new->allow_nonref->utf8->encode("ü"), "\"\xc3\xbc\"");
-is(Cpanel::JSON::XS->new->allow_nonref->encode("ü"), "\"ü\"");
+is(Cpanel::JSON::XS->new->utf8->encode("ü"), "\"\xc3\xbc\"");
+is(Cpanel::JSON::XS->new->encode("ü"), "\"ü\"");
-is(Cpanel::JSON::XS->new->allow_nonref->ascii->utf8->encode(chr 0x8000),
'"\u8000"');
-is(Cpanel::JSON::XS->new->allow_nonref->ascii->utf8->pretty->encode(chr
0x10402), "\"\\ud801\\udc02\"\n");
+is(Cpanel::JSON::XS->new->ascii->utf8->encode(chr 0x8000), '"\u8000"');
+is(Cpanel::JSON::XS->new->ascii->utf8->pretty->encode(chr 0x10402),
"\"\\ud801\\udc02\"\n");
-ok not defined eval { Cpanel::JSON::XS->new->allow_nonref->utf8->decode('"ü"')
};
+ok not defined eval { Cpanel::JSON::XS->new->utf8->decode('"ü"') };
like $@, qr/malformed UTF-8/;
-is(Cpanel::JSON::XS->new->allow_nonref->decode('"ü"'), "ü");
-is(Cpanel::JSON::XS->new->allow_nonref->decode('"\u00fc"'), "ü");
+is(Cpanel::JSON::XS->new->decode('"ü"'), "ü");
+is(Cpanel::JSON::XS->new->decode('"\u00fc"'), "ü");
ok not defined eval { decode_json ('"\ud801\udc02' . "\x{10204}\"", 1) };
like $@, qr/Wide character/;
SKIP: {
skip "5.6", 1 if $] < 5.008;
- is(Cpanel::JSON::XS->new->allow_nonref->decode('"\ud801\udc02' .
"\x{10204}\""), "\x{10402}\x{10204}");
+ is(Cpanel::JSON::XS->new->decode('"\ud801\udc02' . "\x{10204}\""),
"\x{10402}\x{10204}");
}
-is(Cpanel::JSON::XS->new->allow_nonref->decode('"\"\n\\\\\r\t\f\b"'),
"\"\012\\\015\011\014\010");
+is(Cpanel::JSON::XS->new->decode('"\"\n\\\\\r\t\f\b"'),
"\"\012\\\015\011\014\010");
my $utf8_love = "I \342\235\244 perl";
is(Cpanel::JSON::XS->new->ascii->encode([$utf8_love]), '["I \u00e2\u009d\u00a4
perl"]', 'utf8 enc ascii');
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/02_error.t
new/Cpanel-JSON-XS-4.42/t/02_error.t
--- old/Cpanel-JSON-XS-4.41/t/02_error.t 2025-09-08 13:53:39.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/02_error.t 2026-06-06 17:01:47.000000000
+0200
@@ -1,4 +1,4 @@
-use Test::More tests => 41;
+use Test::More tests => 44;
use utf8;
use Cpanel::JSON::XS;
@@ -20,7 +20,7 @@
eval { Cpanel::JSON::XS->new->allow_nonref->decode ('"\ud800"') }; ok $@ =~
/missing low /;
eval { Cpanel::JSON::XS->new->allow_nonref (1)->decode ('"\ud800\u1234"') };
ok $@ =~ /surrogate pair /;
-eval { Cpanel::JSON::XS->new->decode ('null') }; ok $@ =~ /allow_nonref/;
+eval { Cpanel::JSON::XS->new->allow_nonref(0)->decode ('null') }; ok $@ =~
/allow_nonref/;
eval { Cpanel::JSON::XS->new->allow_nonref (1)->decode ('+0') }; ok $@ =~
/malformed/;
eval { Cpanel::JSON::XS->new->allow_nonref->decode ('.2') }; ok $@ =~
/malformed/;
eval { Cpanel::JSON::XS->new->allow_nonref (1)->decode ('bare') }; ok $@ =~
/malformed/;
@@ -32,8 +32,8 @@
eval { Cpanel::JSON::XS->new->allow_nonref (1)->decode ('-e+1') }; ok $@ =~
/initial minus/;
eval { Cpanel::JSON::XS->new->allow_nonref->decode ("\"\n\"") }; ok $@ =~
/invalid character/;
eval { Cpanel::JSON::XS->new->allow_nonref (1)->decode ("\"\x01\"") }; ok $@
=~ /invalid character/;
-eval { decode_json ("[\"\xa0]") }; ok $@ =~ /malformed.*character/;
-eval { decode_json ("[\"\xa0\"]") }; ok $@ =~ /malformed.*character/;
+eval { decode_json ("[\"\xa0]", 0) }; ok $@ =~ /malformed.*character/;
+eval { decode_json ("[\"\xa0\"]", 0) }; ok $@ =~ /malformed.*character/;
}
eval { Cpanel::JSON::XS->new->decode ('[5') }; ok $@ =~ /parsing array/;
@@ -47,10 +47,10 @@
eval { Cpanel::JSON::XS->new->decode (*STDERR) }; ok !!$@; # cannot coerce GLOB
# RFC 7159: missing optional 2nd allow_nonref arg
-eval { decode_json ("null") }; ok $@ =~ /JSON text must be an object or
array/, "null";
-eval { decode_json ("true") }; ok $@ =~ /JSON text must be an object or
array/, "true $@";
-eval { decode_json ("false") }; ok $@ =~ /JSON text must be an object or
array/, "false $@";
-eval { decode_json ("1") }; ok $@ =~ /JSON text must be an object or array/,
"wrong 1";
+eval { decode_json ("null", 0) }; ok $@ =~ /JSON text must be an object or
array/, "null";
+eval { decode_json ("true", 0) }; ok $@ =~ /JSON text must be an object or
array/, "true $@";
+eval { decode_json ("false", 0) }; ok $@ =~ /JSON text must be an object or
array/, "false $@";
+eval { decode_json ("1", 0) }; ok $@ =~ /JSON text must be an object or
array/, "wrong 1";
# more malformed numbers
eval { Cpanel::JSON::XS->new->allow_nonref->decode ('001') }; ok $@ =~
/malformed number/;
@@ -58,3 +58,13 @@
eval { Cpanel::JSON::XS->new->allow_nonref->decode ('1.0.') }; ok !!$@;
eval { Cpanel::JSON::XS->new->allow_nonref->decode ('1.') }; ok $@ =~
/malformed number/;
eval { Cpanel::JSON::XS->new->allow_nonref->decode ('-') }; ok $@ =~
/malformed number/;
+
+# GH #241: allow_nonref now defaults to true (like JSON::XS 4.0),
+# but must still be possible to disable explicitly.
+eval { Cpanel::JSON::XS->new->allow_nonref(0)->encode ("string") };
+ok $@ =~ /hash- or arrayref expected/, 'allow_nonref(0) encode rejects scalar';
+eval { Cpanel::JSON::XS->new->allow_nonref(0)->decode ('"string"') };
+ok $@ =~ /allow_nonref/, 'allow_nonref(0) decode rejects scalar';
+# re-enabling must work
+my $v = Cpanel::JSON::XS->new->allow_nonref(0)->allow_nonref(1)->decode ('42');
+is $v, 42, 'allow_nonref(0)->allow_nonref(1) restores nonref decode';
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/03_types.t
new/Cpanel-JSON-XS-4.42/t/03_types.t
--- old/Cpanel-JSON-XS-4.41/t/03_types.t 2022-05-03 13:12:46.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/03_types.t 2026-06-06 17:01:47.000000000
+0200
@@ -7,10 +7,10 @@
print $_[0] ? "" : "not ", "ok ", ++$test;
print @_ > 1 ? " # $_[1]\n" : "\n";
}
-ok (!defined Cpanel::JSON::XS->new->allow_nonref->decode ('null'));
-my $null = Cpanel::JSON::XS->new->allow_nonref->decode ('null');
-my $true = Cpanel::JSON::XS->new->allow_nonref->decode ('true');
-my $false = Cpanel::JSON::XS->new->allow_nonref->decode ('false');
+ok (!defined Cpanel::JSON::XS->new->decode ('null'));
+my $null = Cpanel::JSON::XS->new->decode ('null');
+my $true = Cpanel::JSON::XS->new->decode ('true');
+my $false = Cpanel::JSON::XS->new->decode ('false');
ok ($true == 1, sprintf("true: numified %d", 0+$true));
ok ($false == 0, sprintf("false: numified %d", 0+$false));
@@ -41,13 +41,13 @@
ok (!Cpanel::JSON::XS::is_bool $false);
ok (!Cpanel::JSON::XS::is_bool "JSON::PP::Boolean");
-ok (Cpanel::JSON::XS->new->allow_nonref (1)->decode ('5') == 5);
-ok (Cpanel::JSON::XS->new->allow_nonref (1)->decode ('-5') == -5);
-ok (Cpanel::JSON::XS->new->allow_nonref (1)->decode ('5e1') == 50);
-ok (Cpanel::JSON::XS->new->allow_nonref (1)->decode ('-333e+0') == -333);
-ok (Cpanel::JSON::XS->new->allow_nonref (1)->decode ('2.5') == 2.5);
+ok (Cpanel::JSON::XS->new->decode ('5') == 5);
+ok (Cpanel::JSON::XS->new->decode ('-5') == -5);
+ok (Cpanel::JSON::XS->new->decode ('5e1') == 50);
+ok (Cpanel::JSON::XS->new->decode ('-333e+0') == -333);
+ok (Cpanel::JSON::XS->new->decode ('2.5') == 2.5);
-ok (Cpanel::JSON::XS->new->allow_nonref (1)->decode ('""') eq "");
+ok (Cpanel::JSON::XS->new->decode ('""') eq "");
ok ('[1,2,3,4]' eq encode_json decode_json ('[1,2, 3,4]'));
ok ('[{},[],[],{}]' eq encode_json decode_json ('[{},[], [ ] ,{ }]'));
ok ('[{"1":[5]}]' eq encode_json [{1 => [5]}]);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/04_dwiw_encode.t
new/Cpanel-JSON-XS-4.42/t/04_dwiw_encode.t
--- old/Cpanel-JSON-XS-4.41/t/04_dwiw_encode.t 2022-05-03 13:12:26.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/04_dwiw_encode.t 2026-06-06 17:01:47.000000000
+0200
@@ -23,7 +23,7 @@
my $expected_str3 =
'{"var2":["first_element",{"sub_element2":"sub_val2","sub_element":"sub_val"}],"var1":"val1"}';
my $expected_str4 =
'{"var1":"val1","var2":["first_element",{"sub_element2":"sub_val2","sub_element":"sub_val"}]}';
- my $json_obj = Cpanel::JSON::XS->new->allow_nonref (1);
+ my $json_obj = Cpanel::JSON::XS->new;
my $json_str;
# print STDERR "\n" . $json_str . "\n\n";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/05_dwiw_decode.t
new/Cpanel-JSON-XS-4.42/t/05_dwiw_decode.t
--- old/Cpanel-JSON-XS-4.41/t/05_dwiw_decode.t 2022-05-03 13:12:26.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/05_dwiw_decode.t 2026-06-06 17:01:47.000000000
+0200
@@ -17,7 +17,7 @@
my $json_str =
'{"var1":"val1","var2":["first_element",{"sub_element":"sub_val","sub_element2":"sub_val2"}],"var3":"val3"}';
- my $json_obj = Cpanel::JSON::XS->new->allow_nonref(1);
+ my $json_obj = Cpanel::JSON::XS->new;
my $data = $json_obj->decode($json_str);
my $pass = 1;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/105_esc_slash.t
new/Cpanel-JSON-XS-4.42/t/105_esc_slash.t
--- old/Cpanel-JSON-XS-4.41/t/105_esc_slash.t 2022-05-03 13:12:46.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/105_esc_slash.t 2026-06-06 17:01:47.000000000
+0200
@@ -4,7 +4,7 @@
use Cpanel::JSON::XS;
#########################
-my $json = Cpanel::JSON::XS->new->allow_nonref;
+my $json = Cpanel::JSON::XS->new;
my $js = '/';
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/109_encode.t
new/Cpanel-JSON-XS-4.42/t/109_encode.t
--- old/Cpanel-JSON-XS-4.41/t/109_encode.t 2022-05-03 13:12:46.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/109_encode.t 2026-06-06 17:01:47.000000000
+0200
@@ -13,7 +13,7 @@
no utf8;
-my $json = Cpanel::JSON::XS->new->allow_nonref;
+my $json = Cpanel::JSON::XS->new;
is($json->encode("ü"), q|"ü"|); # as is
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/110_bignum.t
new/Cpanel-JSON-XS-4.42/t/110_bignum.t
--- old/Cpanel-JSON-XS-4.41/t/110_bignum.t 2025-09-08 13:53:39.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/110_bignum.t 2026-06-06 15:29:25.000000000
+0200
@@ -1,12 +1,14 @@
#!/usr/bin/env perl
use strict;
-my $has_bignum;
+my ($has_bignum, @DOS_DIGITS);
BEGIN {
eval q| require Math::BigInt |;
$has_bignum = $@ ? 0 : 1;
+ @DOS_DIGITS = qw(1000 100_000 10_000_000 100_000_000 1_000_000_000); #
100_000_000_000
}
+
use Test::More $has_bignum
- ? (tests => 20)
+ ? (tests => 20 + scalar(@DOS_DIGITS))
: (skip_all => "Can't load Math::BigInt");
use Cpanel::JSON::XS;
use Scalar::Util ();
@@ -84,3 +86,21 @@
# But a short int will not decode to a BigInt
$num = $json->decode(q|[4]|)->[0];
ok( Scalar::Util::looks_like_number($num), 'simple IV') or Dump($num);
+
+# DOS GH #204 — resource-intensive; only run when PERL_TEST_DEVEL is set
+SKIP: {
+ skip "set PERL_TEST_DEVEL to run resource-intensive DOS attack tests",
scalar(@DOS_DIGITS)
+ unless $ENV{PERL_TEST_DEVEL};
+ for (@DOS_DIGITS) {
+ my $s = $_;
+ my $digits = $s;
+ $digits =~ s/_//g;
+ # perl throws "Out of memory!" when constructing a string with
100_000_000_000 digits
+ my $dos = '1' . '0' x $digits;
+ note "decode bigint DOS attack with $s digits";
+ # perl throws "Killed" with a bignum of about 1_000_000_000 digits
+ my $num = $json->decode($dos);
+ is($num->bcmp($dos), 0, "decoded $s digits")
+ or Dump ($num);
+ }
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/112_upgrade.t
new/Cpanel-JSON-XS-4.42/t/112_upgrade.t
--- old/Cpanel-JSON-XS-4.41/t/112_upgrade.t 2022-05-03 13:12:46.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/112_upgrade.t 2026-06-06 17:01:47.000000000
+0200
@@ -7,7 +7,7 @@
use _unicode_handling;
}
-my $json = Cpanel::JSON::XS->new->allow_nonref->utf8;
+my $json = Cpanel::JSON::XS->new->utf8;
my $str = '\\u00c8';
my $value = $json->decode( '"\\u00c8"' );
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/114_decode_prefix.t
new/Cpanel-JSON-XS-4.42/t/114_decode_prefix.t
--- old/Cpanel-JSON-XS-4.41/t/114_decode_prefix.t 2022-05-03
13:12:46.000000000 +0200
+++ new/Cpanel-JSON-XS-4.42/t/114_decode_prefix.t 2026-06-06
17:01:47.000000000 +0200
@@ -5,7 +5,7 @@
use Cpanel::JSON::XS;
-my $json = Cpanel::JSON::XS->new;
+my $json = Cpanel::JSON::XS->new->allow_nonref(0);
my $complete_text = qq/{"foo":"bar"}/;
my $garbaged_text = qq/{"foo":"bar"}\n/;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/116_incr_parse_fixed.t
new/Cpanel-JSON-XS-4.42/t/116_incr_parse_fixed.t
--- old/Cpanel-JSON-XS-4.41/t/116_incr_parse_fixed.t 2022-05-03
13:12:46.000000000 +0200
+++ new/Cpanel-JSON-XS-4.42/t/116_incr_parse_fixed.t 2026-06-06
17:01:47.000000000 +0200
@@ -5,7 +5,7 @@
use Cpanel::JSON::XS;
-my $json = Cpanel::JSON::XS->new->allow_nonref();
+my $json = Cpanel::JSON::XS->new;
my @vs = $json->incr_parse('"a\"bc');
@@ -16,7 +16,7 @@
is( $vs[0], "a\"bc" );
-$json = Cpanel::JSON::XS->new;
+$json = Cpanel::JSON::XS->new->allow_nonref(0);
@vs = $json->incr_parse('"a\"bc');
ok( not scalar(@vs) );
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/117_numbers.t
new/Cpanel-JSON-XS-4.42/t/117_numbers.t
--- old/Cpanel-JSON-XS-4.41/t/117_numbers.t 2023-06-19 15:23:34.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/117_numbers.t 2026-06-06 15:29:25.000000000
+0200
@@ -3,7 +3,7 @@
use Test::More;
use Config;
plan skip_all => "Yet unhandled inf/nan with $^O" if $^O eq 'dec_osf';
-plan tests => 25;
+plan tests => 30;
# infnan_mode = 0:
is encode_json([9**9**9]), '[null]', "inf -> null stringify_infnan(0)";
@@ -133,3 +133,33 @@
is encode_json({"invalid" => 123.45}), qq|{"invalid":123.45}|,
"numeric radix";
}
+
+
+# GH #112: On 32-bit Perl, whole-number NVs exceeding UV_MAX (e.g. large
+# IDs) were encoded with trailing .0 because Perl stores them as float.
+# Fix: skip the .0 when the NV value exceeds native integer range,
+# since Perl was forced to use NV (not because user wrote a float literal).
+# Floats that fit in native range (like 1.0) still get .0.
+is encode_json([1.0]), '[1.0]', 'GH#112 float 1.0 stays 1.0';
+is encode_json([5439409363]), '[5439409363]', 'GH#112 large int (in IV) no .0';
+is encode_json([3.14]), '[3.14]', 'GH#112 fractional float unchanged';
+
+# GH #197: IOK + pNOK but not NOK — NV imprecise, IV accurate
+# When a large int is used in a float expression, perl upgrades the
+# scalar to PVNV and sets pNOK, but not NOK (NV lost precision).
+# We must encode the accurate integer, not the imprecise float.
+{
+ my $l = 412345678901234567;
+ my $g = $l + 1.2; # upgrades $l: sets pNOK, keeps IOK, does NOT set NOK
+ is encode_json([$l]), '[412345678901234567]',
+ 'GH#197 large int with stale NV: use IOK, not pNOK';
+}
+
+# GH #197: after int($float), both NOK and IOK are set.
+# The NV is the accurate full value (with fraction), prefer it.
+{
+ my $f = 1.5;
+ int($f); # sets IOK (IV=1), keeps NOK (NV=1.5)
+ is encode_json([$f]), '[1.5]',
+ 'GH#197 int($float) still encodes as float (NOK set)';
+}
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/118_type.t
new/Cpanel-JSON-XS-4.42/t/118_type.t
--- old/Cpanel-JSON-XS-4.41/t/118_type.t 2022-05-06 07:40:07.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/118_type.t 2026-06-06 17:01:47.000000000
+0200
@@ -15,10 +15,10 @@
$have_weaken = 0 if $] < 5.008;
}
-use Test::More tests => 381;
+use Test::More tests => 385;
-my $cjson = Cpanel::JSON::XS->new->canonical->allow_nonref->require_types;
-my $bigcjson =
Cpanel::JSON::XS->new->canonical->allow_nonref->require_types->allow_bignum;
+my $cjson = Cpanel::JSON::XS->new->canonical->require_types;
+my $bigcjson = Cpanel::JSON::XS->new->canonical->require_types->allow_bignum;
foreach my $false (Cpanel::JSON::XS::false, undef, 0, 0.0, 0E0, !!0, !1, "0",
"", \0) {
is($cjson->encode($false, JSON_TYPE_BOOL), 'false');
@@ -618,3 +618,25 @@
ok(!defined eval { $cjson->encode(bless({}, 'Object'), JSON_TYPE_STRING) });
like($@, qr/encountered object.*but neither allow_blessed, convert_blessed nor
allow_tags settings are enabled/);
+
+# GH #191: error messages must use ClassName=TYPE(addr) format,
+# not the overloaded "" stringification of the object.
+{
+ package OverloadedError;
+ use overload q("") => sub { "CONFUSING_STRING" }, fallback => 1;
+ sub new { bless { x => 1 }, shift }
+}
+my $obj = OverloadedError->new;
+
+# non-type path (via encode_rv)
+my $plain = Cpanel::JSON::XS->new;
+ok(!defined eval { $plain->encode($obj) },
+ 'encode blessed object without flags -> error');
+like($@, qr/encountered object 'OverloadedError=HASH\(0x[0-9a-f]+\)'/,
+ 'error msg uses ClassName=TYPE(addr), not overloaded stringification');
+
+# type-path (via encode_sv)
+ok(!defined eval { $plain->encode($obj, JSON_TYPE_STRING) },
+ 'encode blessed object with type -> error');
+like($@, qr/encountered object 'OverloadedError=HASH\(0x[0-9a-f]+\)'/,
+ 'type-path error msg also uses ClassName=TYPE(addr)');
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/119_type_decode.t
new/Cpanel-JSON-XS-4.42/t/119_type_decode.t
--- old/Cpanel-JSON-XS-4.41/t/119_type_decode.t 2022-05-03 13:12:46.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/119_type_decode.t 2026-06-06 17:01:47.000000000
+0200
@@ -6,7 +6,7 @@
use Test::More tests => 24;
-my $cjson = Cpanel::JSON::XS->new->allow_nonref;
+my $cjson = Cpanel::JSON::XS->new;
{
my $value = $cjson->decode('false', my $type);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/120_type_all_string.t
new/Cpanel-JSON-XS-4.42/t/120_type_all_string.t
--- old/Cpanel-JSON-XS-4.41/t/120_type_all_string.t 2024-12-12
21:50:46.000000000 +0100
+++ new/Cpanel-JSON-XS-4.42/t/120_type_all_string.t 2026-06-06
17:01:47.000000000 +0200
@@ -3,9 +3,9 @@
use Cpanel::JSON::XS;
-use Test::More tests => 8;
+use Test::More tests => 12;
-my $sjson =
Cpanel::JSON::XS->new->canonical->require_types->type_all_string->allow_nonref;
+my $sjson = Cpanel::JSON::XS->new->canonical->require_types->type_all_string;
is($sjson->encode(0), '"0"');
is($sjson->encode("0"), '"0"');
@@ -15,3 +15,31 @@
is($sjson->encode([ Cpanel::JSON::XS::false, Cpanel::JSON::XS::true ]),
'["false","true"]');
is($sjson->encode([ 1 < 0, 1 > 0 ]), '["","1"]');
is($sjson->encode(undef), 'null');
+
+# GH #175: type_all_string must not interfere with
allow_blessed/convert_blessed
+{
+ package TO_JSON_Obj;
+ sub new { bless { x => 1 }, shift }
+ sub TO_JSON { return { from_to_json => 1 } }
+}
+my $obj = bless {}, "SomeClass";
+my $toj = TO_JSON_Obj->new;
+
+# allow_blessed + type_all_string: blessed -> null (unquoted)
+my $ab = Cpanel::JSON::XS->new->canonical->allow_blessed->type_all_string;
+is($ab->encode({ num => 42, obj => $obj }), '{"num":"42","obj":null}',
+ 'allow_blessed + type_all_string: blessed becomes null');
+
+# allow_blessed + convert_blessed + type_all_string (OP scenario)
+my $both =
Cpanel::JSON::XS->new->canonical->allow_blessed->convert_blessed->type_all_string;
+is($both->encode({ num => 42, obj => $obj }), '{"num":"42","obj":null}',
+ 'allow_blessed + convert_blessed + type_all_string');
+
+# convert_blessed + type_all_string with TO_JSON: TO_JSON result is stringified
+my $conv = Cpanel::JSON::XS->new->canonical->convert_blessed->type_all_string;
+is($conv->encode({ num => 42, obj => $toj }),
'{"num":"42","obj":{"from_to_json":"1"}}',
+ 'convert_blessed + type_all_string: TO_JSON values get stringified');
+
+# numbers still stringified with allow_blessed + type_all_string
+is($ab->encode([ 1, Cpanel::JSON::XS::true, Cpanel::JSON::XS::false, 0.5 ]),
'["1","true","false","0.5"]',
+ 'numbers and booleans still stringified with allow_blessed');
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/122_type_encode.t
new/Cpanel-JSON-XS-4.42/t/122_type_encode.t
--- old/Cpanel-JSON-XS-4.41/t/122_type_encode.t 1970-01-01 01:00:00.000000000
+0100
+++ new/Cpanel-JSON-XS-4.42/t/122_type_encode.t 2026-06-06 15:29:25.000000000
+0200
@@ -0,0 +1,76 @@
+use strict;
+use warnings;
+
+use Cpanel::JSON::XS;
+use Cpanel::JSON::XS::Type;
+
+use Test::More tests => 24;
+
+# GH #240: encode with type_spec must not modify the type_spec hash
+
+my $cjson = Cpanel::JSON::XS->new->utf8->canonical;
+
+# Basic: type_spec is unchanged after a single encode
+{
+ my $type_spec = { a => JSON_TYPE_STRING_OR_NULL, b => JSON_TYPE_INT };
+ my $orig_a = $type_spec->{a};
+ my $orig_b = $type_spec->{b};
+
+ $cjson->encode({ a => "hello", b => 1 }, $type_spec);
+
+ is($type_spec->{a}, $orig_a, 'type_spec->{a} unchanged after encode
(non-null)');
+ is($type_spec->{b}, $orig_b, 'type_spec->{b} unchanged after encode
(non-null)');
+}
+
+# type_spec unchanged when value is null (undef)
+{
+ my $type_spec = { a => JSON_TYPE_STRING_OR_NULL, b =>
JSON_TYPE_INT_OR_NULL };
+ my $orig_a = $type_spec->{a};
+ my $orig_b = $type_spec->{b};
+
+ $cjson->encode({ a => undef, b => undef }, $type_spec);
+
+ is($type_spec->{a}, $orig_a, 'type_spec->{a} unchanged after encode (null
value)');
+ is($type_spec->{b}, $orig_b, 'type_spec->{b} unchanged after encode (null
value)');
+}
+
+# Loop scenario: multiple encodes with the same type_spec (GH #240 core case)
+{
+ my $type_spec = { a => JSON_TYPE_STRING_OR_NULL, b => JSON_TYPE_INT };
+ my $orig_a = $type_spec->{a};
+ my $orig_b = $type_spec->{b};
+
+ my @rows = (
+ { a => "0.0", b => 1 },
+ { a => undef, b => 2 },
+ { a => "hello", b => 3 },
+ { a => undef, b => 4 },
+ { a => "0.0", b => 5 },
+ );
+
+ my @results;
+ for my $row (@rows) {
+ my $json = eval { $cjson->encode($row, $type_spec) };
+ push @results, $json;
+ is($type_spec->{a}, $orig_a, "type_spec->{a} unchanged after loop
encode");
+ is($type_spec->{b}, $orig_b, "type_spec->{b} unchanged after loop
encode");
+ }
+
+ is($results[0], '{"a":"0.0","b":1}', 'loop encode result 1 correct');
+ is($results[1], '{"a":null,"b":2}', 'loop encode result 2 correct
(null)');
+ is($results[2], '{"a":"hello","b":3}', 'loop encode result 3 correct');
+ is($results[3], '{"a":null,"b":4}', 'loop encode result 4 correct
(null)');
+ is($results[4], '{"a":"0.0","b":5}', 'loop encode result 5 correct');
+}
+
+# type_spec loaded via raw integer values (as if decoded from a JSON config
file)
+{
+ my $type_spec = Cpanel::JSON::XS->new->decode('{"a":260,"b":2}');
+ is($type_spec->{a}, JSON_TYPE_STRING_OR_NULL, 'decoded type value matches
JSON_TYPE_STRING_OR_NULL');
+ is($type_spec->{b}, JSON_TYPE_INT, 'decoded type value matches
JSON_TYPE_INT');
+
+ my $result = $cjson->encode({ a => "test", b => 42 }, $type_spec);
+ is($result, '{"a":"test","b":42}', 'encode with decoded-integer type_spec
works');
+ is($type_spec->{a}, JSON_TYPE_STRING_OR_NULL, 'type_spec unchanged after
encode with decoded-integer types');
+ is($type_spec->{b}, JSON_TYPE_INT, 'type_spec b unchanged after
encode with decoded-integer types');
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/12_blessed.t
new/Cpanel-JSON-XS-4.42/t/12_blessed.t
--- old/Cpanel-JSON-XS-4.41/t/12_blessed.t 2023-06-19 15:23:34.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/12_blessed.t 2026-06-06 15:29:25.000000000
+0200
@@ -60,7 +60,7 @@
$js->allow_blessed->convert_blessed;
ok ($js->encode ($o1) eq '{"__":""}', 'allow_blessed + convert_blessed');
SKIP: {
- skip "5.6", 2 if $[ < 5.008;
+ skip "5.6", 2 if $] < 5.008;
# PP returns null
$r = $js->encode ($o2);
ok ($r eq 'null', "$r");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/14_latin1.t
new/Cpanel-JSON-XS-4.42/t/14_latin1.t
--- old/Cpanel-JSON-XS-4.41/t/14_latin1.t 2022-05-03 13:12:26.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/14_latin1.t 2026-06-06 17:01:47.000000000
+0200
@@ -2,7 +2,7 @@
no utf8;
use Test::More tests => 12;
-my $xs = Cpanel::JSON::XS->new->latin1->allow_nonref;
+my $xs = Cpanel::JSON::XS->new->latin1;
is($xs->encode ("\x{12}\x{89} "), "\"\\u0012\x{89} \"");
is($xs->encode ("\x{12}\x{89}\x{abc}"), "\"\\u0012\x{89}\\u0abc\"");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/15_prefix.t
new/Cpanel-JSON-XS-4.42/t/15_prefix.t
--- old/Cpanel-JSON-XS-4.41/t/15_prefix.t 2022-05-03 13:12:26.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/15_prefix.t 2026-06-06 17:01:47.000000000
+0200
@@ -1,7 +1,7 @@
use Test::More tests => 4;
use Cpanel::JSON::XS;
-my $xs = Cpanel::JSON::XS->new->latin1->allow_nonref;
+my $xs = Cpanel::JSON::XS->new->latin1;
eval { $xs->decode ("[] ") };
ok (!$@);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/18_json_checker.t
new/Cpanel-JSON-XS-4.42/t/18_json_checker.t
--- old/Cpanel-JSON-XS-4.41/t/18_json_checker.t 2022-05-03 13:12:26.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/18_json_checker.t 2026-06-06 17:01:47.000000000
+0200
@@ -10,9 +10,9 @@
use Cpanel::JSON::XS;
exit if $] < 5.008;
-# emulate JSON_checker default config
-my $json = Cpanel::JSON::XS->new->utf8->max_depth(32)->canonical;
-$json = Cpanel::JSON::XS->new->max_depth(32)->canonical if $] < 5.008;
+my $json = Cpanel::JSON::XS->new->allow_nonref(0)->max_depth (32)->max_size
(8192);
+my $json =
Cpanel::JSON::XS->new->allow_nonref(0)->utf8->max_depth(32)->canonical;
+$json = Cpanel::JSON::XS->new->allow_nonref(0)->max_depth(32)->canonical if $]
< 5.008;
binmode DATA;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/19_incr.t
new/Cpanel-JSON-XS-4.42/t/19_incr.t
--- old/Cpanel-JSON-XS-4.41/t/19_incr.t 2026-05-27 20:00:10.000000000 +0200
+++ new/Cpanel-JSON-XS-4.42/t/19_incr.t 2026-06-06 17:01:47.000000000 +0200
@@ -27,8 +27,8 @@
splitter +Cpanel::JSON::XS->new->canonical , '
["x\\"","\\u1000\\\\n\\nx",1,{"\\\\" :5 , "": "x"}]';
splitter +Cpanel::JSON::XS->new->canonical , '[ "x\\"","\\u1000\\\\n\\nx"
, 1,{"\\\\ " :5 , "": " x"} ] ';
}
-splitter +Cpanel::JSON::XS->new->allow_nonref->canonical, '"test"';
-splitter +Cpanel::JSON::XS->new->allow_nonref->canonical, ' "5" ';
+splitter +Cpanel::JSON::XS->new->canonical, '"test"';
+splitter +Cpanel::JSON::XS->new->canonical, ' "5" ';
diag "skip lvalue incr_text for 5.6" if $] < 5.008;
exit if $] < 5.008;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/20_faihu.t
new/Cpanel-JSON-XS-4.42/t/20_faihu.t
--- old/Cpanel-JSON-XS-4.41/t/20_faihu.t 2022-05-03 13:12:26.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/20_faihu.t 2026-06-06 17:01:47.000000000
+0200
@@ -11,17 +11,17 @@
my ($faihu, $faihu_json, $roundtrip, $js) = "\x{10346}";
-$js = Cpanel::JSON::XS->new->allow_nonref->ascii;
+$js = Cpanel::JSON::XS->new->ascii;
$faihu_json = $js->encode($faihu);
$roundtrip = $js->decode($faihu_json);
is ($roundtrip, $faihu, 'JSON in ASCII roundtrips correctly');
-$js = Cpanel::JSON::XS->new->allow_nonref->utf8;
+$js = Cpanel::JSON::XS->new->utf8;
$faihu_json = $js->encode ($faihu);
$roundtrip = $js->decode ($faihu_json);
is ($roundtrip, $faihu, 'JSON in UTF-8 roundtrips correctly');
-$js = Cpanel::JSON::XS->new->allow_nonref;
+$js = Cpanel::JSON::XS->new;
$faihu_json = encode 'UTF-16BE', $js->encode ($faihu);
$roundtrip = $js->decode( decode 'UTF-16BE', $faihu_json);
is ($roundtrip, $faihu, 'JSON with external recoding roundtrips correctly' );
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/25_boolean.t
new/Cpanel-JSON-XS-4.42/t/25_boolean.t
--- old/Cpanel-JSON-XS-4.41/t/25_boolean.t 2024-07-04 12:49:26.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/25_boolean.t 2026-06-06 17:01:47.000000000
+0200
@@ -1,6 +1,6 @@
use strict;
use constant HAVE_BOOLEANS => ($^V ge v5.36);
-use Test::More tests => 42 + (HAVE_BOOLEANS ? 2 : 0);
+use Test::More tests => 63 + (HAVE_BOOLEANS ? 2 : 0);
use Cpanel::JSON::XS ();
use Config;
@@ -19,7 +19,7 @@
my $true = Cpanel::JSON::XS::true;
my $false = Cpanel::JSON::XS::false;
-my $nonref_cjson = Cpanel::JSON::XS->new->allow_nonref;
+my $nonref_cjson = Cpanel::JSON::XS->new;
my $unblessed_bool_cjson = Cpanel::JSON::XS->new->unblessed_bool;
# from JSON::MaybeXS
@@ -127,6 +127,34 @@
ok eval { $js->[0] = "new value 0" }, "decoded 'true' is modifiable" or
diag($@);
ok eval { $js->[1] = "new value 1" }, "decoded 'false' is modifiable" or
diag($@);
+
+# GH #207: boolean eq/ne must not match undef (which stringifies to "")
+# NOTE: we intentionally differ from JSON::PP by accepting "false" and ""
+# as eq to false, and "true" as eq to true (semantic boolean matching).
+ok(!($false eq undef), 'false ne undef via eq'); # the bug fix
+ok(!($true eq undef), 'true ne undef via eq');
+ok( $false eq "", q{false eq "" via eq}); # intentional: !!0 /
SV_NO
+ok( $false eq "false", q{false eq "false" via eq}); # intentional:
semantic
+ok( $true eq "true", q{true eq "true" via eq}); # intentional:
semantic
+ok( $true ne "", q{true ne "" via eq});
+ok( $false eq 0, 'false eq 0 via eq');
+ok( $false eq "0", q{false eq "0" via eq});
+ok( $true eq 1, 'true eq 1 via eq');
+ok( $true eq "1", q{true eq "1" via eq});
+ok( $false eq !!0, 'false eq !!0 (SV_NO) via eq'); # intentional
+# ne (must be consistent with eq)
+ok( $false ne undef, 'false ne undef via ne');
+ok(!($false ne ""), q{false eq "" via ne});
+ok(!($false ne 0), 'false eq 0 via ne');
+# cmp must agree with eq for the undef case (GH #207)
+is($false cmp undef, 1, 'false cmp undef -> 1 (ne)');
+is($false cmp "", 1, q{false cmp "" -> 1 (ne, but eq is true)});
+is($false cmp 0, 0, 'false cmp 0 -> 0 (eq)');
+# boolean-to-boolean eq
+ok( $false eq $false, 'false eq false');
+ok( $true eq $true, 'true eq true');
+ok(!($false eq $true), 'false ne true');
+ok(!($true eq $false), 'true ne false');
if(HAVE_BOOLEANS) {
no if HAVE_BOOLEANS, warnings => "experimental::builtin";
is($cjson->encode({t => builtin::true}), q({"t":true}),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/30_jsonspec.t
new/Cpanel-JSON-XS-4.42/t/30_jsonspec.t
--- old/Cpanel-JSON-XS-4.41/t/30_jsonspec.t 2024-12-12 21:55:54.000000000
+0100
+++ new/Cpanel-JSON-XS-4.42/t/30_jsonspec.t 2026-06-06 17:01:47.000000000
+0200
@@ -5,8 +5,8 @@
BEGIN {
require Encode if $] >= 5.008 && $] < 5.020; # Currently required for <5.20
}
-my $json = Cpanel::JSON::XS->new->utf8->allow_nonref;
-my $relaxed = Cpanel::JSON::XS->new->utf8->allow_nonref->relaxed;
+my $json = Cpanel::JSON::XS->new->utf8;
+my $relaxed = Cpanel::JSON::XS->new->utf8->relaxed;
# fixme:
# done:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/31_bom.t
new/Cpanel-JSON-XS-4.42/t/31_bom.t
--- old/Cpanel-JSON-XS-4.41/t/31_bom.t 2026-05-27 20:00:10.000000000 +0200
+++ new/Cpanel-JSON-XS-4.42/t/31_bom.t 2026-06-06 17:01:47.000000000 +0200
@@ -8,7 +8,7 @@
use charnames qw(:short);
use utf8;
-my $json = Cpanel::JSON::XS->new->utf8->allow_nonref;
+my $json = Cpanel::JSON::XS->new->utf8;
# parser need to succeed, result should be valid
sub y_pass {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/52_object.t
new/Cpanel-JSON-XS-4.42/t/52_object.t
--- old/Cpanel-JSON-XS-4.41/t/52_object.t 2022-05-03 13:12:46.000000000
+0200
+++ new/Cpanel-JSON-XS-4.42/t/52_object.t 2026-06-06 17:01:47.000000000
+0200
@@ -3,7 +3,7 @@
use Cpanel::JSON::XS;
-$json = Cpanel::JSON::XS->new->convert_blessed->allow_tags->allow_nonref;
+$json = Cpanel::JSON::XS->new->convert_blessed->allow_tags;
print "ok 1\n";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Cpanel-JSON-XS-4.41/t/54_stringify.t
new/Cpanel-JSON-XS-4.42/t/54_stringify.t
--- old/Cpanel-JSON-XS-4.41/t/54_stringify.t 2023-03-13 15:21:59.000000000
+0100
+++ new/Cpanel-JSON-XS-4.42/t/54_stringify.t 2026-06-06 17:01:47.000000000
+0200
@@ -10,7 +10,7 @@
or plan skip_all => 'JSON 2.09 required for cross testing';
$ENV{PERL_JSON_BACKEND} = 'JSON::PP';
}
-plan $] < 5.008 ? (skip_all => "5.6 no AMG yet") : (tests => 19);
+plan $] < 5.008 ? (skip_all => "5.6 no AMG yet") : (tests => 21);
use Cpanel::JSON::XS;
my $time = localtime;
@@ -85,3 +85,18 @@
my $data = {nick => bless({}, 'BoolTestOk')};
is( $json->convert_blessed->allow_blessed->encode($data), '{"nick":"1"}', 'GH
#124' );
+# GH #128: recursion via "" overload must not crash
+# (guard requires AMG_CALLunary, Perl 5.14+)
+SKIP: {
+ skip "GH #128 guard needs Perl 5.14+", 2 if $] < 5.014;
+ my $j = Cpanel::JSON::XS->new;
+ {
+ package StringifiyRec;
+ use overload '""' => sub { $j->encode($_[0]) };
+ }
+ my $data = bless [], 'StringifiyRec';
+ my $result = eval { $j->convert_blessed->allow_blessed->encode($data) };
+ ok(!$@, 'GH #128: recursion via "" overload does not crash')
+ or diag "Error: $@";
+ is($result, '"null"', 'GH #128: recursion returns null from allow_blessed');
+}
++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.zEmw9q/_old 2026-06-10 16:18:51.060613329 +0200
+++ /var/tmp/diff_new_pack.zEmw9q/_new 2026-06-10 16:18:51.064613495 +0200
@@ -1,6 +1,6 @@
-mtime: 1780497518
-commit: 3024bba776fbad22de0275bffc349ada253df7bec91007e892dd5eb7cf7772e7
+mtime: 1780912543
+commit: 8012fc8490d5638fbac6d0d6c00c04da0dc8dcefcb102980b22914dd62bb719e
url: https://src.opensuse.org/perl/perl-Cpanel-JSON-XS
-revision: 3024bba776fbad22de0275bffc349ada253df7bec91007e892dd5eb7cf7772e7
+revision: 8012fc8490d5638fbac6d0d6c00c04da0dc8dcefcb102980b22914dd62bb719e
projectscmsync: https://src.opensuse.org/perl/_ObsPrj
++++++ build.specials.obscpio ++++++
++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore 1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore 2026-06-08 11:55:43.000000000 +0200
@@ -0,0 +1 @@
+.osc
