[
https://issues.apache.org/jira/browse/CONFIGURATION-258?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15975144#comment-15975144
]
Joerg Schaible commented on CONFIGURATION-258:
----------------------------------------------
Usage of the JavaScript interpreter is a bad idea, because its evaluation is not
limited to JSON, but will evaluate any kind of JavaScript expression, even opening
security issues:
{code:javascript}
{
"regexp": /foo/,
"oops": new java.lang.ProcessBuilder(new java.lang.String("notepad.exe"),
new java.lang.String("c:\\boot.ini")).start()
}
{code}
Not sure if I got it right by heart, but you get the idea. A real
JSON parser does not allow this at all.
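As an added illustration of the point above (example code written for this page, not from the JIRA thread or from Commons Configuration): the same object-literal text handed to a script engine gets its expressions executed, while a real JSON parser rejects anything outside the JSON grammar before any evaluation can happen. The inputs are constructed; the expression used is a harmless `1 + 1` standing in for the process-spawning call in the comment.

```javascript
// Constructed sample inputs. The first is valid JSON (a trimmed form of the
// menu example from the issue); the second is a JavaScript object literal,
// not JSON: it carries a regex literal and an expression a script engine
// would execute.
const validConfig = '{"menu": {"id": "file", "value": "File"}}';
const jsLiteralConfig = '{"regexp": /foo/, "oops": (1 + 1)}';

// Unsafe approach: hand the text to the JavaScript engine. Every expression
// in the input is executed, which is exactly the problem described above.
function parseWithInterpreter(text) {
  return new Function("return (" + text + ");")();
}

// Safe approach: a real JSON parser. Anything outside the JSON grammar is a
// SyntaxError, so no expression in the input can ever run.
function parseWithJsonParser(text) {
  return JSON.parse(text);
}

// Classifies an input without executing it: "json" if a real JSON parser
// accepts it, "rejected" if it is not JSON.
function classifyConfig(text) {
  try {
    JSON.parse(text);
    return "json";
  } catch (e) {
    if (e instanceof SyntaxError) return "rejected";
    throw e;
  }
}

// Runs both parsers over the constructed inputs and reports the difference.
function demo() {
  const viaInterpreter = parseWithInterpreter(jsLiteralConfig);
  return {
    interpreterEvaluatedExpression: viaInterpreter.oops === 2,      // true: code ran
    interpreterMadeRegExp: viaInterpreter.regexp instanceof RegExp, // true
    strictValid: classifyConfig(validConfig),                        // "json"
    strictJsLiteral: classifyConfig(jsLiteralConfig),                // "rejected"
  };
}

console.log(demo());
```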
> JSON configuration
> ------------------
>
> Key: CONFIGURATION-258
> URL: https://issues.apache.org/jira/browse/CONFIGURATION-258
> Project: Commons Configuration
> Issue Type: New Feature
> Components: Format
> Affects Versions: 1.3
> Reporter: Antonio López-Cerón Vivo
> Priority: Minor
> Fix For: 2.x
>
>
> JSON is a lightweight data-interchange format
> {code}
> {"menu": {
> "id": "file",
> "value": "File",
> "popup": {
> "menuitem": [
> {"value": "New", "onclick": "CreateNewDoc()"},
> {"value": "Open", "onclick": "OpenDoc()"},
> {"value": "Close", "onclick": "CloseDoc()"}
> ]
> }
> }}
> {code}
> All references can be located at
> http://www.json.org/
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)