On May 1, 4:49 pm, "Bob Ippolito" <[EMAIL PROTECTED]> wrote:
> > Will there be a fix for http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2381
> > in the 1.3.1 branch?
>
> Nope. It's not a real security issue, not with MochiKit anyway. The
> recommended "fix" would mean supporting some junk that's not JSON
> anymore. I've already caved and put said support on the trunk just so
> people would shut up about the issue, but I'm certainly not going to
> make a maintenance release to "fix" this non-issue.
>
> Ensuring that your server only sends JSON when properly authenticated,
> or otherwise sending only non-exploitable JSON (e.g. JSON with an
> object envelope) is the only solution to this problem.
>
> Only a very small subset of JSON, specifically [array, envelope, json]
> is susceptible to this data leakage attack. Don't send that stuff on
> the server-side, and there is no problem. Most people don't send array
> envelope JSON anyhow. Either way, totally irrelevant to the
> client-side. It's like saying that we should fix browsers so that they
> can't be used to mount a SQL injection attack on a poorly written
> service.
OK, fair enough. I'm just going through the proper motions to handle a bug report against my package in Fedora (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=238616).

Cheers,
Konstantin
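The server-side distinction Bob draws above (a bare JSON array is a valid JavaScript program, an object-enveloped response is not), as an added example that is not part of this thread or of MochiKit; the record list is constructed sample data and the function names are my own:

```javascript
// Added example, not MochiKit code. A bare JSON array such as [{"id":1}]
// is also a syntactically valid JavaScript program, which is the property
// the CVE-2007-2381 data-leakage attack depends on. The same data inside an
// object envelope, {"d": [...]}, does not parse as a script at all, so a
// page that includes the endpoint as a script gets a syntax error instead
// of the data. SAMPLE_RECORDS is constructed sample data.

const SAMPLE_RECORDS = [
  { id: 1, email: 'alice@example.invalid' },
  { id: 2, email: 'bob@example.invalid' },
];

// true if a JavaScript parser would accept the text as a program.
// new Function only parses the body, it never runs it, so calling this on
// our own response bodies is safe.
function loadableAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Serialize with an object envelope instead of a top-level array.
function envelope(value) {
  return JSON.stringify({ d: value });
}

// Guard for an outgoing body: reject a top-level JSON array and anything
// that would parse as a script. Note that an empty object "{}" is also
// rejected (it parses as an empty block); it carries no data anyway.
function assertSafeJsonBody(text) {
  const parsed = JSON.parse(text);
  if (Array.isArray(parsed)) {
    throw new Error('refusing to send a top-level JSON array');
  }
  if (loadableAsScript(text)) {
    throw new Error('response body parses as a script');
  }
  return text;
}

function demo() {
  const bare = JSON.stringify(SAMPLE_RECORDS);   // '[{"id":1,...},{...}]'
  const wrapped = envelope(SAMPLE_RECORDS);       // '{"d":[{"id":1,...},{...}]}'
  return {
    bareLoadable: loadableAsScript(bare),         // true
    wrappedLoadable: loadableAsScript(wrapped),   // false
    wrappedBody: assertSafeJsonBody(wrapped),
  };
}
```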
