Attackers do not stick to the rules. It sounds to me like one of the
security considerations for any standard that employs JSON, or any other
structured data language, is to ensure that the input is validated to be
compliant. I have been in the position of trying to enforce type checking
on experienced dev teams and been told that type checking should happen
before they get the data.

thx ..Tom (mobile)

On Tue, Oct 3, 2023, 8:02 AM Watson Ladd <watsonbl...@gmail.com> wrote:

> On Mon, Oct 2, 2023, 11:56 PM Denis <denis.i...@free.fr> wrote:
> >
> > Hi Justin,
> >
> > Your premise relies on a feature of JSON that does not exist. JSON does
> not provide well-defined behavior for repeated names within an object:
> >
> > When the names within an object are not
> > unique, the behavior of software that receives such an object is
> > unpredictable.
> >
> > You should also cite the next two sentences which are:
> >
> >        Many implementations report the last name/value pair only.  Other
> implementations report an error or fail
> >        to parse the object, and some implementations report all of the
> name/value pairs, including duplicates.
> >
> > A specification might require the use of implementations that report all
> of the name/value pairs, including duplicates.
>
> That's not sticking to JSON semantics. Extending JSON to be a
> multifunction, or worse, a sequence of key/value pairs, changes the
> semantics. If you use JSON, stick to RFC 8259, as it interoperates and
> does not gratuitously cause problems.
>
> Justin is right.
>
> Sincerely,
> Watson Ladd
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
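The thread above turns on the RFC 8259 text that repeated names in a JSON object give "unpredictable" behaviour, with most parsers keeping the last pair. The example below is added here to illustrate that point concretely; it is not code from any of the posters or from an OAuth specification. It uses Python's standard `json` module, whose `object_pairs_hook` receives every name/value pair the decoder saw (including duplicates, and for nested objects too), so a receiver can refuse non-unique names instead of silently taking the last one, and then type-check the members it expects. The sample document, the member names `client_id` and `scope`, and the `EXPECTED_TYPES` schema are constructed for the example and are not from the page.

```python
import json
from typing import Any


class DuplicateNameError(ValueError):
    """Raised when a JSON object carries the same name more than once."""


def _reject_duplicates(pairs: list) -> dict:
    # object_pairs_hook is called for every object in the document with the
    # full list of (name, value) pairs the decoder saw, duplicates included,
    # so duplicates can be caught before dict construction collapses them.
    obj: dict = {}
    for name, value in pairs:
        if name in obj:
            raise DuplicateNameError(f"duplicate name {name!r} in JSON object")
        obj[name] = value
    return obj


def parse_json_strict(text: str) -> Any:
    """Parse JSON per RFC 8259 but refuse any object with repeated names."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def parse_json_lenient(text: str) -> Any:
    """Plain json.loads: the last name/value pair silently wins."""
    return json.loads(text)


# Constructed sample (not from the thread): an OAuth-style document in which
# the "scope" member is repeated, hoping a last-wins consumer sees "admin"
# while a first-wins or all-pairs consumer elsewhere sees "read".
SAMPLE_DUPLICATE = '{"client_id": "app-1", "scope": "read", "scope": "admin"}'
SAMPLE_CLEAN = '{"client_id": "app-1", "scope": "read"}'

# Hypothetical expected shape for the document: member name -> required type.
EXPECTED_TYPES = {"client_id": str, "scope": str}


def check_types(obj: dict, schema: dict) -> list:
    """Return a list of problems; an empty list means obj matches schema."""
    problems = []
    for name, typ in schema.items():
        if name not in obj:
            problems.append(f"missing {name!r}")
        elif not isinstance(obj[name], typ):
            problems.append(
                f"{name!r} has type {type(obj[name]).__name__}, expected {typ.__name__}"
            )
    for name in obj:
        if name not in schema:
            problems.append(f"unexpected member {name!r}")
    return problems


def validate(text: str) -> dict:
    """Strict parse followed by type checking; raises ValueError on any failure."""
    obj = parse_json_strict(text)
    if not isinstance(obj, dict):
        raise ValueError("top-level JSON value must be an object")
    problems = check_types(obj, EXPECTED_TYPES)
    if problems:
        raise ValueError("; ".join(problems))
    return obj


if __name__ == "__main__":
    print("lenient:", parse_json_lenient(SAMPLE_DUPLICATE))
    try:
        parse_json_strict(SAMPLE_DUPLICATE)
    except DuplicateNameError as err:
        print("strict:", err)
    print("validated:", validate(SAMPLE_CLEAN))
```

The lenient parse of `SAMPLE_DUPLICATE` yields `scope == "admin"`, which is exactly the last-pair-wins behaviour the RFC describes; the strict parse raises instead, so two components using this receiver cannot disagree about what the document said. Rejecting duplicates at the parser is the cheap part; the type check afterwards is the part that tends to get pushed "before we get the data" and therefore never happens.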