Hi Alan

Alan Kennedy wrote:
Well, the python JSON codec provided appears to use eval, which might make it *seem* unsecure.

http://www.json-rpc.org/pyjsonrpc/index.xhtml

But a more detailed examination of the code indicates, to this reader at least, that it can be made completely secure very easily. The designer of the code could very easily have not used eval, and possibly didn't do so simply because he wasn't thinking in security terms.
[...]

Very interesting indeed.

So I don't think there are any serious security issues here: the "simplicity" of the JSON grammar is what attracted me to it in the first place, especially since there are already robust and efficient lexers and parsers available built-in to python and javascript (and javascript interpreters are getting pretty ubiquitous these days).

The cross-platform/language aspect is quite nice indeed.

And it's certainly the case that if the only available python impl of JSON/RPC is not secure, it is possible to write one that is both efficient and secure.

I think we (?) should do this then, and send it to the author of the original version so that he can make an improved version available? I think there are more people interested in a secure marshaling implementation than just me :)


I'll still have to look at Twisted's Jelly.


Thanks for your analysis,
--Irmen

--
http://mail.python.org/mailman/listinfo/python-list
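The secure alternative the thread argues for, as an added example (my code, not the pyjsonrpc codec or anything posted in the thread): `eval_decode` is a constructed illustration of the eval-based pattern, and `json_decode` is a strict recursive-descent decoder that accepts only the JSON grammar and evaluates nothing. Function names, the token regex and the test inputs are my own assumptions.

```python
import re
# Tokenizer for the JSON grammar only (punctuation, string, number, literal);
# raw control characters in strings and unknown escapes simply do not match.
_TOKEN = re.compile(r'\s*(?:(?P<p>[\[\]{}:,])|(?P<s>"(?:[^"\\\x00-\x1f]|\\["\\/bfnrt]|\\u[0-9a-fA-F]{4})*")'
                    r'|(?P<n>-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?)|(?P<l>true|false|null))')
_ESC = {'"': '"', '\\': '\\', '/': '/', 'b': '\b', 'f': '\f', 'n': '\n', 'r': '\r', 't': '\t'}
_LIT = {'true': True, 'false': False, 'null': None}
def _unescape(tok):  # strip the quotes, resolve the escapes the tokenizer allowed
    return re.sub(r'\\(u[0-9a-fA-F]{4}|.)', lambda m: chr(int(m.group(1)[1:], 16))
                  if m.group(1)[0] == 'u' else _ESC[m.group(1)], tok[1:-1])
def eval_decode(text):  # the pattern the thread objects to (constructed illustration):
    return eval(text, {"true": True, "false": False, "null": None})  # runs any Python
def json_decode(text):
    """Strict recursive-descent decoder: only the JSON grammar is accepted, nothing is evaluated."""
    pos = 0
    def next_token():
        nonlocal pos
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError("invalid JSON at offset %d" % pos)
        pos = m.end()
        return m.lastgroup, m.group(m.lastgroup)
    def items(close):  # yield the comma-separated item tokens up to `close`
        kind, tok = next_token()
        while tok != close:
            yield kind, tok
            kind, tok = next_token()
            if tok == ',':
                kind, tok = next_token()
                if tok == close:
                    raise ValueError("trailing comma at offset %d" % pos)
            elif tok != close:
                raise ValueError("expected , or %s at offset %d" % (close, pos))
    def pair(kind, tok):  # one "key": value member of an object
        if kind != 's' or next_token()[1] != ':':
            raise ValueError('expected "key": at offset %d' % pos)
        return _unescape(tok), value(*next_token())
    def value(kind, tok):
        if tok == '[':
            return [value(k, t) for k, t in items(']')]
        if tok == '{':
            return dict(pair(k, t) for k, t in items('}'))
        if kind == 'p':  # no other punctuation can start a value
            raise ValueError("unexpected %r at offset %d" % (tok, pos))
        if kind == 'n':
            return float(tok) if any(c in tok for c in '.eE') else int(tok)
        return _LIT[tok] if kind == 'l' else _unescape(tok)
    result = value(*next_token())
    if text[pos:].strip():
        raise ValueError("trailing data at offset %d" % pos)
    return result
```

`eval_decode("2 ** 8")` happily returns 256 because the text is just handed to the Python interpreter, while `json_decode` raises ValueError on the same input; `\u` escapes for surrogate pairs are decoded as two separate code points, which a production decoder would combine.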
