Bug#878091: jq: accepts invalid JSON

2022-07-07 Thread Thorsten Glaser
Package: jq
Version: 1.6-2.1
Followup-For: Bug #878091
X-Debbugs-Cc: t...@mirbsd.de

Still pertinent in latest version:

$ echo '[.1,0.2]' | jq -c .
[0.1,0.2]



-- System Information:
Debian Release: 11.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'oldoldstable'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-10-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages jq depends on:
ii  libc6   2.31-13+deb11u3
ii  libjq1  1.6-2.1

jq recommends no packages.

jq suggests no packages.

-- no debconf information



Bug#878091: jq: accepts invalid JSON

2022-07-07 Thread Thorsten Glaser
Package: jq
Version: 1.5+dfsg-2+b1
Followup-For: Bug #878091

Same:

$ echo '[.1,0.2]' | jq -c .
[0.1,0.2]

With no flag to turn this off, I’d almost consider this serious.

-- System Information:
Debian Release: 10.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-0.bpo.15-amd64 (SMP w/3 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages jq depends on:
ii  libc6     2.28-10+deb10u1
ii  libjq1    1.5+dfsg-2+b1
ii  libonig5  6.9.1-1

jq recommends no packages.

jq suggests no packages.

-- no debconf information


Bug#878091: jq: accepts invalid JSON

2019-10-09 Thread 陳昌倬
Control: forwarded -1 https://github.com/stedolan/jq/issues/1404


-- 
ChangZhuo Chen (陳昌倬) czchen@{czchen,debconf,debian}.org
http://czchen.info/
Key fingerprint = BA04 346D C2E1 FE63 C790  8793 CC65 B0CD EC27 5D5B




Bug#878091: jq: accepts invalid JSON

2017-10-09 Thread Thorsten Glaser
Package: jq
Version: 1.5+dfsg-2
Severity: important
Tags: upstream

jq silently accepts illegal JSON:

tglase@tglase:~ $ jq <<<'[0,01,2]'
[
  0,
  1,
  2
]
tglase@tglase:~ $ jsn <<<'[0,01,2]'
JSON decoding of input failed: {
  "input": "[0,01,2]\n",
  "message": "missing comma in Array at offset 0x4"
}

A Number may not have a leading zero. Secondary reference:
http://www.json.org/JSON_checker/test.zip

-- System Information:
Debian Release: buster/sid
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.12.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages jq depends on:
ii  libc6     2.24-17
ii  libjq1    1.5+dfsg-2
ii  libonig4  6.6.1-1

jq recommends no packages.

jq suggests no packages.

-- no debconf information
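
Added example, not part of the thread or of jq: a strict pre-validation gate that a pipeline could run on untrusted input before handing it to jq, since the reports above note there is no flag to turn the lenient number parsing off. The function names (bad_numbers, strict_check) are hypothetical; the first two sample inputs are the ones from the reports and the third is constructed.

```python
import json
import re

# RFC 8259 number grammar: no leading zero, digits required on both sides of '.'
NUMBER = re.compile(r'-?(?:0|[1-9][0-9]*)(?:\.[0-9]+)?(?:[eE][+-]?[0-9]+)?')
# Anything a lenient parser might try to read as a number
NUMBERISH = re.compile(r'[-+.0-9][-+.0-9eE]*')
STRING = re.compile(r'"(?:[^"\\]|\\.)*"')


def bad_numbers(text):
    """Return [(offset, token)] for number-like tokens that violate RFC 8259."""
    found, pos = [], 0
    while pos < len(text):
        m = STRING.match(text, pos)
        if m:  # digits inside strings are data, not numbers
            pos = m.end()
            continue
        m = NUMBERISH.match(text, pos)
        if m:
            if not NUMBER.fullmatch(m.group()):
                found.append((pos, m.group()))
            pos = m.end()
            continue
        pos += 1
    return found


def _reject_constant(name):
    # Python's json module accepts NaN/Infinity by default; refuse them here.
    raise ValueError(f"non-standard constant {name}")


def strict_check(text):
    """Return (ok, message); ok is True only for strictly valid JSON."""
    for off, tok in bad_numbers(text):
        return False, f"invalid number {tok!r} at offset 0x{off:x}"
    try:
        json.loads(text, parse_constant=_reject_constant)
    except ValueError as exc:  # JSONDecodeError is a ValueError
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    # First two inputs are the ones from the reports; the third is constructed.
    for sample in ('[.1,0.2]', '[0,01,2]\n', '{"v":"01 .5","n":-0.5e+3}'):
        print(repr(sample), strict_check(sample))
```

The reported offset is the start of the offending token, so it can differ from the offset another strict parser prints for the same input.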