Comments (4)
Try upgrading to 1.6.0.
from multi_json.
see this discussion here: flori/json#159
from multi_json.
Is there a distinction between safe and unsafe methods for JSON deserialisation in MultiJson? The main problem with the recent security problems in Rails seems to be that there is no clear distinction between safe and unsafe interfaces to do this.
There are two major use cases why someone would want to deserialise something:
- Loading for example a configuration or a database record from a trusted source (can be unsafe),
- Parsing a message from a web client, etc., that is an untrusted source (should be very safe, that is prohibiting DoS attacks, injections, etc.).
The problem is how people can be directed to use the safe way when they don't bother thinking about the security implications, while still allowing people to do the unsafe things, if they really want to. The latter way should be cumbersome or deterrent enough, so the former group of people can never coincidentally stumble upon it.
from multi_json.
I think that there is no distinction in MultiJson for this purpose.
Our problem is that we use it to talk to our "trusted" CouchDB and handle object serialization while it also supports "untrusted" JSON requests from web clients...
Nevertheless, I think that these security updates should manifest in minor or even major version updates.
The json gem fix version update from 1.7.6 to 1.7.7 breaks our whole app and there is no way of configuring it to work like before.
The same is true for Oj. MultiJson does not allow :compat mode, so deserialization is completely disabled:
https://github.com/intridea/multi_json/blob/master/lib/multi_json/adapters/oj.rb#L19
from multi_json.
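An added example (not code from this thread or from the MultiJson project) of the safe/unsafe split the comments above ask for, written against the json gem directly: the loader for untrusted input never enables create_additions, so a json_class marker stays ordinary data, while the loader for trusted records opts in explicitly and revives only classes the application registered (here Range, via json/add/range). The input document and the helper names are constructed for the example.

```ruby
require 'json'
require 'json/add/range' # registers Range.json_create, used only by the trusted path

# Constructed sample document carrying the json gem's "json_class" marker.
# With create_additions enabled the gem revives the named class; without it,
# the marker is nothing more than a string key in a Hash.
SAMPLE_INPUT = '{"json_class":"Range","a":[1,10,false]}'

# Untrusted sources (web clients, external APIs): object revival is never
# enabled, so the result can only be Hash/Array/String/Numeric/true/false/nil.
def load_untrusted(json)
  JSON.parse(json, create_additions: false)
end

# Trusted sources (the application's own database records): revival is an
# explicit opt-in at the call site, which keeps it out of the default path.
def load_trusted(json)
  JSON.parse(json, create_additions: true)
end

# Guard for the untrusted path: true if the parsed value consists solely of
# plain JSON data types, all the way down (no revived application objects).
def plain_json_only?(value)
  case value
  when Hash  then value.all? { |k, v| k.is_a?(String) && plain_json_only?(v) }
  when Array then value.all? { |v| plain_json_only?(v) }
  when String, Integer, Float, true, false, nil then true
  else false
  end
end

if __FILE__ == $PROGRAM_NAME
  untrusted = load_untrusted(SAMPLE_INPUT)
  trusted   = load_trusted(SAMPLE_INPUT)
  puts "untrusted: #{untrusted.class} #{untrusted.inspect}"   # Hash, marker kept as data
  puts "trusted:   #{trusted.class} #{trusted.inspect}"       # Range 1..10
  puts "untrusted is plain JSON only: #{plain_json_only?(untrusted)}"
end
```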