Unexpected parsing error in json module
- Affected Components: json
- Operating System: Linux
- Python Versions: 2.6.x, 2.7.x, 3.1.x, 3.2.x
- Reproducible: Yes
```python
from __future__ import print_function  # lets the same script run on Python 2.6+ and 3.x
import sys
import json

# Only the first case exercises json.loads(); the remaining cases call json.dumps()
# (the "LOADS" wording in the labels is the script's own and is kept for the output below).
try:
    b = json.loads('42')
    print("JSON LOADS STRING %r" % (b,))
except Exception:
    print("JSON UNABLE TO LOAD STRING")
try:
    c = json.dumps(int(3.141592))
    print("JSON LOADS INTEGER %r" % (c,))
except Exception:
    print("JSON UNABLE TO LOAD INTEGER")
try:
    d = json.dumps(float(3.141592))
    print("JSON LOADS FLOAT %r" % (d,))
except Exception:
    print("JSON UNABLE TO LOAD FLOAT")
try:
    e = json.dumps(complex(3.141592))
    print("JSON LOADS COMPLEX! %r" % (e,))
except Exception:
    print("JSON UNABLE TO LOAD COMPLEX")
try:
    f = json.dumps([[3], [5], [7]])
    print("JSON LOADS LIST! %r" % (f,))
except Exception:
    print("JSON UNABLE TO LOAD LIST")
try:
    t = json.dumps((1, 2, 3))  # case missing from the original script but present in its output
    print("JSON LOADS TUPLE! %r" % (t,))
except Exception:
    print("JSON UNABLE TO LOAD TUPLE")
try:
    g = json.dumps({'abc': 456})
    print("JSON LOADS DICTIONARY! %r" % (g,))
except Exception:
    print("JSON UNABLE TO LOAD DICTIONARY")
try:
    h = json.dumps(bytearray(b"hello"))  # b"" so a bytearray is actually built on Python 3 as well
    print("JSON LOADS BYTEARRAY! %r" % (h,))
except Exception:
    print("JSON UNABLE TO LOAD BYTEARRAY")
sys.exit(0)
```
To reproduce the problem, copy the source code into a file and execute the script with the following command:

```sh
$ python -OOBRtt test.py
```

Alternatively, open Python in interactive mode:

```sh
$ python -OOBRtt
```

and paste the lines of code into the interpreter.
According to RFC 4627, a JSON text must be an object or an array at the top level (a dictionary or a list, in Python terms). However, execution of the test script produces the following output:
```text
JSON LOADS STRING 42
JSON LOADS INTEGER '3'
JSON LOADS FLOAT '3.141592'
JSON UNABLE TO LOAD COMPLEX
JSON LOADS LIST! '[[3], [5], [7]]'
JSON LOADS TUPLE! '[1, 2, 3]'
JSON LOADS DICTIONARY! '{"abc": 456}'
JSON UNABLE TO LOAD BYTEARRAY
```
The expected behaviour of the json module would be to load only lists and dictionaries, but Python's implementation also accepts basic types (integers, strings, floats, etc.) as the top-level value. Code that assumes `json.loads()` always returns a dict or a list will therefore receive a scalar for input such as `42` without any error being raised.
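As an added example (not part of the original report), the following wrapper restricts `json.loads()` to what RFC 4627 calls a JSON text, rejecting a top-level scalar, and also rejects the bare `NaN`/`Infinity` tokens that Python's decoder accepts by default, which the report does not mention but which fail the same standard. The sample inputs are constructed; `loads_strict`, `NonStandardJSONError` and `audit` are names chosen here.

```python
import json

# Constructed inputs: the page's scalar/list/dict cases plus NaN and a malformed document.
SAMPLES = ['42', '"hello"', '3.141592', 'NaN', '[[3], [5], [7]]', '{"abc": 456}', '{bad']


class NonStandardJSONError(ValueError):
    """Input that json.loads() accepts but RFC 4627 does not allow."""


def _reject_constant(token):
    # The decoder calls this for the bare tokens NaN, Infinity and -Infinity,
    # which Python accepts by default although they are not JSON.
    raise NonStandardJSONError("non-standard constant %s" % token)


def loads_strict(text):
    """json.loads() restricted to an RFC 4627 JSON text: the top-level
    value must be an object or an array, and no NaN/Infinity tokens."""
    value = json.loads(text, parse_constant=_reject_constant)
    if not isinstance(value, (dict, list)):
        raise NonStandardJSONError(
            "top-level value must be an object or array, got %s" % type(value).__name__)
    return value


def permissive_type(text):
    """Type name json.loads() produces for text, or 'error' if it refuses it."""
    try:
        return type(json.loads(text)).__name__
    except ValueError:
        return "error"


def strict_outcome(text):
    """'ok' if loads_strict() accepts text, 'rejected' if json.loads() takes it
    but RFC 4627 does not, 'error' if it is not parseable at all."""
    try:
        loads_strict(text)
        return "ok"
    except NonStandardJSONError:  # must precede ValueError: it is a subclass of it
        return "rejected"
    except ValueError:
        return "error"


def audit(samples=SAMPLES):
    """Map each sample to (what json.loads() makes of it, what the strict loader does)."""
    return dict((s, (permissive_type(s), strict_outcome(s))) for s in samples)


if __name__ == "__main__":
    for sample, (loose, strict) in sorted(audit().items()):
        print("%-18r json.loads -> %-6s strict -> %s" % (sample, loose, strict))
```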
Note that a new RFC has been proposed that relaxes the requirements to bring them closer to the de-facto standard JSON implementations used in common web browsers. The new superseding JSON RFC can be found at:
https://tools.ietf.org/html/rfc7159
The errata to the new RFC are at:
http://www.rfc-editor.org/errata_search.php?rfc=7159
And the reference standard ECMA-404 is at:
http://www.ecma-international.org/publications/standards/Ecma-404.htm
We are not aware of any easy solution other than trying to avoid using 'json' in cases like the one examined.
- [Python json module](https://docs.python.org/2/library/json.html)
- [RFC 4627](http://www.ietf.org/rfc/rfc4627.txt)
- [RFC 7159](https://tools.ietf.org/html/rfc7159)
- [RFC 7159 Errata](http://www.rfc-editor.org/errata_search.php?rfc=7159)
- [Standard ECMA-404](http://www.ecma-international.org/publications/standards/Ecma-404.htm)
- [Python bug 13212](http://bugs.python.org/issue13212)
- [Python bug 21514](http://bugs.python.org/issue21514)
Main site: pythonsecurity.org
OWASP Page: owasp.org/index.php/OWASP_Python_Security_Project