[PATCH] templatefilters: don't escape <> in JSON

Matt Mackall mpm at selenic.com
Thu Mar 5 12:36:01 CST 2015


On Wed, 2015-03-04 at 15:37 -0800, Pierre-Yves David wrote:
> 
> On 01/16/2015 11:24 AM, Gregory Szorc wrote:
> > On 1/16/15 11:20 AM, Matt Mackall wrote:
> >> On Thu, 2015-01-15 at 21:04 -0800, Gregory Szorc wrote:
> >>> # HG changeset patch
> >>> # User Gregory Szorc <gregory.szorc at gmail.com>
> >>> # Date 1421384385 28800
> >>> #      Thu Jan 15 20:59:45 2015 -0800
> >>> # Node ID a07b22eefd8e4c629b739778b3ca5f3d53a8b1de
> >>> # Parent  049a9e3a078d7c988cb12ed456aad6ec2779ea69
> >>> templatefilters: don't escape <> in JSON
> >>>
> >>> 55c763926a28 added escaping of "<" and ">" in JSON. I could not find any
> >>> specification claiming that these are special characters that need to be
> >>> escaped. Furthermore, feeding these characters through both Python's and
> >>> SpiderMonkey's JSON serialization API revealed no escaping.
> >>
> >> The original patch was not technically paranoid because I already had an
> >> hgweb exploit. Discovered it somewhere while working through the first
> >> dozen levels of this:
> >>
> >> http://escape.alf.nu/
> >
> > Well, then I argue it's a failure in hgweb to escape content from JSON
> > entities.
> >
> > It would be a general issue if this set of escapes applied to other
> > encoders (like HTML). But I could find no such use.
> 
> So, what is the status of this? Matt, are you convinced by Greg's argument
> (so we take the patch), or should we drop it? If we drop it, do we need
> something else?

I dropped it ages ago.

I know there are (multiple) exploits here, so obviously the patch can't go
in by itself.

I also know that the known exploits are not going to be obvious to
future template writers and reviewers, and there are probably some
unknown exploits we'll be defended from as well. As the JSON spec allows
escaping any and all characters, there's really no good argument for
removing the safety net here.

(FWIW, Facebook escapes the letter 'e' in their back-end to make it
dead-obvious if some data path hasn't been sanitized properly.)

-- 
Mathematics is the supreme nostalgia of our time.
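Added example (written for this page, not Mercurial's own templatefilters code) showing the point the thread is arguing over: a standard encoder such as Python's json module leaves "<" and ">" untouched, which is what lets attacker-controlled data such as a commit description terminate an inline <script> element once the JSON is pasted into an HTML page, whereas rewriting those two characters as \u003c and \u003e keeps the output valid JSON that decodes back to the same string. The embed_in_script template, the HOSTILE_DESC payload and the extra handling of "&" are assumptions made here for illustration; none of them come from the thread.

```python
import json
import re

# Constructed sample: an attacker-controlled commit description. Placed
# verbatim inside an inline <script> block it closes the script element early.
HOSTILE_DESC = '</script><script>alert(document.cookie)</script>'

# Characters the JSON grammar never requires escaping but an HTML parser treats
# as markup. The grammar allows any character to be written as \uXXXX, so
# replacing them keeps the document valid JSON. Handling '&' is an assumption
# added here; the thread only discusses '<' and '>'.
_HTML_UNSAFE = {
    '<': '\\u003c',
    '>': '\\u003e',
    '&': '\\u0026',
}

# hypothetical inline-script template, standing in for a web template that
# hands JSON to page JavaScript; not taken from hgweb
_SCRIPT_TEMPLATE = '<script>var data = %s;</script>'
_SCRIPT_END = re.compile(r'</script', re.IGNORECASE)


def json_html_safe(obj) -> str:
    """Serialize obj as JSON, then escape the characters HTML parsers act on.

    json.dumps(ensure_ascii=True) already \\u-escapes every non-ASCII character,
    so only the ASCII characters in _HTML_UNSAFE need post-processing. Doing
    the replacement on the serialized text is safe because '<', '>' and '&'
    are never JSON structural tokens and never appear inside a \\u escape.
    """
    text = json.dumps(obj, ensure_ascii=True)
    for ch, esc in _HTML_UNSAFE.items():
        text = text.replace(ch, esc)
    return text


def embed_in_script(json_text: str) -> str:
    """Paste already-serialized JSON into the inline-script template."""
    return _SCRIPT_TEMPLATE % json_text


def script_breaks_out(html: str) -> bool:
    """True if the page contains more than the template's own '</script'.

    An HTML parser ends a script element at the first '</script' it sees,
    regardless of JavaScript string context, so a second occurrence means the
    payload escaped the script element and the rest is parsed as markup.
    """
    return len(_SCRIPT_END.findall(html)) > 1


def naive_page(obj) -> str:
    """Page built with the stock encoder: '<' and '>' pass through unchanged."""
    return embed_in_script(json.dumps(obj, ensure_ascii=True))


def safe_page(obj) -> str:
    """Page built with the HTML-aware encoder."""
    return embed_in_script(json_html_safe(obj))


def roundtrips(obj) -> bool:
    """The escaped form is still valid JSON decoding to the original value."""
    return json.loads(json_html_safe(obj)) == obj


if __name__ == '__main__':
    data = {'desc': HOSTILE_DESC}
    print('naive page breaks out:', script_breaks_out(naive_page(data)))  # True
    print('safe page breaks out: ', script_breaks_out(safe_page(data)))   # False
    print('escaped JSON decodes to original:', roundtrips(data))          # True
    print(json_html_safe(data))
```

The check in script_breaks_out deliberately ignores JavaScript string syntax: that is exactly the mismatch being exploited, since the HTML tokenizer finishes the script element before the JavaScript engine ever sees the string. The escape table is applied after serialization rather than inside the encoder, so it composes with any encoder that emits standard JSON.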




More information about the Mercurial-devel mailing list