depth limit of 400 when parsing JSON ! Why?

[mamtananavati]

Why was the depth limit set to 400 and is there a way to override this?

[hezhangjian]

Thanks for your reply, let me take a look this weekend

[ewoelfel]

I guess the limitation was done due to this CVE the error was found under Jfrog.

So it seems to be necessary, however a patch version upgrade would not be sufficient for this breaking change imho.

This is also related to the issue #132

[hezhangjian]

I think #133 can close this issue. Feel free to reopen it.

[ColdFireIce]

As I agree, that 400 should be enough depth, the argument still stands.
Shouldn't there be an option to override this default value?

[hezhangjian]

@ColdFireIce I think it was hard coded to fix security problems. It's reasonable for users to override this default value

[hezhangjian]

@ColdFireIce Since depth 400 is enough for mostly scenario. And now we only have one int param(premissive). I believe it can be scheduled in future version.

[UrielCh]

V2.4.10 is released.

wait for confirmation before closing the issue.

[ColdFireIce]

Thank you for the release. But this issue does not relate to the Problem in #132.
This issue here asks for a feature in the future to override the default value for the call-depth.

[UrielCh]

Okay, please provide me a case where anyone needs more than 400 call-depth.

If you find one we can add an argument to customize this limit.