CVE-2023-5072: disallow nested object/array keys & detect embedded \0 #1

Merged
merged 2 commits into from
Apr 1, 2024
6 changes: 4 additions & 2 deletions org/json/JSONObject.java
Expand Up @@ -187,8 +187,7 @@ public JSONObject(JSONTokener x) throws JSONException {
case '}':
return;
default:
x.back();
key = x.nextValue().toString();
key = x.nextSimpleValue(c).toString();
}

/*
Expand All @@ -215,6 +214,9 @@ public JSONObject(JSONTokener x) throws JSONException {
if (x.nextClean() == '}') {
return;
}
if (x.end()) {
throw x.syntaxError("A JSONObject text must end with '}'");
}
x.back();
break;
case '}':
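Review bot: The added `x.end()` test in the second hunk is correct only because it sits before `x.back()`, and nothing in the code says so; `back()` in JSONTokener (visible in this PR) resets the `eof` flag, so swapping the two lines would make a truncated object such as `{"a":1,` look readable again instead of being rejected. I would add a comment above the check: `// must precede back(): back() clears the tokener's eof flag, so an unterminated object would otherwise be re-read rather than rejected`. In the first hunk, `nextSimpleValue(c)` assumes `c` still holds the character `nextClean()` returned at the top of the switch, which is outside the hunk; the rendered page does not show whether the `x.back();` line survives, and if it does the key would be parsed one character too early, so that is worth confirming against the raw diff. The JSONObject constructor starts and ends outside both hunks.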
55 changes: 29 additions & 26 deletions org/json/JSONTokener.java
Expand Up @@ -39,6 +39,7 @@ of this software and associated documentation files (the "Software"), to deal
public class JSONTokener {

private int index;
private boolean eof;
private Reader reader;
private char lastChar;
private boolean useLastChar;
Expand All @@ -50,6 +51,7 @@ public class JSONTokener {
* @param reader A reader.
*/
public JSONTokener(Reader reader) {
this.eof = false;
this.reader = reader.markSupported() ?
reader : new BufferedReader(reader);
this.useLastChar = false;
Expand Down Expand Up @@ -78,6 +80,7 @@ public void back() throws JSONException {
}
index -= 1;
useLastChar = true;
this.eof = false;
}


Expand All @@ -101,15 +104,19 @@ public static int dehexchar(char c) {
return -1;
}

public boolean end() {
return eof && !useLastChar;
}


/**
* Determine if the source string still contains characters that next()
* can consume.
* @return true if not yet at the end of the source.
*/
public boolean more() throws JSONException {
char nextChar = next();
if (nextChar == 0) {
next();
if (end()) {
return false;
}
back();
Expand Down Expand Up @@ -138,6 +145,7 @@ public char next() throws JSONException {
}

if (c <= 0) { // End of stream
this.eof = true;
this.lastChar = 0;
return 0;
}
Expand Down Expand Up @@ -181,27 +189,13 @@ public String next(int n) throws JSONException {
char[] buffer = new char[n];
int pos = 0;

if (this.useLastChar) {
this.useLastChar = false;
buffer[0] = this.lastChar;
pos = 1;
}

try {
int len;
while ((pos < n) && ((len = reader.read(buffer, pos, n - pos)) != -1)) {
pos += len;
while (pos < n) {
buffer[pos] = this.next();
if (this.end()) {
throw this.syntaxError("Substring bounds error");
}
} catch (IOException exc) {
throw new JSONException(exc);
}
this.index += pos;

if (pos < n) {
throw syntaxError("Substring bounds error");
pos += 1;
}

this.lastChar = buffer[n - 1];
return new String(buffer);
}

Expand Down Expand Up @@ -363,12 +357,8 @@ public String nextTo(String delimiters) throws JSONException {
*/
public Object nextValue() throws JSONException {
char c = nextClean();
String s;

switch (c) {
case '"':
case '\'':
return nextString(c);
case '{':
back();
return new JSONObject(this);
Expand All @@ -377,6 +367,17 @@ public Object nextValue() throws JSONException {
back();
return new JSONArray(this);
}
return nextSimpleValue(c);
}

Object nextSimpleValue(char c) throws JSONException {
String s;

switch (c) {
case '"':
case '\'':
return this.nextString(c);
}

/*
* Handle unquoted text. This could be the values true, false, or
Expand All @@ -393,7 +394,9 @@ public Object nextValue() throws JSONException {
sb.append(c);
c = next();
}
back();
if (!this.eof) {
back();
}

/*
* If it is true, false, or null, return the proper value.
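Review bot: The new public `end()` and the package-private `nextSimpleValue(char)` have no Javadoc, yet both carry invariants the JSONObject caller now depends on. `end()` is true only after `next()` has reported end of stream and no character is pending from `back()`, and `back()` clears it, so its answer is only meaningful immediately after a read; I would state that as `/** Returns true once next() has reached end of stream and no character is pending from back(); back() clears this state. */`. For `nextSimpleValue` I would document that it parses only a string, number, boolean or null starting at {@code c} and never descends into `{` or `[`, which is the property that lets JSONObject use it for keys. Note also that the `c <= 0` test in `next()` (a context line in the third hunk) sets `eof` for an embedded NUL as well as for a real end of stream, so `end()` callers cannot distinguish the two; if that is intended, as the PR title suggests, it belongs in the same Javadoc. Finally, the `if (!this.eof)` at the end of `nextSimpleValue` reads the field directly where the other new code calls `end()`; using the accessor would keep the end-of-input rule in one place.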