0037841: json scanner should not allow invalid strings and identifiers - Free Pascal/Lazarus Bug Tracker

All Projects FPC fpcprojects fpprofiler fpGUI Lazarus Packages Patches Lazarus CCR Mantis pas2js

ID	Project	Category	View Status	Date Submitted	Last Update

0037841	FPC	FCL	public	2020-09-29 17:26	2020-09-29 17:46

Reporter	Benito van der Zander	Assigned To	Michael Van Canneyt
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	resolved	Resolution	fixed
Platform	amd64	OS	linux
Product Version	3.3.1
Fixed in Version	3.3.1

Summary	0037841: json scanner should not allow invalid strings and identifiers
Description	JSON does not allow control characters in strings and upper case letters in true/false/null With this patch it raises an exception on these numbers with joStrict.
Tags	No tags attached.

Fixed in Revision	47006
FPCOldBugId
FPCTarget	3.2.2

Attached Files

Benito van der Zander 2020-09-29 17:26 reporter	stringsandids.patch (2,590 bytes) Index: packages/fcl-json/src/jsonscanner.pp =================================================================== --- packages/fcl-json/src/jsonscanner.pp (Revision 47001) +++ packages/fcl-json/src/jsonscanner.pp (Arbeitskopie) @@ -373,8 +373,9 @@ end else if u1<>0 then MaybeAppendUnicode; - if FTokenStr^ = #0 then - Error(SErrOpenString,[FCurRow]); + if FTokenStr^ < #$20 then + if FTokenStr^ = #0 then Error(SErrOpenString,[FCurRow]) + else if joStrict in Options then Error(SErrInvalidCharacter, [CurRow,CurColumn,FTokenStr[0]]); Inc(FTokenStr); end; if FTokenStr^ = #0 then @@ -513,6 +531,16 @@ tstart:=CurRow; Tcol:=CurColumn; TokenStart := FTokenStr; + Result:=tkIdentifier; + case TokenStart^ of + 't': if (TokenStart[1] = 'r') and (TokenStart[2] = 'u') and (TokenStart[3] = 'e') then + Result:=tkTrue; + 'f': if (TokenStart[1] = 'a') and (TokenStart[2] = 'l') and (TokenStart[3] = 's') and (TokenStart[4] = 'e')then + Result:=tkFalse; + 'n': if (TokenStart[1] = 'u') and (TokenStart[2] = 'l') and (TokenStart[3] = 'l') then + Result:=tkNull; + end; + if result <> tkIdentifier then inc(FTokenStr, length(TokenInfos[result]) - 1); repeat Inc(FTokenStr); until not (FTokenStr^ in ['A'..'Z', 'a'..'z', '0'..'9', '_']); @@ -519,17 +547,17 @@ SectionLength := FTokenStr - TokenStart; FCurTokenString:=''; SetString(FCurTokenString, TokenStart, SectionLength); - for it := tkTrue to tkNull do - if CompareText(CurTokenString, TokenInfos[it]) = 0 then - begin - Result := it; - FCurToken := Result; - exit; - end; - if (joStrict in Options) then - Error(SErrInvalidCharacter, [tStart,tcol,TokenStart[0]]) - else - Result:=tkIdentifier; + if (result = tkIdentifier) or (SectionLength <> length(TokenInfos[result])) then begin + if (joStrict in Options) then + Error(SErrInvalidCharacter, [tStart,tcol,TokenStart[0]]); + for it := tkTrue to tkNull do + if CompareText(CurTokenString, TokenInfos[it]) = 0 then + begin + Result := it; + FCurToken := Result; + exit; + end; + end; end; else Error(SErrInvalidCharacter, [CurRow,CurColumn,FTokenStr[0]]); stringsandids.patch (2,590 bytes)

Michael Van Canneyt 2020-09-29 17:46 administrator ~0125964	Applied, thanks for the patch.

Date Modified	Username	Field	Change
2020-09-29 17:26	Benito van der Zander	New Issue
2020-09-29 17:26	Benito van der Zander	File Added: stringsandids.patch
2020-09-29 17:46	Michael Van Canneyt	Assigned To	=> Michael Van Canneyt
2020-09-29 17:46	Michael Van Canneyt	Status	new => resolved
2020-09-29 17:46	Michael Van Canneyt	Resolution	open => fixed
2020-09-29 17:46	Michael Van Canneyt	Fixed in Version	=> 3.3.1
2020-09-29 17:46	Michael Van Canneyt	Fixed in Revision	=> 47006
2020-09-29 17:46	Michael Van Canneyt	FPCTarget	=> 3.2.2
2020-09-29 17:46	Michael Van Canneyt	Note Added: 0125964