View Issue Details

IDProjectCategoryView StatusLast Update
0037841FPCFCLpublic2020-09-29 17:46
ReporterBenito van der Zander Assigned ToMichael Van Canneyt  
PrioritynormalSeverityminorReproducibilityhave not tried
Status resolvedResolutionfixed 
Platformamd64OSlinux 
Product Version3.3.1 
Fixed in Version3.3.1 
Summary0037841: json scanner should not allow invalid strings and identifiers
DescriptionJSON does not allow control characters in strings and upper case letters in true/false/null

With this patch it raises an exception on these numbers with joStrict.
TagsNo tags attached.
Fixed in Revision47006
FPCOldBugId
FPCTarget3.2.2
Attached Files

Activities

Benito van der Zander

2020-09-29 17:26

reporter  

stringsandids.patch (2,590 bytes)   
Index: packages/fcl-json/src/jsonscanner.pp
===================================================================
--- packages/fcl-json/src/jsonscanner.pp        (Revision 47001)
+++ packages/fcl-json/src/jsonscanner.pp        (Arbeitskopie)
@@ -373,8 +373,9 @@
             end
           else if u1<>0 then
             MaybeAppendUnicode;
-          if FTokenStr^ = #0 then
-            Error(SErrOpenString,[FCurRow]);
+          if FTokenStr^ < #$20 then
+            if FTokenStr^ = #0 then Error(SErrOpenString,[FCurRow])
+            else if joStrict in Options then Error(SErrInvalidCharacter, [CurRow,CurColumn,FTokenStr[0]]);
           Inc(FTokenStr);
           end;
         if FTokenStr^ = #0 then
@@ -513,6 +531,16 @@
         tstart:=CurRow;
         Tcol:=CurColumn;
         TokenStart := FTokenStr;
+        Result:=tkIdentifier;
+        case TokenStart^ of
+          't': if (TokenStart[1] = 'r') and (TokenStart[2] = 'u') and (TokenStart[3] = 'e') then
+            Result:=tkTrue;
+          'f': if (TokenStart[1] = 'a') and (TokenStart[2] = 'l') and (TokenStart[3] = 's') and (TokenStart[4] = 'e')then
+            Result:=tkFalse;
+          'n': if (TokenStart[1] = 'u') and (TokenStart[2] = 'l') and (TokenStart[3] = 'l') then
+            Result:=tkNull;
+        end;
+        if result <> tkIdentifier then inc(FTokenStr, length(TokenInfos[result]) - 1);
         repeat
           Inc(FTokenStr);
         until not (FTokenStr^ in ['A'..'Z', 'a'..'z', '0'..'9', '_']);
@@ -519,17 +547,17 @@
         SectionLength := FTokenStr - TokenStart;
         FCurTokenString:='';
         SetString(FCurTokenString, TokenStart, SectionLength);
-        for it := tkTrue to tkNull do
-          if CompareText(CurTokenString, TokenInfos[it]) = 0 then
-            begin
-            Result := it;
-            FCurToken := Result;
-            exit;
-            end;
-        if (joStrict in Options) then
-          Error(SErrInvalidCharacter, [tStart,tcol,TokenStart[0]])
-        else
-          Result:=tkIdentifier;
+        if (result = tkIdentifier) or (SectionLength <> length(TokenInfos[result])) then begin
+          if (joStrict in Options) then
+            Error(SErrInvalidCharacter, [tStart,tcol,TokenStart[0]]);
+          for it := tkTrue to tkNull do
+            if CompareText(CurTokenString, TokenInfos[it]) = 0 then
+              begin
+              Result := it;
+              FCurToken := Result;
+              exit;
+              end;
+        end;
       end;
   else
     Error(SErrInvalidCharacter, [CurRow,CurColumn,FTokenStr[0]]);
stringsandids.patch (2,590 bytes)   

Michael Van Canneyt

2020-09-29 17:46

administrator   ~0125964

Applied, thanks for the patch.

Issue History

Date Modified Username Field Change
2020-09-29 17:26 Benito van der Zander New Issue
2020-09-29 17:26 Benito van der Zander File Added: stringsandids.patch
2020-09-29 17:46 Michael Van Canneyt Assigned To => Michael Van Canneyt
2020-09-29 17:46 Michael Van Canneyt Status new => resolved
2020-09-29 17:46 Michael Van Canneyt Resolution open => fixed
2020-09-29 17:46 Michael Van Canneyt Fixed in Version => 3.3.1
2020-09-29 17:46 Michael Van Canneyt Fixed in Revision => 47006
2020-09-29 17:46 Michael Van Canneyt FPCTarget => 3.2.2
2020-09-29 17:46 Michael Van Canneyt Note Added: 0125964