Implement recommended fixes from OSTIF audit #313
Merged
+252
−160
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…hon implementations
* Remove unused namedtuple_as_object and tuple_as_array arguments from simplejson.load (SJ-PT-23-102) * Remove vestigial _one_shot code from iterencode (SJ-PT-23-103) * Change default of allow_nan from True to False and add allow_nan to decoder (SJ-PT-23-107)
This was referenced Apr 6, 2023
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Apr 7, 2023
Version 3.19.1 released 2023-04-06 * This release contains security hardening measures based on recommendations by a security audit sponsored by OSTIF and conducted by X41 D-Sec GmbH. Several of these measures include changing defaults to be more strict, by default simplejson will now only consume and produce compliant JSON, but the flags still exist for any backwards compatibility needs. No high priority issues were discovered, the reference count leak is thought to be unreachable since the digits of the float are checked before PyOS_string_to_double is called. A link to the public version of this report will be included in a future release of simplejson. The following fixes were implemented in one PR: simplejson/simplejson#313 * Fix invalid handling of unicode escape sequences in the pure Python implementation of the decoder (SJ-PT-23-01) * Fix missing reference count decrease if PyOS_string_to_double raises an exception in Python 2.x; was probably unreachable (SJ-PT-23-02) * Backport the integer string length limitation from Python 3.11 to limit quadratic number parsing (SJ-PT-23-03) * Fix inconsistencies with error messages between the C and Python implementations (SJ-PT-23-100) * Remove unused unichr import from encoder (SJ-PT-23-101) * Remove unused namedtuple_as_object and tuple_as_array arguments from simplejson.load (SJ-PT-23-102) * Remove vestigial _one_shot code from iterencode (SJ-PT-23-103) * Change default of allow_nan from True to False and add allow_nan to decoder (SJ-PT-23-107)
This was referenced Apr 8, 2023
kraj
pushed a commit
to YoeDistro/meta-openembedded
that referenced
this pull request
Apr 10, 2023
Changelog: ============ * This release contains security hardening measures based on recommendations by a security audit sponsored by OSTIF and conducted by X41 D-Sec GmbH. Several of these measures include changing defaults to be more strict, by default simplejson will now only consume and produce compliant JSON, but the flags still exist for any backwards compatibility needs. No high priority issues were discovered, the reference count leak is thought to be unreachable since the digits of the float are checked before PyOS_string_to_double is called. A link to the public version of this report will be included in a future release of simplejson. The following fixes were implemented in one PR: simplejson/simplejson#313 * Fix invalid handling of unicode escape sequences in the pure Python implementation of the decoder (SJ-PT-23-01) * Fix missing reference count decrease if PyOS_string_to_double raises an exception in Python 2.x; was probably unreachable (SJ-PT-23-02) * Backport the integer string length limitation from Python 3.11 to limit quadratic number parsing (SJ-PT-23-03) * Fix inconsistencies with error messages between the C and Python implementations (SJ-PT-23-100) * Remove unused unichr import from encoder (SJ-PT-23-101) * Remove unused namedtuple_as_object and tuple_as_array arguments from simplejson.load (SJ-PT-23-102) * Remove vestigial _one_shot code from iterencode (SJ-PT-23-103) * Change default of allow_nan from True to False and add allow_nan to decoder (SJ-PT-23-107) Signed-off-by: Wang Mingyu <[email protected]> Signed-off-by: Khem Raj <[email protected]>
1 task
1 task
1 task
Closed
1 task
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implement security hardening measures based on a source code audit of simplejson 3.18.4 by X41 D-Sec GmbH and sponsored by the OSTIF.
implementation of the decoder (SJ-PT-23-01)
an exception in Python 2.x; was probably unreachable (SJ-PT-23-02)
limit quadratic number parsing (SJ-PT-23-03)
implementations (SJ-PT-23-100)
simplejson.load (SJ-PT-23-102)
to decoder (SJ-PT-23-107)
Several suggested improvements were not implemented in this release and will be considered in the future:
*. I did not enable a branch protection rule to require all commits to be signed since that would prevent accepting third party contributions without first rebasing myself.The full public report is available here: https://www.x41-dsec.de/static/reports/X41-OSTIF-simplejson-CodeRview-2023-04-18.pdf
See also: