W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2016

Precision of numbers using JSON Header Field Values

From: Kazuho Oku <kazuhooku@gmail.com>
Date: Fri, 15 Jul 2016 13:13:31 +0900
Message-ID: <CANatvzwDMF50KcFGR72SUtLCJc6fqJJ2pZaCOK9qv2RK5vZ+=g@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
Hello,

I have a question about how numbers are going to be handled using JSON
Header Field Values.

In section 6.1, the draft uses Content-Length header as an example,
and states that in case the header is to be represented using JSON,
the definition should "restrict all numbers to be non-negative
integers without fractions."

Does this mean that numbers should not be expressed using the
exponential notation (which would mean that we would be adding a
restriction to JSON encoder / parser), or does it mean that we should
validate the number _after_ parsing it using method defined in RFC
7159?

The reason I ask is because RFC 7159 does not define the precision of
numbers, and in some cases existing JSON decoders disagree in how the
number expressions are parsed.

For example, using node.js v.6.2.1,
0.0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100e400
is evaluated as 100. OTOH, using ruby 2.0.0, the same expression is
interpreted as zero.
(please refer to
https://gist.github.com/kazuho/7e72372111fa0655692d9e44be70c7ea for
the full output)

IMO such disagreement is a mine of vulnerabilities.  For example in
case of HTTP/1.1, it could lead to HTTP response splitting.

So personally, I think we should forbid the use of exponential
notation at least in some cases, but I wonder if adding such
restriction is intended or aligns with the motive to use an existing
notation for HTTP headers.

-- 
Kazuho Oku
Received on Friday, 15 July 2016 04:13:59 UTC

This archive was generated by hypermail 2.3.1 : Friday, 15 July 2016 04:14:03 UTC