incubator-callback-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Becky Gibson (Commented) (JIRA)" <>
Subject [jira] [Commented] (CB-192) Plugins fail silently when string argument contains \x00 charachters
Date Mon, 23 Jan 2012 19:23:40 GMT


Becky Gibson commented on CB-192:

It is the nature of the JSON library that is now being used in Cordova to not support embedded


   "An exception is made for the code point U+0000, which is legal Unicode. The reason for
this is that this particular code point is used by C string handling code to specify the end
of the string, and any such string handling code will incorrectly stop processing a string
at the point where U+0000 occurs. Although reasonable people may have different opinions on
this point, it is the authors considered opinion that the risks of permitting JSON Strings
that contain U+0000 outweigh the benefits. One of the risks in allowing U+0000 to appear unaltered
in a string is that it has the potential to create security problems by subtly altering the
semantics of the string which can then be exploited by a malicious attacker. This is similar
to the issue of arbitrarily deleting characters from Unicode text."

And discuss in this ticket for the JSONKit library:

> Plugins fail silently when string argument contains \x00 charachters
> --------------------------------------------------------------------
>                 Key: CB-192
>                 URL:
>             Project: Apache Callback
>          Issue Type: Bug
>          Components: iOS
>    Affects Versions: 1.3.0
>         Environment: Mac OS X Lion, XCode 4.2, Phonegap 1.3.0
>            Reporter: Derek Jensen
>            Assignee: Shazron Abdullah
> Passing an string argument with hex 0 imbedded in it causes the plugin to fail silently.
> While the argument is correctly processed by JSON.stringify(), the plugin objective-c
> is never called.  To see this in action, try console.log("foo\x00");

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:


View raw message