decode doesn't properly handle escaped slashes ("\/")

Bug #1487243 reported by klauss on 2015-08-21
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-cjson (Ubuntu)

Bug Description

According to the json specs, slashes can be encoded by using the escaped sequence \/ - but PyString_DecodeEscape doesn't handle that particular escape sequence, so valid json is decoded incorrectly.

Just try:

>>> import cjson, json
>>> cjson.decode(r'{"a":"image\/jpeg"}')
{'a': 'image\\/jpeg'}
>>> json.loads(r'{"a":"image\/jpeg"}')
{u'a': u'image/jpeg'}

The attached patch solves the issue efficiently for strings shorter than 16K (a safety thing, we don't want huge arrays in the stack, and our own use of cjson rarely ever handles strings longer than that). It won't die on strings larger than 16K (simply not decode the slashes), so I believe it's safe enough.

It would be simple enough to provide a path for the case of strings longer than 16K by using malloc instead of alloca in those particular cases. The trick would lie in making sure there was no memory leak in that case.

The attachment "Manually decode \/ prior to building a string with PyString_X()" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers