Posted to dev@cordova.apache.org by "Derek Jensen (Created) (JIRA)" <ji...@apache.org> on 2012/01/20 22:40:39 UTC

[jira] [Created] (CB-192) Plugins fail silently when string argument contains \x00 characters

Plugins fail silently when string argument contains \x00 characters
-------------------------------------------------------------------

                 Key: CB-192
                 URL: https://issues.apache.org/jira/browse/CB-192
             Project: Apache Callback
          Issue Type: Bug
          Components: iOS
    Affects Versions: 1.3.0
         Environment: Mac OS X Lion, XCode 4.2, Phonegap 1.3.0
            Reporter: Derek Jensen
            Assignee: Shazron Abdullah


Passing a string argument with hex 0 embedded in it causes the plugin to fail silently.

While the argument is correctly processed by JSON.stringify(), the plugin Objective-C code
is never called.  To see this in action, try console.log("foo\x00");

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (CB-192) Plugins fail silently when string argument contains \x00 characters

Posted by "Becky Gibson (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CB-192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13191368#comment-13191368 ] 

Becky Gibson commented on CB-192:
---------------------------------

It is the nature of the JSON library that is now being used in Cordova to not support embedded nulls.

From https://github.com/johnezang/JSONKit/blob/master/README.md:

   "An exception is made for the code point U+0000, which is legal Unicode. The reason for this is that this particular code point is used by C string handling code to specify the end of the string, and any such string handling code will incorrectly stop processing a string at the point where U+0000 occurs. Although reasonable people may have different opinions on this point, it is the authors considered opinion that the risks of permitting JSON Strings that contain U+0000 outweigh the benefits. One of the risks in allowing U+0000 to appear unaltered in a string is that it has the potential to create security problems by subtly altering the semantics of the string which can then be exploited by a malicious attacker. This is similar to the issue of arbitrarily deleting characters from Unicode text."

And discussed in this ticket for the JSONKit library: https://github.com/johnezang/JSONKit/issues/51

                

        

[jira] [Commented] (CB-192) Plugins fail silently when string argument contains \x00 characters

Posted by "Filip Maj (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CB-192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13192285#comment-13192285 ] 

Filip Maj commented on CB-192:
------------------------------

I agree with Derek; at the minimum the failure callback should be invoked. Is this possible, Becky?
                

        

[jira] [Commented] (CB-192) Plugins fail silently when string argument contains \x00 characters

Posted by "Derek Jensen (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CB-192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13192853#comment-13192853 ] 

Derek Jensen commented on CB-192:
---------------------------------

On 1.3.0 I can guarantee you that console.log("hello\x00"); fails silently.  No log output at all.  Likewise ANY plugin that has a string with an embedded null fails silently.  The point is, it's not illegal JSON, so I doubt he throws an error.

Why don't you just change the call to use JKParseOptionLooseUnicode?  Then you get the nulls properly formatted in legal UNICODE and in legal JSON.  It's not like the JSON strings are coming from some mystery place.  They're always encoded by PhoneGap.exec.  Letting JSONKit get past its own admittedly arbitrary decision on nulls should not hamper us from getting legal decoded strings out of PhoneGap's plugin library.
                

        

[jira] [Commented] (CB-192) Plugins fail silently when string argument contains \x00 characters

Posted by "Becky Gibson (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CB-192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13192458#comment-13192458 ] 

Becky Gibson commented on CB-192:
---------------------------------

FWIW in 1.4 [PGViewController execute] we do log a failure:

NSLog(@"FAILED pluginJSON = %@",commandJson); 

It would be more difficult to find and call the error function (if it exists) since the embedded null causes the command to not be parsed.  In the case of JSONKit mutableObjectFromJSONString returning null we'd have to parse the command string manually looking for the error callback.  Since the error callback parameters to each plugin could be different this doesn't seem practical.  
                

        

[jira] [Resolved] (CB-192) Plugins fail silently when string argument contains \x00 characters

Posted by "Shazron Abdullah (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CB-192?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shazron Abdullah resolved CB-192.
---------------------------------

    Resolution: Won't Fix
    

        

[jira] [Commented] (CB-192) Plugins fail silently when string argument contains \x00 characters

Posted by "Derek Jensen (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CB-192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13191818#comment-13191818 ] 

Derek Jensen commented on CB-192:
---------------------------------

That's fine if you don't want to support it, however you may find that regressive functionality is not particularly good coding practice.  In other words, it used to work, and now it doesn't.

The rationale presented here is weak, considering Objective-C NSString class has no problem with embedded nulls: It would break Unicode strings if it didn't work.  There is no security issue per se.

My final point is this:  it fails SILENTLY.  At least output something to the console that tells the developer that you are throwing away a plugin call.  It's very hard to debug when it just goes away without a trace. Calling back to the failure function if provided would also be a plus.
                
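The silent drop discussed in this thread can be surfaced on the JavaScript side, where the failure callback is still known, before the command reaches a native parser that rejects U+0000. The following is an added example, not Cordova or JSONKit code: `findNul`, `guardedExec` and the `bridgeExec` parameter (assumed to take the `(success, fail, service, action, args)` shape) are hypothetical names.

```javascript
// Added example; findNul, guardedExec and bridgeExec are hypothetical names.

// Return the path of the first string containing U+0000, or null if none.
function findNul(value, path = "args") {
  if (typeof value === "string") {
    return value.indexOf("\u0000") !== -1 ? path : null;
  }
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findNul(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      // Object keys are serialized as JSON strings too, so check them.
      if (key.indexOf("\u0000") !== -1) return `${path} (key)`;
      const hit = findNul(value[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Wrap a bridge call: report U+0000 to the failure callback instead of
// handing the native side a command string it will refuse to parse.
function guardedExec(bridgeExec, success, fail, service, action, args) {
  const where = findNul(args);
  if (where !== null) {
    const msg = `${service}.${action}: U+0000 in ${where}; call not sent to native side`;
    if (typeof fail === "function") fail(msg);
    else console.error(msg);
    return false;
  }
  bridgeExec(success, fail, service, action, args);
  return true;
}

// Constructed demonstration with a stub bridge that records what it is sent.
function demo() {
  const sent = [];
  const errors = [];
  const stub = (s, f, service, action, args) => sent.push(JSON.stringify(args));
  guardedExec(stub, null, (e) => errors.push(e), "Logger", "log", ["foo\x00"]);
  guardedExec(stub, null, (e) => errors.push(e), "Logger", "log", ["foo", { tag: "ok" }]);
  // JSON.stringify escapes the NUL as \u0000, which is legal JSON on the wire.
  return { sent, errors, wire: JSON.stringify(["foo\x00"]) };
}
```

The `wire` value shows why the JavaScript side sees nothing wrong: the serialized argument is valid JSON, and the rejection only happens in the native parser.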