Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Python implementation of json.loads() accepts non-ascii digits #125682

Closed
nineteendo opened this issue Oct 18, 2024 · 4 comments
Closed

Python implementation of json.loads() accepts non-ascii digits #125682

nineteendo opened this issue Oct 18, 2024 · 4 comments
Labels
3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error

Comments

@nineteendo
Copy link
Contributor

nineteendo commented Oct 18, 2024
edited by bedevere-app bot
Loading

Bug report

Bug description:

You should be careful when matching unicode regexes:

cpython/Lib/json/scanner.py

Lines 11 to 13 in a0f5c8e

NUMBER_RE = re.compile(
r'(-?(?:0|[1-9]\d*))(\.\d+)?([eE][-+]?\d+)?',
(re.VERBOSE | re.MULTILINE | re.DOTALL)) 

>>> import sys
>>> sys.modules["_json"] = None
>>> import json
>>> json.loads("[1\uff10, 0.\uff10, 0e\uff10]")
[10, 0.0, 0.0]

I think it's safer to use [0-9] instead of \d here.

CPython versions tested on:

3.13

Operating systems tested on:

macOS

Linked PRs
@nineteendo nineteendo added the type-bug An unexpected behavior, bug, or error label Oct 18, 2024
@bedevere-app bedevere-app bot mentioned this issue Oct 18, 2024
Merged
@ZeroIntensity
Copy link
Member

Why is this a bug? int and float support this as well:

>>> int("\uff10")
0
>>> float("0e\uff10")
0.0

Arguably, the bug is that the C implementation does not support it.

@taleinat
Copy link
Contributor

This can indeed be considered a bug, since it does not conform to the JSON specification in the standards.

See, for example, Section 6: Numbers in IETF RFC 8259, which clearly defines the supported digits.

@ZeroIntensity ZeroIntensity added stdlib Python modules in the Lib dir 3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes labels Oct 18, 2024
@ZeroIntensity
Copy link
Member

Ah, I've applied the appropriate labels. Thank you for clarification :)

@nineteendo nineteendo changed the title Python implementation of json.loads() accepts unicode digits Python implementation of json.loads() accepts non-ascii digits Oct 18, 2024
serhiy-storchaka pushed a commit that referenced this issue Oct 18, 2024
@nineteendo
gh-125682: Reject non-ASCII digits in the Python implementation of JS…
d358425 
…ON decoder (GH-125687)
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 18, 2024
@nineteendo @miss-islington
pythongh-125682: Reject non-ASCII digits in the Python implementation…
f0c3392 
… of JSON decoder (pythonGH-125687)

(cherry picked from commit d358425)

Co-authored-by: Nice Zombies <[email protected]>
@bedevere-app bedevere-app bot mentioned this issue Oct 18, 2024
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 18, 2024
@nineteendo @miss-islington
pythongh-125682: Reject non-ASCII digits in the Python implementation…
090a7c0 
… of JSON decoder (pythonGH-125687)

(cherry picked from commit d358425)

Co-authored-by: Nice Zombies <[email protected]>
@bedevere-app bedevere-app bot mentioned this issue Oct 18, 2024
Merged
@hauntsaninja
Copy link
Contributor

Good spot!

serhiy-storchaka pushed a commit that referenced this issue Oct 21, 2024
@miss-islington @nineteendo
[3.12] gh-125682: Reject non-ASCII digits in the Python implementatio…
18196fe 
…n of JSON decoder (GH-125687) (GH-125693)

(cherry picked from commit d358425)

Co-authored-by: Nice Zombies <[email protected]>
serhiy-storchaka pushed a commit that referenced this issue Oct 21, 2024
@miss-islington @nineteendo
[3.13] gh-125682: Reject non-ASCII digits in the Python implementatio…
6715afe 
…n of JSON decoder (GH-125687) (GH-125692)

(cherry picked from commit d358425)

Co-authored-by: Nice Zombies <[email protected]>
ebonnal pushed a commit to ebonnal/cpython that referenced this issue Jan 12, 2025
@nineteendo @ebonnal
pythongh-125682: Reject non-ASCII digits in the Python implementation…
2a604cf 
… of JSON decoder (pythonGH-125687)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@taleinat @serhiy-storchaka @hauntsaninja @ZeroIntensity @nineteendo