[ViewVC] Diff of: cvs/JSON-XS/XS.pm

Comparing JSON-XS/XS.pm (file contents):
Revision 1.147 by root, Tue Oct 29 00:19:08 2013 UTC vs.
Revision 1.161 by root, Wed Nov 16 19:21:53 2016 UTC

 package JSON::XS;
 use common::sense;
-our $VERSION = '3.0';
+our $VERSION = 3.03;
 our @ISA = qw(Exporter);
 our @EXPORT = qw(encode_json decode_json);
 use Exporter;
   [
      1, # this comment not allowed in JSON
         # neither this one...
   ]
+=item * literal ASCII TAB characters in strings
+Literal ASCII TAB characters are now allowed in strings (and treated as
+C<\t>).
+  [
+     "Hello\tWorld",
+     "Hello<TAB>World", # literal <TAB> would not normally be allowed
+  ]
 =back
 =item $json = $json->canonical ([$enable])
 =item $enabled = $json->get_canonical
 =item $json = $json->convert_blessed ([$enable])
 =item $enabled = $json->get_convert_blessed
-See "OBJECT SERIALISATION" for details.
+See L<OBJECT SERIALISATION> for details.
 If C<$enable> is true (or missing), then C<encode>, upon encountering a
 blessed object, will check for the availability of the C<TO_JSON> method
 on the object's class. If found, it will be called in scalar context and
 the resulting scalar will be encoded instead of the object.
 =item $json = $json->allow_tags ([$enable])
 =item $enabled = $json->allow_tags
-See "OBJECT SERIALISATION" for details.
+See L<OBJECT SERIALISATION> for details.
 If C<$enable> is true (or missing), then C<encode>, upon encountering a
 blessed object, will check for the availability of the C<FREEZE> method on
 the object's class. If found, it will be used to serialise the object into
 a nonstandard tagged JSON value (that JSON decoders cannot decode).
 This is useful if your JSON texts are not delimited by an outer protocol
 and you need to know where the JSON text ends.
    JSON::XS->new->decode_prefix ("[1] the tail")
-   => ([], 3)
+   => ([1], 3)
 =back
 =head1 INCREMENTAL PARSING
 C<incr_skip> to skip the erroneous part). This is the most common way of
 using the method.
 And finally, in list context, it will try to extract as many objects
 from the stream as it can find and return them, or the empty list
-otherwise. For this to work, there must be no separators between the JSON
+otherwise. For this to work, there must be no separators (other than
-objects or arrays, instead they must be concatenated back-to-back. If
+whitespace) between the JSON objects or arrays, instead they must be
-an error occurs, an exception will be raised as in the scalar context
+concatenated back-to-back. If an error occurs, an exception will be
-case. Note that in this case, any previously-parsed JSON texts will be
+raised as in the scalar context case. Note that in this case, any
-lost.
+previously-parsed JSON texts will be lost.
 Example: Parse some JSON arrays/objects in a given string and return
 them.
    my @objs = JSON::XS->new->incr_parse ("[5][7][1,2]");
 C<incr_parse> in I<scalar context> successfully returned an object. Under
 all other circumstances you must not call this function (I mean it.
 although in simple tests it might actually work, it I<will> fail under
 real world conditions). As a special exception, you can also call this
 method before having parsed anything.
+That means you can only use this function to look at or manipulate text
+before or after complete JSON objects, not while the parser is in the
+middle of parsing a JSON object.
 This function is useful in two cases: a) finding the trailing text after a
 JSON object or b) parsing multiple JSON objects separated by non-JSON text
 (such as commas).
 Another nonstandard extension to the JSON syntax, enabled with the
 C<allow_tags> setting, are tagged values. In this implementation, the
 I<tag> must be a perl package/class name encoded as a JSON string, and the
 I<value> must be a JSON array encoding optional constructor arguments.
-See "OBJECT SERIALISATION", below, for details.
+See L<OBJECT SERIALISATION>, below, for details.
 =back
 =head2 PERL -> JSON
 directly if you want.
 =item blessed objects
 Blessed objects are not directly representable in JSON, but C<JSON::XS>
-allows various ways of handling objects. See "OBJECT SERIALISATION",
+allows various ways of handling objects. See L<OBJECT SERIALISATION>,
 below, for details.
 =item simple scalars
 Simple Perl scalars (any scalar that is not a reference) are the most
 C<allow_blessed>, C<convert_blessed> and C<allow_tags> settings, which are
 used in this order:
 =over 4
-=item 1. C<allow_tags> is enabled and object has a C<FREEZE> method.
+=item 1. C<allow_tags> is enabled and the object has a C<FREEZE> method.
 In this case, C<JSON::XS> uses the L<Types::Serialiser> object
 serialisation protocol to create a tagged JSON value, using a nonstandard
 extension to the JSON syntax.
 more). These values and the paclkage/classname of the object will then be
 encoded as a tagged JSON value in the following format:
    ("classname")[FREEZE return values...]
+e.g.:
+   ("URI")["http://www.google.com/"]
+   ("MyDate")[2013,10,29]
+   ("ImageData::JPEG")["Z3...VlCg=="]
 For example, the hypothetical C<My::Object> C<FREEZE> method might use the
 objects C<type> and C<id> members to encode the object:
    sub My::Object::FREEZE {
       my ($self, $serialiser) = @_;
       ($self->{type}, $self->{id})
    }
-=item 2. C<convert_blessed> is enabled and object has a C<TO_JSON> method.
+=item 2. C<convert_blessed> is enabled and the object has a C<TO_JSON> method.
 In this case, the C<TO_JSON> method of the object is invoked in scalar
 context. It must return a single scalar that can be directly encoded into
 JSON. This scalar replaces the object in the JSON text.
 are browser design bugs, but it is still you who will have to deal with
 it, as major browser developers care only for features, not about getting
 security right).
+=head1 "OLD" VS. "NEW" JSON (RFC 4627 VS. RFC 7159)
+TL;DR: Due to security concerns, JSON::XS will not allow scalar data in
+JSON texts by default - you need to create your own JSON::XS object and
+enable C<allow_nonref>:
+   my $json = JSON::XS->new->allow_nonref;
+   $text = $json->encode ($data);
+   $data = $json->decode ($text);
+The long version: JSON being an important and supposedly stable format,
+the IETF standardised it as RFC 4627 in 2006. Unfortunately, the inventor
+of JSON, Dougles Crockford, unilaterally changed the definition of JSON in
+javascript. Rather than create a fork, the IETF decided to standardise the
+new syntax (apparently, so Iw as told, without finding it very amusing).
+The biggest difference between thed original JSON and the new JSON is that
+the new JSON supports scalars (anything other than arrays and objects) at
+the toplevel of a JSON text. While this is strictly backwards compatible
+to older versions, it breaks a number of protocols that relied on sending
+JSON back-to-back, and is a minor security concern.
+For example, imagine you have two banks communicating, and on one side,
+trhe JSON coder gets upgraded. Two messages, such as C<10> and C<1000>
+might then be confused to mean C<101000>, something that couldn't happen
+in the original JSON, because niether of these messages would be valid
+JSON.
+If one side accepts these messages, then an upgrade in the coder on either
+side could result in this becoming exploitable.
+This module has always allowed these messages as an optional extension, by
+default disabled. The security concerns are the reason why the default is
+still disabled, but future versions might/will likely upgrade to the newer
+RFC as default format, so you are advised to check your implementation
+and/or override the default with C<< ->allow_nonref (0) >> to ensure that
+future versions are safe.
 =head1 INTEROPERABILITY WITH OTHER MODULES
 C<JSON::XS> uses the L<Types::Serialiser> module to provide boolean
 constants. That means that the JSON true and false values will be
-comaptible to true and false values of iother modules that do the same,
+comaptible to true and false values of other modules that do the same,
 such as L<JSON::PP> and L<CBOR::XS>.
+=head1 INTEROPERABILITY WITH OTHER JSON DECODERS
+As long as you only serialise data that can be directly expressed in JSON,
+C<JSON::XS> is incapable of generating invalid JSON output (modulo bugs,
+but C<JSON::XS> has found more bugs in the official JSON testsuite (1)
+than the official JSON testsuite has found in C<JSON::XS> (0)).
+When you have trouble decoding JSON generated by this module using other
+decoders, then it is very likely that you have an encoding mismatch or the
+other decoder is broken.
+When decoding, C<JSON::XS> is strict by default and will likely catch all
+errors. There are currently two settings that change this: C<relaxed>
+makes C<JSON::XS> accept (but not generate) some non-standard extensions,
+and C<allow_tags> will allow you to encode and decode Perl objects, at the
+cost of not outputting valid JSON anymore.
+=head2 TAGGED VALUE SYNTAX AND STANDARD JSON EN/DECODERS
+When you use C<allow_tags> to use the extended (and also nonstandard and
+invalid) JSON syntax for serialised objects, and you still want to decode
+the generated When you want to serialise objects, you can run a regex
+to replace the tagged syntax by standard JSON arrays (it only works for
+"normal" package names without comma, newlines or single colons). First,
+the readable Perl version:
+   # if your FREEZE methods return no values, you need this replace first:
+   $json =~ s/\( \s* (" (?: [^\\":,]+|\\.|::)* ") \s* \) \s* \[\s*\]/[$1]/gx;
+   # this works for non-empty constructor arg lists:
+   $json =~ s/\( \s* (" (?: [^\\":,]+|\\.|::)* ") \s* \) \s* \[/[$1,/gx;
+And here is a less readable version that is easy to adapt to other
+languages:
+   $json =~ s/\(\s*("([^\\":,]+|\\.|::)*")\s*\)\s*\[/[$1,/g;
+Here is an ECMAScript version (same regex):
+   json = json.replace (/\(\s*("([^\\":,]+|\\.|::)*")\s*\)\s*\[/g, "[$1,");
+Since this syntax converts to standard JSON arrays, it might be hard to
+distinguish serialised objects from normal arrays. You can prepend a
+"magic number" as first array element to reduce chances of a collision:
+   $json =~ s/\(\s*("([^\\":,]+|\\.|::)*")\s*\)\s*\[/["XU1peReLzT4ggEllLanBYq4G9VzliwKF",$1,/g;
+And after decoding the JSON text, you could walk the data
+structure looking for arrays with a first element of
+C<XU1peReLzT4ggEllLanBYq4G9VzliwKF>.
+The same approach can be used to create the tagged format with another
+encoder. First, you create an array with the magic string as first member,
+the classname as second, and constructor arguments last, encode it as part
+of your JSON structure, and then:
+   $json =~ s/\[\s*"XU1peReLzT4ggEllLanBYq4G9VzliwKF"\s*,\s*("([^\\":,]+|\\.|::)*")\s*,/($1)[/g;
+Again, this has some limitations - the magic string must not be encoded
+with character escapes, and the constructor arguments must be non-empty.
+=head1 RFC7159
+Since this module was written, Google has written a new JSON RFC, RFC 7159
+(and RFC7158). Unfortunately, this RFC breaks compatibility with both the
+original JSON specification on www.json.org and RFC4627.
+As far as I can see, you can get partial compatibility when parsing by
+using C<< ->allow_nonref >>. However, consider the security implications
+of doing so.
+I haven't decided yet when to break compatibility with RFC4627 by default
+(and potentially leave applications insecure) and change the default to
+follow RFC7159, but application authors are well advised to call C<<
+->allow_nonref(0) >> even if this is the current default, if they cannot
+handle non-reference values, in preparation for the day when the default
+will change.
 =head1 THREADS
 This module is I<not> guaranteed to be thread safe and there are no

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing JSON-XS/XS.pm (file contents): Revision 1.147 by root, Tue Oct 29 00:19:08 2013 UTC vs. Revision 1.161 by root, Wed Nov 16 19:21:53 2016 UTC

Diff Legend

Comparing JSON-XS/XS.pm (file contents):
Revision 1.147 by root, Tue Oct 29 00:19:08 2013 UTC vs.
Revision 1.161 by root, Wed Nov 16 19:21:53 2016 UTC