Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:69579
Return-Path: <ajf@ajf.me>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 53639 invoked from network); 16 Oct 2013 12:21:13 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 16 Oct 2013 12:21:13 -0000
Authentication-Results: pb1.pair.com smtp.mail=ajf@ajf.me; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=ajf@ajf.me; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ajf.me designates 192.64.116.196 as permitted sender)
X-PHP-List-Original-Sender: ajf@ajf.me
X-Host-Fingerprint: 192.64.116.196 imap4.ox.registrar-servers.com  
Received: from [192.64.116.196] ([192.64.116.196:36846] helo=imap4.ox.registrar-servers.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id C6/15-31591-7B48E525 for <internals@lists.php.net>; Wed, 16 Oct 2013 08:21:12 -0400
Received: from localhost (localhost [127.0.0.1])
	by oxmail.registrar-servers.com (Postfix) with ESMTP id 40AD8560075
	for <internals@lists.php.net>; Wed, 16 Oct 2013 08:21:09 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at imap4.ox.registrar-servers.com
Received: from oxmail.registrar-servers.com ([127.0.0.1])
	by localhost (imap4.ox.registrar-servers.com [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id tnjkYG5Mw-7v for <internals@lists.php.net>;
	Wed, 16 Oct 2013 08:21:09 -0400 (EDT)
Received: from [192.168.0.200] (unknown [94.3.245.95])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by oxmail.registrar-servers.com (Postfix) with ESMTPSA id D7B6D560064
	for <internals@lists.php.net>; Wed, 16 Oct 2013 08:21:08 -0400 (EDT)
Message-ID: <525E84AF.8030805@ajf.me>
Date: Wed, 16 Oct 2013 13:21:03 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.0
MIME-Version: 1.0
To: PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [PATCH] (2-part) Fixed bug #64874 ("json_decode handles whitespace
 and case-sensitivity incorrectly")
From: ajf@ajf.me (Andrea Faulds)

Hello there,

This is a two-part patch. The first part patches one part of bug #64874, 
which is that lone JSON primitive values (true, false, null, string, 
number) cannot be deserialised with json_decode() if they have 
whitespace around them, though lone complex JSON values (array, object) 
can. The reason this part of the bug existed is because had somebody 
added support for deserialising JSON strings which don't consist of an 
array or an object, but instead of properly modifying the parser, added 
a poorly-written wrapper on the outside of it. This is essentially a fix 
to that wrapper. It should help bring json_decode() into actual JSON 
specification compliance. It is an entirely backwards-compatible fix, so 
I intend it to be added to 5.4 and 5.5:

Pull request here: https://github.com/php/php-src/pull/456

The second part is based off the first part, so includes the 
backwards-compatible fix, but also fixes the second part of bug #64874, 
which is that lone JSON true, false and null values are accepted in 
non-lowercase forms. This is due to, again, the poorly-written wrapper, 
which essentially did (strcasecmp(str, "true") == 0), despite the fact 
that the JSON specification states that only lowercase forms of true, 
false and null are permitted. Lowercase forms are already not permitted 
by the actual parser, it is only the wrapper which is at fault. This 
means that json_decode('[tRue]') is already invalid, but 
json_decode('tRue') is not. This patch will make the non-lowercase form 
error, as it should. This will also make it more 
specification-compliant, and more consistent with itself(!) Because no 
longer permitting these non-lowercase forms would break 
backwards-compatibility in the unlikely case that an application relied 
on malformed JSON, this fix is intended to go into PHP 5.6. In the event 
that it breaks someone's code working with a malformed dataset, it 
should be fairly simple to lowercase any non-lowercase true, false or 
null JSON strings.

Pull request here: https://github.com/php/php-src/pull/457

Both requests contain tests and UPGRADING and NEWS notes. The first is 
aimed at the PHP-5.4 branch, so it contains changes to UPGRADING and 
NEWS for 5.4. It would also need those notes copied to 5.5's, were it to 
be merged. The second is aimed at master, so it contains changes to 
master's UPGRADING and NEWS.

Thank you for your time.

-- 
Andrea Faulds
http://ajf.me/