[PATCH] (2-part) Fixed bug #64874 ("json_decode handles whitespace and case-sensitivity incorrectly")

11 years ago by Andrea Faulds — view source

unread

Hello there,

This is a two-part patch. The first part patches one part of bug #64874,
which is that lone JSON primitive values (true, false, null, string,
number) cannot be deserialised with json_decode() if they have
whitespace around them, though lone complex JSON values (array, object)
can. The reason this part of the bug existed is because had somebody
added support for deserialising JSON strings which don't consist of an
array or an object, but instead of properly modifying the parser, added
a poorly-written wrapper on the outside of it. This is essentially a fix
to that wrapper. It should help bring json_decode() into actual JSON
specification compliance. It is an entirely backwards-compatible fix, so
I intend it to be added to 5.4 and 5.5:

Pull request here: https://github.com/php/php-src/pull/456

The second part is based off the first part, so includes the
backwards-compatible fix, but also fixes the second part of bug #64874,
which is that lone JSON true, false and null values are accepted in
non-lowercase forms. This is due to, again, the poorly-written wrapper,
which essentially did (strcasecmp(str, "true") == 0), despite the fact
that the JSON specification states that only lowercase forms of true,
false and null are permitted. Lowercase forms are already not permitted
by the actual parser, it is only the wrapper which is at fault. This
means that json_decode('[tRue]') is already invalid, but
json_decode('tRue') is not. This patch will make the non-lowercase form
error, as it should. This will also make it more
specification-compliant, and more consistent with itself(!) Because no
longer permitting these non-lowercase forms would break
backwards-compatibility in the unlikely case that an application relied
on malformed JSON, this fix is intended to go into PHP 5.6. In the event
that it breaks someone's code working with a malformed dataset, it
should be fairly simple to lowercase any non-lowercase true, false or
null JSON strings.

Pull request here: https://github.com/php/php-src/pull/457

Both requests contain tests and UPGRADING and NEWS notes. The first is
aimed at the PHP-5.4 branch, so it contains changes to UPGRADING and
NEWS for 5.4. It would also need those notes copied to 5.5's, were it to
be merged. The second is aimed at master, so it contains changes to
master's UPGRADING and NEWS.

Thank you for your time.

--
Andrea Faulds
http://ajf.me/