Hello.
On 19.2.2015 19:13, Matthias-Christian Ott wrote:
I agree that JSON is not very simple, but it is definitely secure and
deterministically parsable:
Just to clarify: With the term deterministically parsable I meant that it
requires a bounded amount of memory and can be parsed with a
deterministic finite automaton (hence the name).
In that case, you are right. :-)
It seems there is also a JSON library that I didn't know about but meets
that requirement: jsmn [1].
jsmn looks really great. I didn't know it. I decided to use Jansson, as
it has a really clean and intuitive API and very good documentation.
Also, for our purpose, working with JSON as with objects is much easier
than parsing the input by tokens.
If you have any strong opinions against JSON, we can still discuss it.
Not in particular, I just found it a bit unusual to use JSON in a
security-relevant context. If JSON meets your requirements, the library
is well tested and other users are happy to easily use it with other
software, I have nothing to object.
We use JSON only to store metadata. So it's not that security-critical
usage. But right, your concerns are quite legitimate. On the other hand,
Jansson seems to be very popular, has active development, and I'm
definitely their happy user. So we should be OK. ;-)
Alternatives would have been the file system (like qmail), line and
colon delimited text files (netstrings, CSV etc.), fixed length
binary formats or variable length binary formats (Protocol Buffers,
ASN.1, XDR etc.). All of which have their own advantages and disadvantages.
I can just agree.
Cheers,
Jan