
If I'm not mistaken, this is bad: it enables a trivial DoS attack against any web service that accepts floating-point input. (For instance, one of the commenters on the OP noted that Google Spreadsheets backends are vulnerable.) This includes, as a special case, any service that accepts JSON input.

I expect a lot of teams will have to rush out a patch. I feel for them...

Incidentally, I haven't seen a simple workaround posted anywhere. Has anyone seen a regexp or code snippet that can identify strings which would trigger this bug?




Maybe I'm dense, but why does this affect apps that use JSON?


Because JSON can include floating-point numbers. If you pass { foo: 2.2250738585072012e-308 } to any JSON service, I'd expect it to invoke Double.parseDouble(...) as part of its input processing, and trip over the bug. This would probably occur before any type checking of the input, and thus would probably work even for a service which does not expect floating-point inputs.


This is not correct. Think about a service which used PHP's json_decode function. PHP has fixed this bug, so there would be no issue.

The problem has nothing to do with JSON. It only affects JSON parsers that run on a JVM.


Right -- when I said "any service that accepts JSON input", I meant "any JVM-based service that accepts JSON input". I thought the JVM qualification would be clear from the context of this thread, apologies if it wasn't.


So the exact same bug affects JavaScript?


JSON just makes it quite easy to parse in a floating-point number. But that doesn't have anything to do with JavaScript per se.
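
On the question near the top of the thread about a snippet that identifies triggering strings: the following is an added example, not code from any commenter or from a vendor fix, showing an input screen a JVM service could run before a token reaches Double.parseDouble. It normalizes the token with BigDecimal so that shifted decimal points and rewritten exponents compare equal, then matches the value quoted in the thread. The class and method names, the 512-character cap, and the rule of matching the first 16 significant digits at exponent -308 are assumptions; the rule is a heuristic built from that one quoted value, not a proven description of every triggering input, and it covers decimal literals only.

```java
import java.math.BigDecimal;

public class ParseDoubleScreen {
    // Leading significant digits and decimal exponent of the value quoted in the
    // thread (2.2250738585072012e-308); the last digit is dropped so that close
    // neighbours are flagged as well (assumption, see lead-in).
    private static final String DIGITS = "2225073858507201";
    private static final long EXPONENT = -308;
    private static final int MAX_LEN = 512; // assumed cap on numeric token length

    /** True if the token should be rejected before it can reach Double.parseDouble. */
    static boolean looksLikeTrigger(String token) {
        String s = token.trim();
        if (s.length() > MAX_LEN) {
            return true; // refuse oversized numeric tokens outright
        }
        // Double.parseDouble accepts a trailing type suffix that BigDecimal rejects.
        if (!s.isEmpty() && "dDfF".indexOf(s.charAt(s.length() - 1)) >= 0) {
            s = s.substring(0, s.length() - 1);
        }
        BigDecimal bd;
        try {
            // BigDecimal parses the string itself; doubleValue() is deliberately
            // not used, since converting to double is the operation being guarded.
            bd = new BigDecimal(s);
        } catch (NumberFormatException e) {
            return false; // not a plain decimal literal (hex float, NaN, empty, ...)
        }
        String digits = bd.unscaledValue().abs().toString();
        // Exponent the value would have in d.ddd...e<exp> form.
        long exponent = (long) bd.precision() - bd.scale() - 1;
        return exponent == EXPONENT && digits.startsWith(DIGITS);
    }

    public static void main(String[] args) {
        // Constructed sample tokens: the thread's value in several spellings,
        // followed by harmless numbers.
        String[] samples = {
            "2.2250738585072012e-308", "0.00022250738585072012e-304",
            "22250738585072012E-324", " -2.2250738585072012e-308d ",
            "2.2250738585072012e-307", "3.14", "1e-308", "NaN"
        };
        for (String t : samples) {
            System.out.println((looksLikeTrigger(t) ? "REJECT " : "ok     ") + "[" + t + "]");
        }
    }
}
```

The first four samples are rejected and the last four pass. For JSON input the check has to sit in or in front of the parser's number handling, since the thread notes the conversion would probably occur before any type checking of the input.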



