gh-125660: Reject invalid unicode escapes for Python implementation of JSON decoder (GH-125683)

Nice Zombies 2024-10-18 14:29:47 +02:00 committed by GitHub
parent d358425e69
commit df751363e3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 16 additions and 4 deletions


@ -50,17 +50,18 @@ _CONSTANTS = {
} }
HEXDIGITS = re.compile(r'[0-9A-Fa-f]{4}', FLAGS)
STRINGCHUNK = re.compile(r'(.*?)(["\\\x00-\x1f])', FLAGS) STRINGCHUNK = re.compile(r'(.*?)(["\\\x00-\x1f])', FLAGS)
BACKSLASH = { BACKSLASH = {
'"': '"', '\\': '\\', '/': '/', '"': '"', '\\': '\\', '/': '/',
'b': '\b', 'f': '\f', 'n': '\n', 'r': '\r', 't': '\t', 'b': '\b', 'f': '\f', 'n': '\n', 'r': '\r', 't': '\t',
} }
def _decode_uXXXX(s, pos): def _decode_uXXXX(s, pos, _m=HEXDIGITS.match):
esc = s[pos + 1:pos + 5] esc = _m(s, pos + 1)
if len(esc) == 4 and esc[1] not in 'xX': if esc is not None:
try: try:
return int(esc, 16) return int(esc.group(), 16)
except ValueError: except ValueError:
pass pass
msg = "Invalid \\uXXXX escape" msg = "Invalid \\uXXXX escape"
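Review bot: The `try`/`except ValueError` kept around `int(esc.group(), 16)` in `_decode_uXXXX` can no longer trigger, because `HEXDIGITS` only matches four ASCII hex digits; the branch could shrink to `if esc is not None: return int(esc.group(), 16)`. A comment recording why a regex is used would also help, e.g. `# int(x, 16) also accepts whitespace, signs, underscores and non-ASCII digits, which JSON forbids`, so the check is not later simplified back to a slice plus `int()`. A lenient escape parser here lets this decoder accept documents that a stricter JSON parser in the same pipeline would reject, which is the kind of mismatch input validation should not depend on. The function's closing raise lies outside the hunk.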


@ -116,6 +116,11 @@ class TestScanstring:
'"\\u012z"', '"\\u012z"',
'"\\u0x12"', '"\\u0x12"',
'"\\u0X12"', '"\\u0X12"',
'"\\u{0}"'.format("\uff10" * 4),
'"\\u 123"',
'"\\u-123"',
'"\\u+123"',
'"\\u1_23"',
'"\\ud834\\"', '"\\ud834\\"',
'"\\ud834\\u"', '"\\ud834\\u"',
'"\\ud834\\ud"', '"\\ud834\\ud"',
@ -127,6 +132,11 @@ class TestScanstring:
'"\\ud834\\udd2z"', '"\\ud834\\udd2z"',
'"\\ud834\\u0x20"', '"\\ud834\\u0x20"',
'"\\ud834\\u0X20"', '"\\ud834\\u0X20"',
'"\\ud834\\u{0}"'.format("\uff10" * 4),
'"\\ud834\\u 123"',
'"\\ud834\\u-123"',
'"\\ud834\\u+123"',
'"\\ud834\\u1_23"',
] ]
for s in bad_escapes: for s in bad_escapes:
with self.assertRaises(self.JSONDecodeError, msg=s): with self.assertRaises(self.JSONDecodeError, msg=s):
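Review bot: The added `bad_escapes` entries cover leading whitespace, signs, an underscore and fullwidth digits, but not trailing whitespace, which `int(..., 16)` also tolerates. Adding `'"\\u123 "'` next to `'"\\u 123"'` and `'"\\ud834\\u123 "'` next to `'"\\ud834\\u 123"'` would pin that case. A short comment on the `"\uff10" * 4` entries, such as `# FULLWIDTH DIGIT ZERO: a Unicode digit, not a JSON hex digit`, would make their purpose clear to the next reader. The list's opening and the loop body lie outside these hunks.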


@ -0,0 +1 @@
Reject invalid unicode escapes for Python implementation of :func:`json.loads`.