commit perl-JSON-XS for openSUSE:Factory
![](https://seccdn.libravatar.org/avatar/e2145bc5cf53dda95c308a3c75e8fef3.jpg?s=120&d=mm&r=g)
Hello community,
here is the log from the commit of package perl-JSON-XS for openSUSE:Factory checked in at 2016-04-28 16:52:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-JSON-XS (Old)
and /work/SRC/openSUSE:Factory/.perl-JSON-XS.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-JSON-XS"
Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-JSON-XS/perl-JSON-XS.changes 2013-12-06 14:43:05.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.perl-JSON-XS.new/perl-JSON-XS.changes 2016-04-28 16:53:02.000000000 +0200
@@ -1,0 +2,9 @@
+Fri Mar 11 10:17:07 UTC 2016 - coolo@suse.com
+
+- updated to 3.02
+ see /usr/share/doc/packages/perl-JSON-XS/Changes
+
+ TODO: how to cope with tagged values and standard json decoders
+ TODO: investigate magic (Eric Brine)
+
+-------------------------------------------------------------------
Old:
----
JSON-XS-3.01.tar.gz
New:
----
JSON-XS-3.02.tar.gz
cpanspec.yml
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ perl-JSON-XS.spec ++++++
--- /var/tmp/diff_new_pack.ayiiEl/_old 2016-04-28 16:53:03.000000000 +0200
+++ /var/tmp/diff_new_pack.ayiiEl/_new 2016-04-28 16:53:03.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package perl-JSON-XS
#
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,20 +17,22 @@
Name: perl-JSON-XS
-Version: 3.01
+Version: 3.02
Release: 0
+#Upstream: CHECK(GPL-1.0+ or Artistic-1.0)
%define cpan_name JSON-XS
Summary: JSON serialising/deserialising, done correctly and fast
-License: GPL-1.0+ or Artistic-1.0
+License: Artistic-1.0 or GPL-1.0+
Group: Development/Libraries/Perl
Url: http://search.cpan.org/dist/JSON-XS/
-Source: http://www.cpan.org/authors/id/M/ML/MLEHMANN/%{cpan_name}-%{version}.tar.gz
+Source0: http://www.cpan.org/authors/id/M/ML/MLEHMANN/%{cpan_name}-%{version}.tar.gz
+Source1: cpanspec.yml
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: perl
BuildRequires: perl-macros
+BuildRequires: perl(Canary::Stability)
BuildRequires: perl(Types::Serialiser)
BuildRequires: perl(common::sense)
-#BuildRequires: perl(JSON::XS)
Requires: perl(Types::Serialiser)
Requires: perl(common::sense)
%{perl_requires}
@@ -59,7 +61,7 @@
%prep
%setup -q -n %{cpan_name}-%{version}
-find . -type f -print0 | xargs -0 chmod 644
+find . -type f ! -name \*.pl -print0 | xargs -0 chmod 644
%build
%{__perl} Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}"
++++++ JSON-XS-3.01.tar.gz -> JSON-XS-3.02.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-3.01/Changes new/JSON-XS-3.02/Changes
--- old/JSON-XS-3.01/Changes 2013-10-29 16:55:22.000000000 +0100
+++ new/JSON-XS-3.02/Changes 2016-02-26 22:46:02.000000000 +0100
@@ -3,6 +3,20 @@
TODO: maybe detetc and croak on more invalid inputs (e.g. +-inf/nan)
TODO: maybe avoid the reblessing and better support readonly objects.
TODO: http://stevehanov.ca/blog/index.php?id=104 compression
+TODO: how to cope with tagged values and standard json decoders
+TODO: investigate magic (Eric Brine)
+
+3.02 Fri Feb 26 22:45:20 CET 2016
+ - allow_nonref now affects booleans (\1, $Types::Serialiser::Boolean)
+ as well (reported by Alex Efros).
+ - allow literal tabs in strings in relaxed mode (patch by
+ lubo.rintel@gooddata.com).
+ - support "cbor" format in json_xs tool.
+ - support (and fix) calling encode and decode in list context
+ (reported by Вадим Власов).
+ - work around a bug in older perls crashing when presented
+ with shared hash keys (Reini Urban).
+ - use stability canary.
3.01 Tue Oct 29 16:55:15 CET 2013
- backport to perls < 5.18 (reported by Paul Howarth).
@@ -11,7 +25,7 @@
- implemented an object tagging extension (using the
Types::Serialiser serialisation protocol).
- reworked the documentation regarding object serialisation,
- add a new OBJECT SERIALISATION section that explains the
+ add a new OBJECT SERIALISATION section that explains th
whole process.
- new setting: allow_tags.
- switch to Types::Serialiser booleans.
@@ -142,7 +156,7 @@
- lifted the log2 rounding restriction of max_depth and max_size.
- make booleans mutable by creating a copy instead of handing out
the same scalar (reported by pasha sadri).
- - added support for incremental json parsing (still EXPERIMENTAL).
+ - added support for incremental json parsing (still EXPERIMENTAL).
- implemented and added a json_xs command line utility that can convert
from/to a number of serialisation formats - tell me if you need more.
- implement allow_unknown/get_allow_unknown methods.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-3.01/META.json new/JSON-XS-3.02/META.json
--- old/JSON-XS-3.01/META.json 2013-10-29 16:55:40.000000000 +0100
+++ new/JSON-XS-3.02/META.json 2016-02-26 22:46:28.000000000 +0100
@@ -4,7 +4,7 @@
"unknown"
],
"dynamic_config" : 1,
- "generated_by" : "ExtUtils::MakeMaker version 6.8, CPAN::Meta::Converter version 2.120921",
+ "generated_by" : "ExtUtils::MakeMaker version 7.1, CPAN::Meta::Converter version 2.150001",
"license" : [
"unknown"
],
@@ -27,7 +27,8 @@
},
"configure" : {
"requires" : {
- "ExtUtils::MakeMaker" : "0"
+ "Canary::Stability" : "0",
+ "ExtUtils::MakeMaker" : "6.52"
}
},
"runtime" : {
@@ -38,5 +39,5 @@
}
},
"release_status" : "stable",
- "version" : "3.01"
+ "version" : 3.02
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-3.01/META.yml new/JSON-XS-3.02/META.yml
--- old/JSON-XS-3.01/META.yml 2013-10-29 16:55:40.000000000 +0100
+++ new/JSON-XS-3.02/META.yml 2016-02-26 22:46:28.000000000 +0100
@@ -3,21 +3,22 @@
author:
- unknown
build_requires:
- ExtUtils::MakeMaker: 0
+ ExtUtils::MakeMaker: '0'
configure_requires:
- ExtUtils::MakeMaker: 0
+ Canary::Stability: '0'
+ ExtUtils::MakeMaker: '6.52'
dynamic_config: 1
-generated_by: 'ExtUtils::MakeMaker version 6.8, CPAN::Meta::Converter version 2.120921'
+generated_by: 'ExtUtils::MakeMaker version 7.1, CPAN::Meta::Converter version 2.150001'
license: unknown
meta-spec:
url: http://module-build.sourceforge.net/META-spec-v1.4.html
- version: 1.4
+ version: '1.4'
name: JSON-XS
no_index:
directory:
- t
- inc
requires:
- Types::Serialiser: 0
- common::sense: 0
-version: 3.01
+ Types::Serialiser: '0'
+ common::sense: '0'
+version: 3.02
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-3.01/Makefile.PL new/JSON-XS-3.02/Makefile.PL
--- old/JSON-XS-3.01/Makefile.PL 2013-10-28 22:28:41.000000000 +0100
+++ new/JSON-XS-3.02/Makefile.PL 2016-02-26 22:44:29.000000000 +0100
@@ -1,6 +1,8 @@
-use 5.008002;
+use 5.008003;
use ExtUtils::MakeMaker;
+use Canary::Stability JSON::XS => 1, 5.008003;
+
WriteMakefile(
dist => {
PREOP => 'pod2text XS.pm | tee README >$(DISTVNAME)/README; chmod -R u=rwX,go=rX . ;',
@@ -14,5 +16,6 @@
common::sense => 0,
Types::Serialiser => 0,
},
+ CONFIGURE_REQUIRES => { ExtUtils::MakeMaker => 6.52, Canary::Stability => 0 },
);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-3.01/README new/JSON-XS-3.02/README
--- old/JSON-XS-3.01/README 2013-10-29 16:55:40.000000000 +0100
+++ new/JSON-XS-3.02/README 2016-02-26 22:46:28.000000000 +0100
@@ -354,6 +354,16 @@
# neither this one...
]
+ * literal ASCII TAB characters in strings
+
+ Literal ASCII TAB characters are now allowed in strings (and
+ treated as "\t").
+
+ [
+ "Hello\tWorld",
+ "Hello<TAB>World", # literal <TAB> would not normally be allowed
+ ]
+
$json = $json->canonical ([$enable])
$enabled = $json->get_canonical
If $enable is true (or missing), then the "encode" method will
@@ -624,7 +634,7 @@
protocol and you need to know where the JSON text ends.
JSON::XS->new->decode_prefix ("[1] the tail")
- => ([], 3)
+ => ([1], 3)
INCREMENTAL PARSING
In some cases, there is the need for incremental parsing of JSON texts.
@@ -1431,12 +1441,126 @@
deal with it, as major browser developers care only for features, not
about getting security right).
+"OLD" VS. "NEW" JSON (RFC 4627 VS. RFC 7159)
+ TL;DR: Due to security concerns, JSON::XS will not allow scalar data in
+ JSON texts by default - you need to create your own JSON::XS object and
+ enable "allow_nonref":
+
+ my $json = JSON::XS->new->allow_nonref;
+
+ $text = $json->encode ($data);
+ $data = $json->decode ($text);
+
+ The long version: JSON being an important and supposedly stable format,
+ the IETF standardised it as RFC 4627 in 2006. Unfortunately, the
+ inventor of JSON, Dougles Crockford, unilaterally changed the definition
+ of JSON in javascript. Rather than create a fork, the IETF decided to
+ standardise the new syntax (apparently, so Iw as told, without finding
+ it very amusing).
+
+ The biggest difference between thed original JSON and the new JSON is
+ that the new JSON supports scalars (anything other than arrays and
+ objects) at the toplevel of a JSON text. While this is strictly
+ backwards compatible to older versions, it breaks a number of protocols
+ that relied on sending JSON back-to-back, and is a minor security
+ concern.
+
+ For example, imagine you have two banks communicating, and on one side,
+ trhe JSON coder gets upgraded. Two messages, such as 10 and 1000 might
+ then be confused to mean 101000, something that couldn't happen in the
+ original JSON, because niether of these messages would be valid JSON.
+
+ If one side accepts these messages, then an upgrade in the coder on
+ either side could result in this becoming exploitable.
+
+ This module has always allowed these messages as an optional extension,
+ by default disabled. The security concerns are the reason why the
+ default is still disabled, but future versions might/will likely upgrade
+ to the newer RFC as default format, so you are advised to check your
+ implementation and/or override the default with "->allow_nonref (0)" to
+ ensure that future versions are safe.
+
INTEROPERABILITY WITH OTHER MODULES
"JSON::XS" uses the Types::Serialiser module to provide boolean
constants. That means that the JSON true and false values will be
comaptible to true and false values of iother modules that do the same,
such as JSON::PP and CBOR::XS.
+INTEROPERABILITY WITH OTHER JSON DECODERS
+ As long as you only serialise data that can be directly expressed in
+ JSON, "JSON::XS" is incapable of generating invalid JSON output (modulo
+ bugs, but "JSON::XS" has found more bugs in the official JSON testsuite
+ (1) than the official JSON testsuite has found in "JSON::XS" (0)).
+
+ When you have trouble decoding JSON generated by this module using other
+ decoders, then it is very likely that you have an encoding mismatch or
+ the other decoder is broken.
+
+ When decoding, "JSON::XS" is strict by default and will likely catch all
+ errors. There are currently two settings that change this: "relaxed"
+ makes "JSON::XS" accept (but not generate) some non-standard extensions,
+ and "allow_tags" will allow you to encode and decode Perl objects, at
+ the cost of not outputting valid JSON anymore.
+
+ TAGGED VALUE SYNTAX AND STANDARD JSON EN/DECODERS
+ When you use "allow_tags" to use the extended (and also nonstandard and
+ invalid) JSON syntax for serialised objects, and you still want to
+ decode the generated When you want to serialise objects, you can run a
+ regex to replace the tagged syntax by standard JSON arrays (it only
+ works for "normal" packagesnames without comma, newlines or single
+ colons). First, the readable Perl version:
+
+ # if your FREEZE methods return no values, you need this replace first:
+ $json =~ s/\( \s* (" (?: [^\\":,]+|\\.|::)* ") \s* \) \s* \[\s*\]/[$1]/gx;
+
+ # this works for non-empty constructor arg lists:
+ $json =~ s/\( \s* (" (?: [^\\":,]+|\\.|::)* ") \s* \) \s* \[/[$1,/gx;
+
+ And here is a less readable version that is easy to adapt to other
+ languages:
+
+ $json =~ s/\(\s*("([^\\":,]+|\\.|::)*")\s*\)\s*\[/[$1,/g;
+
+ Here is an ECMAScript version (same regex):
+
+ json = json.replace (/\(\s*("([^\\":,]+|\\.|::)*")\s*\)\s*\[/g, "[$1,");
+
+ Since this syntax converts to standard JSON arrays, it might be hard to
+ distinguish serialised objects from normal arrays. You can prepend a
+ "magic number" as first array element to reduce chances of a collision:
+
+ $json =~ s/\(\s*("([^\\":,]+|\\.|::)*")\s*\)\s*\[/["XU1peReLzT4ggEllLanBYq4G9VzliwKF",$1,/g;
+
+ And after decoding the JSON text, you could walk the data structure
+ looking for arrays with a first element of
+ "XU1peReLzT4ggEllLanBYq4G9VzliwKF".
+
+ The same approach can be used to create the tagged format with another
+ encoder. First, you create an array with the magic string as first
+ member, the classname as second, and constructor arguments last, encode
+ it as part of your JSON structure, and then:
+
+ $json =~ s/\[\s*"XU1peReLzT4ggEllLanBYq4G9VzliwKF"\s*,\s*("([^\\":,]+|\\.|::)*")\s*,/($1)[/g;
+
+ Again, this has some limitations - the magic string must not be encoded
+ with character escapes, and the constructor arguments must be non-empty.
+
+RFC7159
+ Since this module was written, Google has written a new JSON RFC, RFC
+ 7159 (and RFC7158). Unfortunately, this RFC breaks compatibility with
+ both the original JSON specification on www.json.org and RFC4627.
+
+ As far as I can see, you can get partial compatibility when parsing by
+ using "->allow_nonref". However, consider thew security implications of
+ doing so.
+
+ I haven't decided yet when to break compatibility with RFC4627 by
+ default (and potentially leave applications insecure) and change the
+ default to follow RFC7159, but application authors are well advised to
+ call "->allow_nonref(0)" even if this is the current default, if they
+ cannot handle non-reference values, in preparation for the day when the4
+ default will change.
+
THREADS
This module is *not* guaranteed to be thread safe and there are no plans
to change this until Perl gets thread support (as opposed to the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-3.01/XS.pm new/JSON-XS-3.02/XS.pm
--- old/JSON-XS-3.01/XS.pm 2013-10-29 16:55:34.000000000 +0100
+++ new/JSON-XS-3.02/XS.pm 2016-02-26 22:46:21.000000000 +0100
@@ -103,7 +103,7 @@
use common::sense;
-our $VERSION = 3.01;
+our $VERSION = 3.02;
our @ISA = qw(Exporter);
our @EXPORT = qw(encode_json decode_json);
@@ -406,6 +406,16 @@
# neither this one...
]
+=item * literal ASCII TAB characters in strings
+
+Literal ASCII TAB characters are now allowed in strings (and treated as
+C<\t>).
+
+ [
+ "Hello\tWorld",
+ "Hello<TAB>World", # literal <TAB> would not normally be allowed
+ ]
+
=back
=item $json = $json->canonical ([$enable])
@@ -689,7 +699,7 @@
and you need to know where the JSON text ends.
JSON::XS->new->decode_prefix ("[1] the tail")
- => ([], 3)
+ => ([1], 3)
=back
@@ -1555,6 +1565,47 @@
security right).
+=head1 "OLD" VS. "NEW" JSON (RFC 4627 VS. RFC 7159)
+
+TL;DR: Due to security concerns, JSON::XS will not allow scalar data in
+JSON texts by default - you need to create your own JSON::XS object and
+enable C
participants (1)
-
root@hilbert.suse.de