-
Notifications
You must be signed in to change notification settings - Fork 65
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(ciborium-ll): fail decoding invalid two-byte encodings of simple values #140
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Please reword the commit to use the |
… values Signed-off-by: Emanuel Pilz <[email protected]>
c1b31a6
to
6792475
Compare
Whoops, forgot about that. Force pushed. |
@emonadeo @rjzak I don't think this patch was ready to merge. There are clearly unresolved questions in the comments in the patch. I'm also not understanding why this patch is necessary. The spec says that an encoder must not produce those bytes. But, if I understand this patch correctly, it stops the decoder from decoding these bytes. Is that correct? |
I forgot about that comment I created. But I am a bit surprised this got merged without addressing the RFC about the encoding illegal Simple headers.
Yes, that is correct. Ciborium can decode cbor that was produced by different means. The unittests could alternatively be removed, but I think they are correct. |
@emonadeo There is a long standing practice in codecs to be strict during encoding and liberal during decoding (so long as it doesn't create a security risk). This crate follows that methodology. This patch implements a requirement that goes above and beyond what the standard requires and goes against the methodology of this crate to be liberal during decoding. The other problem is that But I want to be very clear that if there is justification to break that structure, I'm happy to be convinced. |
@rjzak Let's rollback since I don't yet see justification for this approach. |
There isn't besides unittest happy.
This PR definitely doesn't align with that. Reconsidering how the spec is worded it's probably intended. +1 on rolling back. Much appreciate the feedback. |
What's the best approach? I was thinking of a rebase and drop this commit and force push. Is there a better way? |
Done. |
Unblocks #137.
In context of simple values, the spec states:
While ciborium adheres to this, ciborium-ll does not.
This PR adds a check that catches it in ciborium-ll.
RFC: Fail encoding
Simple(24)
..Simple(30)
andSimple(31)
?This PR only adds a check when decoding a.k.a. calling
decoder.pull()
.However vice-versa encoding
Simple(24)
..Simple(30)
should not be possible.Simple(24)
is irrepresentableSimple(25)
..Simple(27)
are floatsSimple(28)
..Simple(30)
are reserved and not considered well-formedIt's also worth noting that
Simple(31)
andBreak
are equivalent. Should both be allowed or shouldSimple(31)
error in favor ofBreak
?Footnotes
https://www.rfc-editor.org/rfc/rfc8949.html#section-3.3-5 ↩