
91: Stack overflow error caused by jakarta.json parsing of untrusted JSON String

Open jbescos opened this issue 1 year ago • 4 comments

Backport of https://github.com/eclipse-ee4j/parsson/pull/92 in issue https://github.com/eclipse-ee4j/parsson/issues/91

jbescos avatar Oct 28 '24 07:10 jbescos

Thanks @jbescos, but I don't see this project doing any more releases.

This project is now part of the EE4J initiative. This repository has been archived as all activities are now happening in the corresponding Eclipse repository. See here for the overall EE4J transition status.

keilw avatar Oct 29 '24 11:10 keilw


Exceptionally, we reopen these archived projects and we make a new release. We didn't do it so far in jsonp, but I think it will be possible.

For the time being, could you please review it and approve/merge if the fix suits you?

We need to apply this fix also in version 1.0.4, but there is no branch for it. Are you able to create a new branch from tag jsonp-1.0.4? I will create a new PR to that branch.

jbescos avatar Oct 29 '24 12:10 jbescos

Technically I could, but who needs that kind of fork after all these years? Do you have a requirement/vendor that must use the old version instead of Jakarta EE 8 or higher?

keilw avatar Oct 29 '24 12:10 keilw


This is for WebLogic 12c and 14g.

jbescos avatar Oct 29 '24 12:10 jbescos

@keilw could you merge this, please? I want to have it here, so that in case there is another security issue in the future, this fix will also be included.

Note that @edbratt opened this repo for this.

jbescos avatar Nov 04 '24 07:11 jbescos

@edbratt Can you confirm this need by WebLogic? Most other spec repositories here are archived, so I want to be sure there is a real business case for it.

I was told so especially working in the WebLogic support team some years ago ;-)

keilw avatar Nov 04 '24 09:11 keilw

Yes, this is required.

edbratt avatar Nov 05 '24 15:11 edbratt

@keilw would you be able to create the branch as I said here, please? https://github.com/javaee/jsonp/pull/87#issuecomment-2444017510

jbescos avatar Nov 06 '24 06:11 jbescos

@jbescos I'm afraid that, maybe because it was archived before or for another reason, I no longer have write access to this repository.

This branch has no conflicts with the base branch. Only those with write access to this repository can merge pull requests.

@edbratt Are you an admin, maybe you can help grant me write access again, otherwise @m0mus could help?

keilw avatar Nov 06 '24 21:11 keilw