
Bug: decoding CBOR byte string into `time.Time` is allowed if decoding option `DefaultByteStringType` is set to `reflect.TypeOf("")`

Open fxamacker opened this issue 1 year ago • 2 comments

`DefaultByteStringType` is a new decoding option that was recently added in v2.6.0.

Setting the decoding option `DefaultByteStringType` to `reflect.TypeOf("")` causes the unintended side effect of allowing a CBOR byte string to be decoded into `time.Time`. Although decoding a CBOR byte string into `time.Time` is a requested feature, it should not be allowed by a side effect.

Specifically, `parse()` decodes a CBOR byte string into a Go string if the decoding option `DefaultByteStringType` is set to `reflect.TypeOf("")`.

`parseToTime()` converts the decoded Go value from `parse()` to `time.Time`, so a CBOR byte string is decoded to a Go string, which is then converted to `time.Time`.

This side effect is from implementation details and is not intended. `DefaultByteStringType` should be limited to its documented use.

    // DefaultByteStringType is the Go type that should be produced when decoding a CBOR byte
    // string into an empty interface value. Types to which a []byte is convertible are valid
    // for this option, except for array and pointer-to-array types. If nil, the default is
    // []byte.

Thanks @benluddy for initial discussion about this at #497. :+1:

fxamacker avatar Mar 03 '24 22:03 fxamacker
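
A self-contained Go model of the side effect described above, added here as an illustration and not code from the issue or from fxamacker/cbor. The functions `parse` and `toTime`, the `bytesAsString` and `checkWire` parameters, and the sample timestamp are hypothetical, and the wire-type check is one possible guard, not necessarily the fix the project adopted.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Constructed input: one RFC 3339 timestamp (20 bytes) encoded two ways.
const ts = "2024-03-03T22:03:00Z"

var (
	asBytes      = append([]byte{0x54}, ts...) // major type 2 (byte string), len 20
	asText       = append([]byte{0x74}, ts...) // major type 3 (text string), len 20
	errType      = errors.New("CBOR type cannot be decoded into time.Time")
	errMalformed = errors.New("malformed or unsupported item")
)

// parse is a toy generic decoder for short (< 24 bytes) byte/text strings.
// bytesAsString models DefaultByteStringType = reflect.TypeOf("").
func parse(data []byte, bytesAsString bool) (major byte, v interface{}, err error) {
	if len(data) == 0 || len(data) > 24 || int(data[0]&0x1f) != len(data)-1 {
		return 0, nil, errMalformed
	}
	major = data[0] >> 5
	switch {
	case major == 3 || (major == 2 && bytesAsString):
		return major, string(data[1:]), nil
	case major == 2:
		return major, data[1:], nil
	}
	return 0, nil, errMalformed
}

// toTime converts a parsed item to time.Time. With checkWire=false it trusts
// the Go type parse produced (the pattern the issue describes); with
// checkWire=true it also requires the wire type to be a text string.
func toTime(data []byte, bytesAsString, checkWire bool) (time.Time, error) {
	major, v, err := parse(data, bytesAsString)
	if err != nil {
		return time.Time{}, err
	}
	s, ok := v.(string)
	if !ok || (checkWire && major != 3) {
		return time.Time{}, errType
	}
	return time.Parse(time.RFC3339, s)
}

func main() {
	for _, checkWire := range []bool{false, true} {
		_, err := toTime(asBytes, true, checkWire)
		fmt.Printf("byte string, option set, checkWire=%v: err=%v\n", checkWire, err)
	}
}
```

The point for reviewers is that a type decision made on the value returned by a generic decode step inherits every option that step honors, so the accepted wire types widen without any change to the time-decoding code.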

@fxamacker If you haven't already started on this one, I'm happy to pick it up. Just let me know!

benluddy avatar Mar 04 '24 15:03 benluddy

> @fxamacker If you haven't already started on this one, I'm happy to pick it up. Just let me know!

@benluddy Thanks! That would be great! :+1: Now I'm glad I updated the fuzzer on Sunday rather than work on this. :smile:

fxamacker avatar Mar 04 '24 19:03 fxamacker

Closed by #503

fxamacker avatar Mar 14 '24 01:03 fxamacker