  1. LDEV-1126

Lucee evaluates arithmetic CFML Expressions in JSON

    Details

    • Type: Bug
    • Status: Deployed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.1.1.53
    • Labels:
      None

      Description

      Lucee's JSON parsing is allowing strings that are not valid JSON.

      myVar = '12/20/2016';
      writeDump( isJson(myVar) );
      writeDump( deserializeJSON(myVar) );
      

      Adobe CF correctly returns false and throws an error on the last line. Lucee returns true and evaluates it as a CFML expression, "deserializing" it into 0.000297619048.

      There are two issues with this:

      • That string is not valid JSON in the first place. A valid JSON string should be encased in double quotes.
      • Even if Lucee tried to treat it as a number, arithmetic operators are not allowed, just numbers.
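
A guard for the case reported above, as an added example that is not part of the original report or of Lucee's fix: it rejects any top-level scalar that is not a JSON number, double-quoted string or literal before handing the text to deserializeJSON(). The helper names isStrictJsonScalar and safeDeserializeJSON and the InvalidJSON exception type are hypothetical, and values nested inside arrays or objects are passed to the native parser unchecked.

```cfml
<cfscript>
// Added example: helper names are hypothetical, not part of Lucee.

// True only when the trimmed text is a scalar the JSON grammar (RFC 8259)
// allows at the top level: a number, a double-quoted string, or a literal.
boolean function isStrictJsonScalar( required string text ) {
    var t = trim( arguments.text );
    // Number: optional minus, integer part without leading zeros, optional
    // fraction and exponent. Operators such as "/" or "+" can never match.
    if ( reFind( "^-?(0|[1-9][0-9]*)(\.[0-9]+)?([eE][+-]?[0-9]+)?$", t ) ) return true;
    // String: double quotes, backslash escapes limited to JSON's own set.
    if ( reFind( '^"([^"\\]|\\["\\/bfnrt]|\\u[0-9a-fA-F]{4})*"$', t ) ) return true;
    // Literals are lowercase only; compare() is case sensitive.
    return compare( t, "true" ) == 0 || compare( t, "false" ) == 0 || compare( t, "null" ) == 0;
}

// Objects and arrays go to the native parser as-is; anything else must pass
// the strict scalar check first, so "12/20/2016" is never evaluated.
any function safeDeserializeJSON( required string text ) {
    var first = left( trim( arguments.text ), 1 );
    if ( first != "{" && first != "[" && !isStrictJsonScalar( arguments.text ) ) {
        throw( type="InvalidJSON", message="Input is not a JSON document" );
    }
    return deserializeJSON( arguments.text );
}

// Constructed inputs: the string from the report plus valid and invalid scalars.
samples = [ '12/20/2016', '"12/20/2016"', '1+1', '0.5', '-1e3', 'true', 'TRUE', '{"d":"12/20/2016"}' ];
for ( s in samples ) {
    try {
        result = serializeJSON( safeDeserializeJSON( s ) );
        writeOutput( encodeForHTML( s & " => accepted as " & result ) & "<br>" );
    } catch ( InvalidJSON e ) {
        writeOutput( encodeForHTML( s & " => rejected" ) & "<br>" );
    }
}
</cfscript>
```

With this guard in front of the parser, '12/20/2016', '1+1' and 'TRUE' are rejected regardless of which engine version runs underneath.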

            People

            • Assignee:
              michaeloffner Michael Offner
              Reporter:
              bdw429s Brad Wood

                Time Tracking

                Original Estimate: Not Specified
                Remaining Estimate: 0 minutes
                Time Spent: 3 hours