Skip to content

Python implementation of json.loads() accepts non-ascii digits #125682

New issue
New issue
Closed
Closed
Python implementation of json.loads() accepts non-ascii digits#125682
Labels
3.12only security fixes3.13bugs and security fixes3.14bugs and security fixesstdlibPython modules in the Lib dirtype-bugAn unexpected behavior, bug, or error
@nineteendo

Description

@nineteendo
nineteendo
opened on Oct 18, 2024

Bug report

Bug description:

You should be careful when matching unicode regexes:

cpython/Lib/json/scanner.py

Lines 11 to 13 in a0f5c8e

NUMBER_RE = re.compile(
r'(-?(?:0|[1-9]\d*))(\.\d+)?([eE][-+]?\d+)?',
(re.VERBOSE | re.MULTILINE | re.DOTALL)) 

>>> import sys
>>> sys.modules["_json"] = None
>>> import json
>>> json.loads("[1\uff10, 0.\uff10, 0e\uff10]")
[10, 0.0, 0.0]

I think it's safer to use [0-9] instead of \d here.

CPython versions tested on:

3.13

Operating systems tested on:

macOS

Linked PRs

Metadata

Metadata

Assignees

No one assigned

    Labels

    3.12only security fixes3.13bugs and security fixes3.14bugs and security fixesstdlibPython modules in the Lib dirtype-bugAn unexpected behavior, bug, or error

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions