SoSick88 / gitiles

Automatically exported from code.google.com/p/gitiles

REST API JSON output corrupted (project listing) #22

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. curl -s https://gerrit.googlesource.com/?format=JSON | head

What is the expected output? 
-------------------------------------------------------------------
{
  "Public-Plugins": {
    "name": "Public-Plugins",
    "clone_url": "https://gerrit.googlesource.com/Public-Plugins",
    "description": "Parent project for plugins/*"
  },
  "Public-Projects": {
    "name": "Public-Projects",
    "clone_url": "https://gerrit.googlesource.com/Public-Projects",
-------------------------------------------------------------------

What do you see instead?
Notice the very first line: )]}'
-------------------------------------------------------------------
)]}'
{
  "Public-Plugins": {
    "name": "Public-Plugins",
    "clone_url": "https://gerrit.googlesource.com/Public-Plugins",
    "description": "Parent project for plugins/*"
  },
  "Public-Projects": {
    "name": "Public-Projects",
    "clone_url": "https://gerrit.googlesource.com/Public-Projects",
-------------------------------------------------------------------

What version of the product are you using? On what operating system?
The version of gitiles that powers https://gerrit.googlesource.com/ at the time 
of writing

Original issue reported on code.google.com by manuel.v...@gmail.com on 1 Mar 2013 at 8:11

GoogleCodeExporter commented 9 years ago
This is probably on purpose, Gerrit also includes this prefix on its JSON 
output to prevent injection in scripts.

Original comment by choro...@wikimedia.org on 18 Mar 2013 at 7:24

GoogleCodeExporter commented 9 years ago
Indeed, working as intended. Many JSON libraries support adding a special 
prefix to make the returned source non-executable in order to prevent XSSI 
attacks; see for example 
https://code.google.com/p/google-gson/issues/detail?id=42

This prefix is always constant for Gitiles, so you can strip the first 5 bytes 
of the output. Or up to the first newline, your choice.

Original comment by dborowitz@google.com on 28 Mar 2013 at 3:15
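A client-side illustration of the stripping advice in the comment above, added here as an example and not code from the Gitiles project or from any commenter. It assumes only what the thread states: the guard is the constant `)]}'` on its own line ahead of the JSON body. The sample response is constructed from the output quoted in the report (not a live capture), and the function names are mine.

```python
import json

# Anti-XSSI guard that Gitiles (and Gerrit) prepend to JSON responses,
# as described in the thread: these four bytes followed by a newline.
XSSI_PREFIX = b")]}'"

# Constructed sample mirroring what `curl -s https://gerrit.googlesource.com/?format=JSON`
# printed in the report above, trimmed to two projects. Not a live capture.
SAMPLE_RESPONSE = (
    b")]}'\n"
    b"{\n"
    b'  "Public-Plugins": {\n'
    b'    "name": "Public-Plugins",\n'
    b'    "clone_url": "https://gerrit.googlesource.com/Public-Plugins",\n'
    b'    "description": "Parent project for plugins/*"\n'
    b"  },\n"
    b'  "Public-Projects": {\n'
    b'    "name": "Public-Projects",\n'
    b'    "clone_url": "https://gerrit.googlesource.com/Public-Projects"\n'
    b"  }\n"
    b"}\n"
)


def naive_parse_fails(body: bytes) -> bool:
    """True if feeding the raw body straight to json.loads raises, which is
    the 'corrupted output' symptom the reporter saw: )]}' is not valid JSON."""
    try:
        json.loads(body.decode("utf-8"))
        return False
    except json.JSONDecodeError:
        return True


def strip_xssi_prefix(body: bytes) -> bytes:
    """Remove the )]}' guard if present; otherwise return the body unchanged.

    Blindly dropping 'the first 5 bytes' or 'everything up to the first
    newline' would corrupt a response that carries no guard (for example a
    different server, or a plain error page), so the exact prefix is checked
    first. After the guard, leading whitespace is dropped so that a bare
    newline, CRLF, or no newline at all are all handled; JSON ignores leading
    whitespace anyway, so this cannot remove anything meaningful.
    """
    if not body.startswith(XSSI_PREFIX):
        return body
    return body[len(XSSI_PREFIX):].lstrip()


def parse_gitiles_json(body: bytes):
    """Decode a Gitiles ?format=JSON response body into Python objects."""
    return json.loads(strip_xssi_prefix(body).decode("utf-8"))


def list_projects(body: bytes):
    """Return (name, clone_url) pairs from a project-listing response."""
    listing = parse_gitiles_json(body)
    return [(name, info["clone_url"]) for name, info in listing.items()]


if __name__ == "__main__":
    # Pipe real output in with:  curl -s https://gerrit.googlesource.com/?format=JSON | python3 this_script.py
    import sys
    data = sys.stdin.buffer.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    for name, url in list_projects(data):
        print(f"{name}\t{url}")
```

The reason the guard works is visible in `naive_parse_fails`: as JavaScript, `)]}'` is a syntax error before any object literal is reached, so a page that tried to include the response via `<script src=...>` gets nothing; an XHR or curl client that knows to strip the prefix is unaffected.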