fyhack / google-gson

Automatically exported from code.google.com/p/google-gson

Giant strings can be used to DoS parsing #211

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Create a small json file with one name field really big (let's say 3 Mb)
2. Parse that String

What is the expected output? What do you see instead?
Although the json object is a really small one, the fact of having that
really big name field makes the parsing really slow.

What version of the product are you using? On what operating system?
I have tested that with 1.3 and 1.4.  Ubuntu 9.10

Please provide any additional information below.
Although it seems not so important because no one should create a json
object like that, this is an important issue when trying to avoid DoS attacks.

Original issue reported on code.google.com by Enrique....@gmail.com on 26 May 2010 at 6:02

GoogleCodeExporter commented 9 years ago
We're susceptible to denial-of-service attacks on massive strings. I don't 
think we can really work around this, since there can be many situations where 
malicious input data will overwhelm a system. For example, an unterminated 
stream. Or very high magnitude numbers.

If you absolutely need to accept JSON from an untrusted source, sanitize it in 
a separate Java process. Give that process a fixed small memory ceiling, and 
run the parse with a short timeout.

Original comment by limpbizkit on 27 Aug 2010 at 7:38
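
The isolation approach described in the comment above, as an added example that is not part of the original thread or the Gson project: a parent process hands untrusted JSON to a child JVM with a capped heap and kills it if it runs past a deadline. The class name `SanitizerMain`, the 32 MB heap and the 2 second timeout are assumptions; `SanitizerMain` stands for a hypothetical class on the classpath that parses stdin with Gson and exits non-zero on any failure.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.concurrent.TimeUnit;

public class IsolatedJsonCheck {
    // Assumed limits and child entry point; tune for the deployment.
    static final String MAX_HEAP = "-Xmx32m";
    static final long TIMEOUT_SECONDS = 2;
    static final String CHILD_MAIN = "SanitizerMain"; // hypothetical class

    // True only if the child parsed the input and exited 0 before the deadline.
    static boolean parsesSafely(byte[] untrustedJson) throws IOException, InterruptedException {
        Path input = Files.createTempFile("untrusted", ".json");
        Process child = null;
        try {
            Files.write(input, untrustedJson);
            String java = Paths.get(System.getProperty("java.home"), "bin", "java").toString();
            ProcessBuilder pb = new ProcessBuilder(java, MAX_HEAP, "-cp",
                    System.getProperty("java.class.path"), CHILD_MAIN);
            // Feed stdin from a file so a slow child can never block the parent on a pipe write.
            pb.redirectInput(input.toFile());
            // Discard child output so a full pipe buffer cannot stall it (Java 9+).
            pb.redirectErrorStream(true);
            pb.redirectOutput(ProcessBuilder.Redirect.DISCARD);
            child = pb.start();
            // Short timeout: a parse that is still running is treated as hostile input.
            if (!child.waitFor(TIMEOUT_SECONDS, TimeUnit.SECONDS)) {
                return false;
            }
            return child.exitValue() == 0; // OutOfMemoryError or parse failure gives non-zero
        } finally {
            if (child != null) child.destroyForcibly().waitFor(); // kill and reap if still alive
            Files.deleteIfExists(input);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; prints "rejected" if SanitizerMain is not on the classpath.
        byte[] sample = "{\"name\":\"constructed sample\"}".getBytes(StandardCharsets.UTF_8);
        System.out.println(parsesSafely(sample) ? "accepted" : "rejected");
    }
}
```

The parent only learns accept or reject from the exit code; the already-validated bytes are then parsed in the main process, or the child can be extended to emit a re-serialized copy.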