ugorji / go

idiomatic codec and rpc lib for msgpack, cbor, json, etc. msgpack.org[Go]
MIT License

Decoder accepts indefinite-length CBOR strings containing chunks with mismatched major types #403

Closed benluddy closed 10 months ago

benluddy commented 11 months ago

From https://www.rfc-editor.org/rfc/rfc8949.html#section-3.2.3:

If any item between the indefinite-length string indicator (0b010_11111 or 0b011_11111) and the "break" stop code is not a definite-length string item of the same major type, the string is not well-formed.

But the decoder will currently concatenate nested chunks with different major types without error.

I have a test case here to demonstrate the inputs that I expected would fail: https://github.com/benluddy/ugorji-go/commit/3ef954dd057a0c4b314d5ef9cd5c497618ae23fa. Running it, I see:

--- FAIL: TestCborIndefiniteLengthStringChunksCannotMixTypes (0.00s)
    cbor_test.go:109: expected error but decoded 0x7f40ff to: ""
    cbor_test.go:109: expected error but decoded 0x5f60ff to: ""

ugorji commented 10 months ago

Fixed with f7f63a0a821cb85bc908002b89754aa954ed76ea
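
An added illustration of the RFC 8949 section 3.2.3 rule quoted in the issue, written for this page and not taken from ugorji/go, the fix commit, or the linked test: a stand-alone check that rejects chunks whose major type differs from the enclosing indefinite-length string. The names `joinChunks` and `errMalformed` are hypothetical; the function assumes its input is a single top-level indefinite-length string and does not validate UTF-8 in text chunks.

```go
package main

import (
	"errors"
	"fmt"
)

var errMalformed = errors.New("cbor: indefinite-length string is not well-formed")

// joinChunks applies the RFC 8949 section 3.2.3 rule and returns the joined payload.
func joinChunks(b []byte) ([]byte, error) {
	if len(b) == 0 || (b[0] != 0x5f && b[0] != 0x7f) {
		return nil, errMalformed
	}
	major, out := b[0]>>5, []byte{} // major: 2 = byte string, 3 = text string
	for i := 1; i < len(b); {
		if b[i] == 0xff { // "break" stop code ends the string
			return out, nil
		}
		if b[i]>>5 != major {
			return nil, fmt.Errorf("%w: chunk of major type %d inside type %d", errMalformed, b[i]>>5, major)
		}
		info := b[i] & 0x1f
		if info > 27 { // 28-30 are reserved, 31 would be a nested indefinite chunk
			return nil, errMalformed
		}
		n, w := uint64(info), 0 // payload length, and width of an extended length field
		if info >= 24 {
			n, w = 0, 1<<(info-24) // 1, 2, 4 or 8 big-endian length bytes follow
		}
		if len(b)-i-1 < w {
			return nil, errMalformed
		}
		for _, c := range b[i+1 : i+1+w] {
			n = n<<8 | uint64(c)
		}
		i += 1 + w
		if n > uint64(len(b)-i) {
			return nil, errMalformed
		}
		out = append(out, b[i:i+int(n)]...)
		i += int(n)
	}
	return nil, errMalformed // input ended before the break
}

func main() {
	fmt.Println(joinChunks([]byte{0x7f, 0x40, 0xff})) // constructed input from the issue
}
```

Both inputs from the issue (0x7f40ff and 0x5f60ff) are rejected here, while same-type chunks are concatenated.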