[Tarantool-patches] [PATCH] json: fix silent change of global json settings

Nikita Pettik korablev at tarantool.org
Mon Feb 10 16:08:23 MSK 2020


On 10 Feb 10:57, Olga Arkhangelskaia wrote:
> When json.decode is used with 2 arguments, 2nd argument seeps out to global
> json settings. Morover, 

Nit: Moreover.

> due to current serialier.cfg implementation it

-> serializer

> remains invisible while checking settings by json.cfg. To prevent sucj

-> such

> behaviour we stop writing to global serializer struct and use local one,
> to get one-time action.
> As was mention before json.cfg can not be trusted in this case, so to check that
> everything remained unchanged we call decode twice with and without 2nd
> argument.
> 
> Closes #4761

Note that there's no 'Closes #4761' label on your actual branch.
I guess you simply forgot to push updated branch.

> ---
> +    --
> +    -- gh-4761 json.decode silently changes global settings of json when called
> +    -- with 2d parameter
> +    --
> +    test:ok(pcall(serializer.decode,'{"1":{"b":{"c":1,"d":null}},"a":1}'))
>  
>      --
>      -- gh-3514: fix parsing integers with exponent in json
> diff --git a/third_party/lua-cjson/lua_cjson.c b/third_party/lua-cjson/lua_cjson.c
> index 3d25814f3..f855cbd80 100644
> --- a/third_party/lua-cjson/lua_cjson.c
> +++ b/third_party/lua-cjson/lua_cjson.c
> @@ -1004,13 +1004,13 @@ static int json_decode(lua_State *l)
>      luaL_argcheck(l, lua_gettop(l) == 2 || lua_gettop(l) == 1, 1,
>                    "expected 1 or 2 arguments");
>  
> +    struct luaL_serializer *cfg = luaL_checkserializer(l);

Nit: I'd add a brief comment here (to avoid any confusions concerning
copying object on the stack):

diff --git a/third_party/lua-cjson/lua_cjson.c b/third_party/lua-cjson/lua_cjson.c
index f855cbd80..c9c987c8c 100644
--- a/third_party/lua-cjson/lua_cjson.c
+++ b/third_party/lua-cjson/lua_cjson.c
@@ -1006,6 +1006,14 @@ static int json_decode(lua_State *l)
 
     struct luaL_serializer *cfg = luaL_checkserializer(l);
     struct luaL_serializer user_cfg = *cfg;
+    /*
+     * user_cfg is per-call local version of global cfg: it is
+     * used if user passes custom options to :decode() method
+     * as a separate arguments. In this case it is required
+     * to avoid modifying global parameters. Life span of
+     * user_cfg is restricted by the scope of :decode() so it
+     * is enough to allocate it on the stack.
+     */
     json.cfg = cfg;
     if (lua_gettop(l) == 2) {

> +    struct luaL_serializer user_cfg = *cfg;
> +    json.cfg = cfg;

What is more, you can avoid premature copying on the stack:

@@ -1005,9 +1005,10 @@ static int json_decode(lua_State *l)
                   "expected 1 or 2 arguments");
 
     struct luaL_serializer *cfg = luaL_checkserializer(l);
-    struct luaL_serializer user_cfg = *cfg;
+    struct luaL_serializer user_cfg;
     json.cfg = cfg;
     if (lua_gettop(l) == 2) {
+        user_cfg = *cfg;
         luaL_serializer_parse_options(l, &user_cfg);
         lua_pop(l, 1);
         json.cfg = &user_cfg;

>      if (lua_gettop(l) == 2) {
> -        struct luaL_serializer *user_cfg = luaL_checkserializer(l);
> -        luaL_serializer_parse_options(l, user_cfg);
> +        luaL_serializer_parse_options(l, &user_cfg);


More information about the Tarantool-patches mailing list