json 2.19.1 → 2.19.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +8 -0
  3. data/ext/json/ext/parser/parser.c +22 -5
  4. data/lib/json/version.rb +1 -1
  5. metadata +1 -1
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 04f1d3824b8119f86068d5c61701115a38fd9b0b37e59fb868baca59cb49fe6c
4
- data.tar.gz: f9267f5bf2c12bd5762878b31873052b85022354da9dc347d06f05fa0dd2f5e6
3
+ metadata.gz: 3182d9103a2ee3b673b923a4789e947a9cddb850f870f7fdb54d93f3bd1a5493
4
+ data.tar.gz: 0ee85345c9e1c99223f9cc3e859e4a7295f40f88461ca0f47059cfcc4e80154c
5
5
  SHA512:
6
- metadata.gz: 03777fe540a81fa223ca8990d4f9128d97ad57e795fda888ad8a8914208ed5950b1c49d90488a58827d252245d624953750142578b13eacfb82843fd17fb409e
7
- data.tar.gz: 747625c3e441fe66d20710b4029b0b650e54e60313700d3c849b306c1ce2fac7a94dc9471962ccccea0a64031499adae59270149b4f70ed64795f269939fb6c5
6
+ metadata.gz: dedf64066bc4017b977330468b01613ce1d4a78c267b38519b7ef2705368e5d73187b64ca99777afaf900cc5f58523a722833e83c0ee011944bf15b34c33479e
7
+ data.tar.gz: c187fa755e0a7bd2e2ddb74498062a8138ac4882630713e3372886b5648a22a453b1a388174038b2d4144a724e1d44d5b444b190e49e3e7eb2047d8b98eef0a8
data/CHANGES.md CHANGED
@@ -2,6 +2,14 @@
2
2
 
3
3
  ### Unreleased
4
4
 
5
+ ### 2026-03-25 (2.19.3)
6
+
7
+ * Fix handling of unescaped control characters preceeded by a backslash.
8
+
9
+ ### 2026-03-18 (2.19.2)
10
+
11
+ * Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`.
12
+
5
13
  ### 2026-03-08 (2.19.1)
6
14
 
7
15
  * Fix a compiler dependent GC bug introduced in `2.18.0`.
data/ext/json/ext/parser/parser.c CHANGED
@@ -402,11 +402,9 @@ static void emit_parse_warning(const char *message, JSON_ParserState *state)
402
402
 
403
403
  #define PARSE_ERROR_FRAGMENT_LEN 32
404
404
 
405
- NORETURN(static) void raise_parse_error(const char *format, JSON_ParserState *state)
405
+ static VALUE build_parse_error_message(const char *format, JSON_ParserState *state, long line, long column)
406
406
  {
407
407
  unsigned char buffer[PARSE_ERROR_FRAGMENT_LEN + 3];
408
- long line, column;
409
- cursor_position(state, &line, &column);
410
408
 
411
409
  const char *ptr = "EOF";
412
410
  if (state->cursor && state->cursor < state->end) {
@@ -441,11 +439,23 @@ NORETURN(static) void raise_parse_error(const char *format, JSON_ParserState *st
441
439
  VALUE msg = rb_sprintf(format, ptr);
442
440
  VALUE message = rb_enc_sprintf(enc_utf8, "%s at line %ld column %ld", RSTRING_PTR(msg), line, column);
443
441
  RB_GC_GUARD(msg);
442
+ return message;
443
+ }
444
444
 
445
+ static VALUE parse_error_new(VALUE message, long line, long column)
446
+ {
445
447
  VALUE exc = rb_exc_new_str(rb_path2class("JSON::ParserError"), message);
446
448
  rb_ivar_set(exc, rb_intern("@line"), LONG2NUM(line));
447
449
  rb_ivar_set(exc, rb_intern("@column"), LONG2NUM(column));
448
- rb_exc_raise(exc);
450
+ return exc;
451
+ }
452
+
453
+ NORETURN(static) void raise_parse_error(const char *format, JSON_ParserState *state)
454
+ {
455
+ long line, column;
456
+ cursor_position(state, &line, &column);
457
+ VALUE message = build_parse_error_message(format, state, line, column);
458
+ rb_exc_raise(parse_error_new(message, line, column));
449
459
  }
450
460
 
451
461
  NORETURN(static) void raise_parse_error_at(const char *format, JSON_ParserState *state, const char *at)
@@ -748,7 +758,9 @@ NOINLINE(static) VALUE json_string_unescape(JSON_ParserState *state, JSON_Parser
748
758
  }
749
759
  raise_parse_error_at("invalid ASCII control character in string: %s", state, pe - 1);
750
760
  }
751
- } else if (config->allow_invalid_escape) {
761
+ }
762
+
763
+ if (config->allow_invalid_escape) {
752
764
  APPEND_CHAR(*pe);
753
765
  } else {
754
766
  raise_parse_error_at("invalid escape character in string: %s", state, pe - 1);
@@ -895,6 +907,11 @@ NORETURN(static) void raise_duplicate_key_error(JSON_ParserState *state, VALUE d
895
907
  rb_inspect(duplicate_key)
896
908
  );
897
909
 
910
+ long line, column;
911
+ cursor_position(state, &line, &column);
912
+ rb_str_concat(message, build_parse_error_message("", state, line, column)) ;
913
+ rb_exc_raise(parse_error_new(message, line, column));
914
+
898
915
  raise_parse_error(RSTRING_PTR(message), state);
899
916
  RB_GC_GUARD(message);
900
917
  }
data/lib/json/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module JSON
4
- VERSION = '2.19.1'
4
+ VERSION = '2.19.3'
5
5
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: json
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.19.1
4
+ version: 2.19.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Florian Frank