
last key wins is terrible advice and has serious security implications.

see https://bishopfox.com/blog/json-interoperability-vulnerabili... or https://www.cvedetails.com/cve/CVE-2017-12635/ for concrete examples where this treatment causes security issues.

the https://datatracker.ietf.org/doc/html/rfc7493 defines a more strict format where duplicate keys are not allowed.



Last key wins is the most common behavior among widely-used implementations. It should be assumed as the default.
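Added example, not part of either comment above: Python's standard `json` module shown under three duplicate-key policies, so the disagreement between parsers and the RFC 7493 style rejection are both visible. The helper names (`strict_loads`, `first_key_wins_loads`, `compare`) and the sample documents are constructed for this illustration; the first-key-wins loader only stands in for a different implementation.

```python
import json


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a member name."""


def _reject_duplicates(pairs):
    # object_pairs_hook receives each object's members as an ordered list of
    # (key, value) pairs before they are collapsed into a dict. Keys arrive
    # already unescaped, so "\u0072ole" and "role" compare equal here.
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        seen[key] = value
    return seen


def _first_wins(pairs):
    out = {}
    for key, value in pairs:
        out.setdefault(key, value)  # keep the first occurrence only
    return out


def strict_loads(text):
    """Parse JSON, rejecting duplicate keys at any nesting depth."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def first_key_wins_loads(text):
    """Stand-in (assumption) for an implementation that keeps the first key."""
    return json.loads(text, object_pairs_hook=_first_wins)


# Constructed sample: two components parsing these bytes can disagree on "role".
SAMPLE = '{"user": "alice", "role": "viewer", "role": "admin"}'


def compare(text):
    """Return how the three policies interpret the same document."""
    result = {"last_wins": json.loads(text),  # stdlib default: last key wins
              "first_wins": first_key_wins_loads(text)}
    try:
        result["strict"] = strict_loads(text)
    except DuplicateKeyError as exc:
        result["strict"] = f"rejected: {exc}"
    return result
```

Rejecting at the trust boundary means every downstream consumer sees a document with exactly one value per key, whatever policy its own parser uses.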



