Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
deepsun 4 months ago

Some parsers, like PHP, may treat 65537 and "65537" the same. Room for vulnerability.

int_19h 4 months ago | parent [-]

Why would they do so? It's semantically distinct JSON, even JS itself treats it differently?

dwattttt 4 months ago | parent | next [-]

Time for a trip to the Abbey of Hidden Absurdities.

http://www.thecodelesscode.com/case/161

hiciu 4 months ago | parent | prev [-]

It's PHP. Handling numbers in PHP is complicated enough that a reasonable person would not trust it by default.

https://www.php.net/manual/en/language.types.numeric-strings...

int_19h 4 months ago | parent [-]

I know that PHP will treat a string as if it were a number if you try to use it in a context where number is expected; JS does the same thing. But why would that affect JSON deserialization in a way that makes numbers and strings indistinguishable in principle (causing the loss of precision as described here)?