[Buildroot] [PATCH] package/plg-utils: escape \ in generated legal-info

Peter Korsgaard peter at korsgaard.com
Sun Feb 7 09:35:44 UTC 2021


>>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:

 > In the output of legal-info, which is JSON-formatted, we include the
 > CPE_ID (when it is valid).

 > For xerces, the CPE_ID contains two sequences of \+ (which is exactly
 > what is present in the NIST DB, [0]).

 > However, in JSON, like in C, \ escapes the following character; only a
 > very limited set of characters are valid to escape: " \ / b f n r t u.
 > Escaping any other character is invalid. Conformant JSON parsers will
 > choke on invalid sequences, and so does the json python module:

 >       File "/usr/lib/python2.7/json/decoder.py", line 380, in raw_decode
 >         obj, end = self.scan_once(s, idx)
 >     ValueError: Invalid \escape: line 1 column 608554 (char 608553)

 > We fix that by globally escaping \ in our json output, in the generic
 > sanitising macro.

 > [0] https://nvd.nist.gov/products/cpe/detail/645?namingFormat=2.3&orderBy=CPEURI&keyword=xerces&status=FINAL

I still wonder if it wouldn't be better to not have the backslashes in
the variable and do whatever escaping is needed inside the CVE logic,
but OK - we need a quick fix and this solves it.

Perhaps we should add a gitlab test to verify that we generate valid
json, e.g. by piping it to jq (or similar).

Committed, thanks.

-- 
Bye, Peter Korsgaard
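The failure mode discussed in the thread, reproduced as an added example (not Buildroot's own legal-info code): a hand-built JSON emitter that embeds a CPE ID containing `\+` produces invalid JSON unless the backslash is escaped first, and a validity check of the kind Peter suggests catches it. The CPE value and the `cpe-id` key are constructed for the example.

```python
import json

# Constructed sample: a CPE 2.3 ID containing the "\+" sequences the thread
# describes (the real xerces entry from the NIST DB is not reproduced here).
SAMPLE_CPE_ID = r"cpe:2.3:a:example:xerces\+\+:1.0:*:*:*:*:*:*:*"


def json_escape(value: str) -> str:
    """Escape a string for use inside a JSON string literal.

    The backslash must be doubled first; doing it after the quote
    replacement would re-escape the backslash that replacement introduced.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def render_legal_info(cpe_id: str, escape: bool) -> str:
    """Mimic a template-style emitter (like a make macro) that pastes the
    id into a JSON document. The "cpe-id" key is an assumption."""
    field = json_escape(cpe_id) if escape else cpe_id
    return '{"cpe-id": "%s"}' % field


def is_valid_json(text: str) -> bool:
    """The check a CI job would run: does a conformant parser accept it?"""
    try:
        json.loads(text)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False


def roundtrips(cpe_id: str) -> bool:
    """Escaped output must decode back to the original id unchanged."""
    return json.loads(render_legal_info(cpe_id, escape=True))["cpe-id"] == cpe_id


if __name__ == "__main__":
    print("unescaped valid:", is_valid_json(render_legal_info(SAMPLE_CPE_ID, False)))
    print("escaped valid:  ", is_valid_json(render_legal_info(SAMPLE_CPE_ID, True)))
    print("roundtrip ok:   ", roundtrips(SAMPLE_CPE_ID))
```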