Fix handling of extraneous data in Unmarshal() & Valid() #380
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously, Unmarshal() and Valid() ignored extra data (if any) after the current CBOR data item. This matched the behavior of Decoder.Decode(). However, Unmarshal() and Valid() are typically used for single CBOR data item, so extra data (if present) should return ExtraneousDataError. This is a bug fix because the previous behavior of ignoring extra data didn't exactly match RFC 8949 regarding this and was also different from how encoding/json handles this. The behavior for Decoder.Decode() is unchanged because extra data after reading a single CBOR data item is expected for Decoder with io.Reader. Special thanks to zensh for reporting this issue and proposing a solution.
x448
approved these changes
Jan 1, 2023
6 tasks
This was referenced Aug 31, 2023
fxamacker
changed the title
leif
added a commit
to katzenpost/katzenpost
that referenced
this pull request
Feb 7, 2024
this requires that ping use this: https://pkg.go.dev/github.com/fxamacker/cbor/v2#UnmarshalFirst to unmarshal the padded payload and ignore the padding, due to this change in the cbor library: fxamacker/cbor#380
mixmasala
added a commit
to katzenpost/katzenpost
that referenced
this pull request
Mar 22, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously,
Unmarshal()andValid()ignored trailing bytes (if any) after the current CBOR data item. This matched the behavior ofDecoder.Decode().However,
Unmarshal()andValid()are typically used for single CBOR data item, so trailing bytes (if present) should return ExtraneousDataError given what RFC 8949 says:This is a bug fix rather than a new non-default option because the previous behavior of ignoring extra data didn't exactly match RFC 8949 and was also different from how
Marshal()inencoding/jsonhandles extraneous data.Special thanks to @zensh for reporting this issue and proposing a solution.
Closes #359
How to handle extraneous data as non-errors
Decoder.Decode()andUnmarshalFirst()can handle extraneous data as non-errors.Decoder.Decode()usesio.Readerand ignores remaining bytes after reading a single CBOR data item. By design, it does not treat extraneous data as an error.🆕
UnmarshalFirst()will decode first CBOR data item and return trailing bytes (if any). By design, it will not treat extraneous data as an error.Decoder.Decode()andUnmarshalFirst()are also useful for decoding CBOR Sequences (RFC 8742).