| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| 1.3.5 source code.tar.gz | 2018-11-08 | 119.4 kB | |
| 1.3.5 source code.zip | 2018-11-08 | 143.6 kB | |
| README.md | 2018-11-08 | 1.1 kB | |

See the milestone for all changes.

Security fix for several denial-of-service vulnerabilities:
- CVE-2018-18853: Limit the number of characters for numbers in the parser (#278)
- CVE-2018-18854: Use TreeMap instead of HashMap for JsObject to prevent collision attacks (#277)
- CVE-2018-18855: Fix uncontrolled recursion in parser by limiting nesting depth (#286)
Thanks to Andriy Plokhotnyuk, who brought the first two issues to our attention.
Migration Notes
For some fixes, we added new limits to the parser:
- Maximum depth of nested JSON values, defaults to 1000
- Maximum characters for number values, defaults to 100
We introduced a JsonParserSettings class which can be used to customize these limits. New overloads for JsonParser.apply and String.parseJson have been introduced to specify custom settings.
Also, field ordering changed when printing a JsValue. Use jsValue.sortedPrint if you want to be sure fields are always ordered the same.
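
The parser limits from the migration notes, applied to untrusted input. This is an added example, not code from the spray-json project. The object name, the `parseUntrusted` helper, the sample inputs and the limits of 32 and 20 are assumptions for illustration, and the `JsonParserSettings.default`, `withMaxDepth` and `withMaxNumberCharacters` names are not on this page and are taken from the 1.3.5 library API.

```scala
import spray.json._
import scala.util.{Failure, Success, Try}

object StrictParsingExample extends App {
  // Assumed limits for small API payloads, well below the 1.3.5 defaults
  // of 1000 (nesting depth) and 100 (characters per number).
  val strict: JsonParserSettings =
    JsonParserSettings.default
      .withMaxDepth(32)
      .withMaxNumberCharacters(20)

  // Parse untrusted text with explicit settings. A violated limit is raised
  // by the parser as an exception; it is returned here as Left so the caller
  // can reject the request instead of letting the exception propagate.
  def parseUntrusted(
      text: String,
      settings: JsonParserSettings = strict): Either[String, JsValue] =
    Try(text.parseJson(settings)) match {
      case Success(value) => Right(value)
      case Failure(error) => Left(error.getMessage)
    }

  // Constructed sample inputs.
  val ordinary   = """{"id": 42, "tags": ["a", "b"]}"""
  val deep       = ("[" * 64) + ("]" * 64)        // 64 nested arrays
  val longNumber = s"""{"n": ${"1" * 64}}"""      // 64-digit number

  val samples = Seq(
    "ordinary"   -> ordinary,
    "deep"       -> deep,
    "longNumber" -> longNumber)

  for ((name, text) <- samples) {
    // The same input under the library defaults and under the strict limits.
    val underDefault = parseUntrusted(text, JsonParserSettings.default)
    val underStrict  = parseUntrusted(text)
    println(s"$name: default accepted=${underDefault.isRight}, " +
      s"strict accepted=${underStrict.isRight}")
    underStrict.left.foreach(msg => println(s"  rejected: $msg"))
  }

  // Field order is not fixed when printing; sortedPrint gives a stable
  // ordering, which matters when the output is hashed, signed or diffed.
  parseUntrusted(ordinary).foreach(v => println(v.sortedPrint))
}
```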