draft-ietf-cbor-array-tags-05.txt   draft-ietf-cbor-array-tags-06.txt 
Network Working Group C. Bormann, Ed. Network Working Group C. Bormann, Ed.
Internet-Draft Universitaet Bremen TZI Internet-Draft Universitaet Bremen TZI
Intended status: Informational June 20, 2019 Intended status: Informational August 14, 2019
Expires: December 22, 2019 Expires: February 15, 2020
Concise Binary Object Representation (CBOR) Tags for Typed Arrays Concise Binary Object Representation (CBOR) Tags for Typed Arrays
draft-ietf-cbor-array-tags-05 draft-ietf-cbor-array-tags-06
Abstract Abstract
The Concise Binary Object Representation (CBOR, RFC 7049) is a data The Concise Binary Object Representation (CBOR, RFC 7049) is a data
format whose design goals include the possibility of extremely small format whose design goals include the possibility of extremely small
code size, fairly small message size, and extensibility without the code size, fairly small message size, and extensibility without the
need for version negotiation. need for version negotiation.
The present document makes use of this extensibility to define a The present document makes use of this extensibility to define a
number of CBOR tags for typed arrays of numeric data, as well as two number of CBOR tags for typed arrays of numeric data, as well as two
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 22, 2019. This Internet-Draft will expire on February 15, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 14, line 5 skipping to change at page 13, line 17
The security considerations of RFC 7049 apply; special attention is The security considerations of RFC 7049 apply; special attention is
drawn to the second paragraph of Section 8 of RFC 7049. drawn to the second paragraph of Section 8 of RFC 7049.
The Tag for homogeneous arrays makes a promise about its tagged data The Tag for homogeneous arrays makes a promise about its tagged data
item that a maliciously constructed CBOR input can then choose to item that a maliciously constructed CBOR input can then choose to
ignore. As always, the decoder therefore has to ensure that it is ignore. As always, the decoder therefore has to ensure that it is
not driven into an undefined state by array elements that do not not driven into an undefined state by array elements that do not
fulfill the promise and that it does continue to fulfill its API fulfill the promise and that it does continue to fulfill its API
contract in this case as well. contract in this case as well.
As with all formats that are used for data interchange, an attacker
may have control over the shape of the data delivered as input to the
application, which therefore needs to validate that shape before it
makes it the basis of its further processing. One unique aspect that
typed arrays add to this is that an attacker might substitute a
Uint8ClampedArray for where the application expects a Uint8Array, or
vice versa, potentially leading to very different (and unexpected)
processing semantics of the in-memory data structures constructed.
Applications that could be affected by this therefore will need to be
careful about making this distinction in their input validation.
8. References 8. References
8.1. Normative References 8.1. Normative References
[IEEE754] IEEE, "IEEE Standard for Floating-Point Arithmetic", IEEE [IEEE754] IEEE, "IEEE Standard for Floating-Point Arithmetic", IEEE
Std 754-2008. Std 754-2008.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
 End of changes. 4 change blocks. 
4 lines changed or deleted 15 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/