response.json() fails when while(1); is in response body #4454
Comments
There are a lot of different anti-hijacking methods; for instance I've heard of
Hey @jessemcbride, thanks for starting the conversation on this. I was under the impression we'd discussed something along these lines before but can't find a ticket for reference. My general thoughts are that That said, if this is a common case for you, it's pretty easy to handle. You can do something like:

    import json
    import requests

    r = requests.get(url)
    # r.text is the decoded body; r.content is bytes on Python 3 and
    # cannot be stripped with a str argument
    json_content = json.loads(r.text.strip('while(1);'))

Since this is easily implemented by the user, and as @SethMichaelLarson noted there's more than just
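A more robust form of the workaround suggested above, added here as an example (it is not code from the requests project or from anyone in this thread): it removes the guard only when it really is a prefix of the body, accepts bytes or str, and shows the edge case where the str.strip() shortcut misbehaves. The prefix tuple, the helper names and the sample bodies are my own constructions.

```python
import json

# The prefix discussed in this issue; other providers use different guards,
# so the parser takes the accepted prefixes as a parameter.
WHILE_PREFIX = "while(1);"


def parse_guarded_json(body, prefixes=(WHILE_PREFIX,), encoding="utf-8"):
    """Parse a JSON body that may start with an anti-hijacking guard.

    `body` may be bytes (like Response.content) or str (like Response.text).
    Only a guard at the very start of the body is removed, so a JSON string
    value that merely contains "while(1);" is left untouched. A body that
    still does not parse raises ValueError, the same error Response.json()
    surfaces.
    """
    text = body.decode(encoding) if isinstance(body, bytes) else body
    text = text.lstrip()
    for prefix in prefixes:
        if text.startswith(prefix):
            text = text[len(prefix):]
            break
    return json.loads(text)


def naive_strip_parse(text):
    """The str.strip() shortcut from the thread, kept for comparison.

    strip() removes any of the characters 'w h i l e ( 1 ) ;' from both
    ends, not the literal prefix, so a body that begins or ends with one of
    those characters (for example a bare number) is mangled. Returns None
    when the stripped text no longer parses.
    """
    try:
        return json.loads(text.strip(WHILE_PREFIX))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample bodies, as a guarding provider might return them.
    guarded = b'while(1);{"user": "alice", "id": 7}'
    print(parse_guarded_json(guarded))             # {'user': 'alice', 'id': 7}
    print(parse_guarded_json('{"plain": true}'))   # {'plain': True}
    print(naive_strip_parse('while(1);{"a": 1}'))  # {'a': 1}
    print(naive_strip_parse("while(1);11"))        # None: strip() ate the digits
```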
@nateprewitt I think this might be the one you're looking for? #4291 (comment) In any case, I agree with your assessment. There are too many edge cases. It's a bummer that JavaScript presents such a vulnerability in the first place :(. Thank you for your feedback. We'll go ahead and manually patch our code to handle this. Before closing this, though, I wonder if there might be some way to document this as the intended behavior? A section on manually parsing tricky responses might do it. I'd be happy to submit a PR.
@jessemcbride It looks like our intro docs and the method's docstring specify that From some quick digging, it looks like Google and Facebook implement the stops as Unless another maintainer feels strongly this would be a needed addition, this is probably a better topic for a blog or simply a comment in this issue. Thanks again for getting the discussion going though!
In an effort to prevent JSON hijacking, some providers append while(1); before their JSON response. This doesn't appear to be filtered out by requests automatically, and the end result is a ValueError.

Expected Result

A JSON response of this form:

should properly translate to a Python dictionary when calling response.json():

Actual Result

response.json() results in an exception:

Reproduction Steps

System Information

FWIW, I'm not totally convinced that requests should be responsible for fixing this. I'd like to open that up for discussion, though, as we were surprised by the behavior.