CVE-2018-1000656 - JSON data encoding vulnerability

[messa]

I've found out there was a vulnerability reported in Flask: CVE-2018-1000656

I don't know the details (could not find any exploit), but in Flask it was fixed by accepting JSON POST data only in UTF-* charset.

Perhaps aiohttp has the same issue? It looks like JSON decoding just takes whatever charset is provided in request Content-Type header.

[aio-libs-bot]

GitMate.io thinks the contributor most likely able to help you is @asvetlov.

Possibly related issues are #2467 (XSS Vulnerability), #815 (r.json() ), #2497 (ClientSession keep transferring data after closed), #487 (Issue with mailgun routed data?), and #1600 (aiohttp for long data processing).

[asvetlov]

I don't see how Flask issue is related to aiohttp.
Please feel free to create a new issue if you'll find a real use case (more detailed vulnerability report is necessary).

[lock]

This thread has been automatically locked since there has not been
any recent activity after it was closed. Please open a new issue for
related bugs.

If you feel like there's important points made in this discussion,
please include those exceprts into that new issue.