Warning: Can't synchronize with repository "(default)" (Unsupported version control system "svn": No module named svn). Look in the Trac log for more information.

Ticket #2373 (closed defect: fixed)

Opened 9 years ago

Last modified 9 years ago

@expose('json') won't return lists

Reported by: seedifferently Owned by:
Priority: normal Milestone: 2.1a2
Component: TurboGears Version: 2.1a1
Severity: normal Keywords:


When you return a list in a method that is @expose('json'), you instead get a concatenated string.

Take this method for example:

    def list_test(self):
        l = []
        l.append({'one': 1})
        l.append({'two': 2})
        l.append({'three': 3})
        return l

I believe this should return:

[{"one": 1}, {"two": 2}, {"three": 3}]

but instead it returns:

{'one': 1}{'two': 2}{'three': 3}

Change History

comment:1 Changed 9 years ago by chrisz

This is a duplicate of #2034.

Actually, the standard behavior of TG (WSGI, CherryPy?) is to concatenate any sequenced output. But for JSON one might also expect that a list is return as a JSON array.

The ZEN of Python says "In the face of ambiguity, refuse the temptation to guess." So maybe instead of concatenating the list as strings, in the case of JSON we should actually raise an error starting with TG 2.1.

The error message should also mention the security issues involved with using top level JSON arrays, and recommend using a dict instead or setting a config switch to allow this (yet to be implemented).

Leaving this ticket open to collect opinions about that.

comment:2 Changed 9 years ago by seedifferently

Sorry about the dupe, I did a search before posting but missed that.

I would recommend the error approach if this usage is going to continue to be blocked. Despite the security concerns, returning top level JSON arrays happens frequently. Simply "stringifying" the output is only going to confuse people.

My $.02,


comment:3 Changed 9 years ago by percious

  • Status changed from new to closed
  • Resolution set to fixed

I believe this is fixed with the TJ->SJ fixes. Im closing. Feel free to re-open if need-be.

comment:4 Changed 9 years ago by seedifferently

  • Status changed from closed to reopened
  • Version changed from 2.0.1 to 2.1a1
  • Resolution fixed deleted
  • Milestone changed from 2.1a1 to 2.1a2


I just tested this in 2.1a1 and while it does return an error now, the error is not very helpful:

TypeError: sequence of string values expected, value of type dict found

To me, that message should be the other way around.

comment:5 Changed 9 years ago by percious

The reason we don't want to return lists from a controller object:  http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx

Also, anything that was not dict-like was formerly not being sent to the json renderer anyway, but this left us open to attack still because if you put a rendered list in the return object, it still rendered as a string, which still leaves you open to CRSF.

All this is fixed now.

comment:6 Changed 9 years ago by percious

  • Status changed from reopened to closed
  • Resolution set to fixed
Note: See TracTickets for help on using tickets.