Warning: Can't synchronize with repository "(default)" (Unsupported version control system "svn": No module named svn). Look in the Trac log for more information.

Ticket #2373 (closed defect: fixed)

Opened 10 years ago

Last modified 10 years ago

@expose('json') won't return lists

Reported by: seedifferently Owned by:
Priority: normal Milestone: 2.1a2
Component: TurboGears Version: 2.1a1
Severity: normal Keywords:


When you return a list in a method that is @expose('json'), you instead get a concatenated string.

Take this method for example:

    def list_test(self):
        l = []
        l.append({'one': 1})
        l.append({'two': 2})
        l.append({'three': 3})
        return l

I believe this should return:

[{"one": 1}, {"two": 2}, {"three": 3}]

but instead it returns:

{'one': 1}{'two': 2}{'three': 3}

Change History

comment:1 Changed 10 years ago by chrisz

This is a duplicate of #2034.

Actually, the standard behavior of TG (WSGI, CherryPy?) is to concatenate any sequenced output. But for JSON one might also expect that a list is return as a JSON array.

The ZEN of Python says "In the face of ambiguity, refuse the temptation to guess." So maybe instead of concatenating the list as strings, in the case of JSON we should actually raise an error starting with TG 2.1.

The error message should also mention the security issues involved with using top level JSON arrays, and recommend using a dict instead or setting a config switch to allow this (yet to be implemented).

Leaving this ticket open to collect opinions about that.

comment:2 Changed 10 years ago by seedifferently

Sorry about the dupe, I did a search before posting but missed that.

I would recommend the error approach if this usage is going to continue to be blocked. Despite the security concerns, returning top level JSON arrays happens frequently. Simply "stringifying" the output is only going to confuse people.

My $.02,


comment:3 Changed 10 years ago by percious

  • Status changed from new to closed
  • Resolution set to fixed

I believe this is fixed with the TJ->SJ fixes. Im closing. Feel free to re-open if need-be.

comment:4 Changed 10 years ago by seedifferently

  • Status changed from closed to reopened
  • Version changed from 2.0.1 to 2.1a1
  • Resolution fixed deleted
  • Milestone changed from 2.1a1 to 2.1a2


I just tested this in 2.1a1 and while it does return an error now, the error is not very helpful:

TypeError: sequence of string values expected, value of type dict found

To me, that message should be the other way around.

comment:5 Changed 10 years ago by percious

The reason we don't want to return lists from a controller object:  http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx

Also, anything that was not dict-like was formerly not being sent to the json renderer anyway, but this left us open to attack still because if you put a rendered list in the return object, it still rendered as a string, which still leaves you open to CRSF.

All this is fixed now.

comment:6 Changed 10 years ago by percious

  • Status changed from reopened to closed
  • Resolution set to fixed
Note: See TracTickets for help on using tickets.