diff options
| author | Roland Shoemaker <roland@golang.org> | 2025-06-26 12:19:23 -0700 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2025-06-27 13:38:47 -0700 |
| commit | 2a22aefa1f7befb0ac7a95c918b75b05919c1907 (patch) | |
| tree | 29f11769b584193614d6313dcdbae58d6e153b11 /src/encoding/json/decode.go | |
| parent | 742fda95246958076e439bbcf71fedda43a894bb (diff) | |
| download | go-2a22aefa1f7befb0ac7a95c918b75b05919c1907.tar.xz | |
encoding/json: add security section to doc
Add a section to the package doc which details the security
considerations of using encoding/json, in particular with respect to
parser misalignment issues.
Additionally, clarify previously ambiguous statement in the Unmarshal
doc about how case is used when matching keys in objects, and add a note
about how duplicate keys are handled.
Fixes #14750
Change-Id: I66f9b845efd98c86a684d7333b3aa8a456564922
Reviewed-on: https://go-review.googlesource.com/c/go/+/684315
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Joseph Tsai <joetsai@digital-static.net>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Diffstat (limited to 'src/encoding/json/decode.go')
| -rw-r--r-- | src/encoding/json/decode.go | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/src/encoding/json/decode.go b/src/encoding/json/decode.go index 4e195e0948..70885a517e 100644 --- a/src/encoding/json/decode.go +++ b/src/encoding/json/decode.go @@ -43,11 +43,14 @@ import ( // and the input is a JSON quoted string, Unmarshal calls // [encoding.TextUnmarshaler.UnmarshalText] with the unquoted form of the string. // -// To unmarshal JSON into a struct, Unmarshal matches incoming object -// keys to the keys used by [Marshal] (either the struct field name or its tag), -// preferring an exact match but also accepting a case-insensitive match. By -// default, object keys which don't have a corresponding struct field are -// ignored (see [Decoder.DisallowUnknownFields] for an alternative). +// To unmarshal JSON into a struct, Unmarshal matches incoming object keys to +// the keys used by [Marshal] (either the struct field name or its tag), +// ignoring case. If multiple struct fields match an object key, an exact case +// match is preferred over a case-insensitive one. +// +// Incoming object members are processed in the order observed. If an object +// includes duplicate keys, later duplicates will replace or be merged into +// prior values. // // To unmarshal JSON into an interface value, // Unmarshal stores one of these in the interface value: |