Add security considerations

awwright · awwright · commit 69d7ed3089c5 · 2016-09-14T02:22:21.000-07:00
diff --git a/jsonschema-core.xml b/jsonschema-core.xml
@@ -644,6 +644,9 @@ Link: </alice>; rel="profile", </bob>; rel="profile"
                 Validators should take care that the parsing of schemas doesn't consume excessive system resources.
                 Validators MUST NOT fall into an infinite loop.
             </t>
+            <t>
+                Individual JSON Schema vocabularies are liable to also have their own security considerations. Consult the respective specifications for more information.
+            </t>
         </section>
 
         <section title="IANA Considerations">
diff --git a/jsonschema-schema.xml b/jsonschema-schema.xml
@@ -739,8 +739,13 @@
 
         <section title="Security considerations">
             <t>
-                JSON Schema validation does not have any additional security considerations than
-                those defined by the JSON Schema core specification.
+                JSON Schema validation defines a vocabulary for JSON Schema core and conserns all the security considerations listed there.
+            </t>
+            <t>
+                JSON Schema validation allows the use of Regular Expressions, which have numerous different (often incompatible) implementations.
+                Some implementations allow the embedding of arbritrary code, which is outside the scope of JSON Schema and MUST NOT be permitted.
+                Regular expressions can often also be crafted to be extremely expensive to compute (with so-called "catastrophic backtracking"),
+                resulting in a denial-of-service attack.
             </t>
         </section>
 
