Index: ext/misc/json1.c ================================================================== --- ext/misc/json1.c +++ ext/misc/json1.c @@ -783,11 +783,11 @@ /* Parse string */ u8 jnFlags = 0; j = i+1; for(;;){ c = z[j]; - if( c==0 ) return -1; + if( c<=0x1f ) return -1; /* Control characters not allowed in strings */ if( c=='\\' ){ c = z[++j]; if( c=='"' || c=='\\' || c=='/' || c=='b' || c=='f' || c=='n' || c=='r' || c=='t' || (c=='u' && jsonIs4Hex(z+j+1)) ){ Index: test/json102.test ================================================================== --- test/json102.test +++ test/json102.test @@ -316,7 +316,18 @@ do_execsql_test json102-1408 { SELECT json_valid('{"x":-0.0000}') } 1 do_execsql_test json102-1409 { SELECT json_valid('{"x":01.5}') } 0 do_execsql_test json102-1410 { SELECT json_valid('{"x":-01.5}') } 0 do_execsql_test json102-1411 { SELECT json_valid('{"x":00}') } 0 do_execsql_test json102-1412 { SELECT json_valid('{"x":-00}') } 0 + +#------------------------------------------------------------------------ +# 2017-04-10 ticket 6c9b5514077fed34551f98e64c09a10dc2fc8e16 +# JSON extension accepts strings containing control characters. +# +# The JSON spec requires that all control characters be escaped. +# +do_execsql_test json102-1500 { + WITH RECURSIVE c(x) AS (VALUES(1) UNION ALL SELECT x+1 FROM c WHERE x<0x20) + SELECT x FROM c WHERE json_valid(printf('{"a":"x%sz"}', char(x))) ORDER BY x; +} {32} finish_test