On Tue, Jul 15, 2014 at 1:59 PM, Bryan O'Sullivan <b...@serpentine.com> wrote:
> Well, it was rather late to hear that you weren't going to upgrade
> attoparsec, too ;-)
> On Sun, Mar 30, 2014 at 1:06 PM, Mark Lentczner <mark.lentcz...@gmail.com> wrote:
> SO, In anticipation of releasing a HP shortly (1 month?) after GHC 7.8...
> I'd like to get going on nailing down package versions.
>
> , incLib "attoparsec" "0.10.4.0"
>
> In brief, an attacker can DoS a user of attoparsec by handing them a
> floating point number with a sufficiently large exponent (e.g.
> 1e1000000000). This will cause it to try to create an Integer with the
> given number of digits, thus possibly OOMing a machine or crashing a
> process.

But only if you use the Data.Attoparsec.Text parsers double, number, and rational, right?

- Mark
_______________________________________________
Haskell-platform mailing list
Haskell-platform@projects.haskell.org
http://projects.haskell.org/cgi-bin/mailman/listinfo/haskell-platform
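An added example, not part of the thread and not attoparsec's own code: one way for a caller to guard against the large-exponent input described above is to keep the coefficient and exponent apart and check the exponent before expanding it. The names `maxExponent`, `splitSci` and `toRationalBounded`, the limit of 1024 and the simplified number grammar are assumptions made for this sketch.

```haskell
-- Added example (not attoparsec code): refuse to expand 10^e into an
-- Integer when the exponent lies outside a fixed bound.
module Main (main) where

import Data.Char (isDigit)

-- Hypothetical limit chosen for this example.
maxExponent :: Integer
maxExponent = 1024

-- Read an optionally signed run of digits; cost is linear in input length.
signedInt :: String -> Maybe (Integer, String)
signedInt ('-' : xs) = fmap (\(n, r) -> (negate n, r)) (digits xs)
signedInt ('+' : xs) = digits xs
signedInt xs         = digits xs

digits :: String -> Maybe (Integer, String)
digits xs = case span isDigit xs of
  ([], _) -> Nothing
  (ds, r) -> Just (read ds, r)

-- Split "123e45" into (coefficient, exponent) without evaluating 10^e.
-- Constructed, simplified grammar: sign, digits, optional e/E exponent.
splitSci :: String -> Maybe (Integer, Integer)
splitSci s = do
  (c, rest) <- signedInt s
  case rest of
    [] -> Just (c, 0)
    (x : xs) | x `elem` "eE" -> do
      (e, rest') <- signedInt xs
      if null rest' then Just (c, e) else Nothing
    _ -> Nothing

-- Expand to a Rational only when the exponent is small enough to be cheap.
toRationalBounded :: String -> Either String Rational
toRationalBounded s = case splitSci s of
  Nothing -> Left "not a number"
  Just (c, e)
    | abs e > maxExponent -> Left "exponent out of range"
    | e >= 0              -> Right (fromInteger (c * 10 ^ e))
    | otherwise           -> Right (fromInteger c / fromInteger (10 ^ negate e))

-- Constructed sample inputs; the last is the value quoted in the thread.
main :: IO ()
main = mapM_ (print . toRationalBounded) ["15e2", "25e-1", "1e1000000000"]
```

Reading the exponent's digits costs time proportional to the input length, whereas evaluating `10 ^ e` allocates an Integer of roughly `e` digits, so the bound has to be checked between those two steps.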