[Git][ghc/ghc][master] base: Advertise linear time of readFloat
Marge Bot (@marge-bot)
gitlab at gitlab.haskell.org
Mon Sep 18 19:17:12 UTC 2023
Marge Bot pushed to branch master at Glasgow Haskell Compiler / GHC
Commits:
7ca0240e by Ben Gamari at 2023-09-18T15:16:48-04:00
base: Advertise linear time of readFloat
As noted in #23538, `readFloat` has runtime that scales nonlinearly in
the size of its input. Consequently, its use on untrusted input can
be exploited as a denial-of-service vector. Point this out and suggest
use of `read` instead.
See #23538.
- - - - -
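A defensive wrapper illustrating the mitigation the commit message describes. This is an added example, not code from the GHC commit or from `base`: it inspects the textual exponent of a literal before handing it to `readFloat`, so that an input such as `"1e100000000"` is rejected in time proportional to its length rather than its magnitude. The names `safeReadFloat`, `exponentOf` and the bound `maxExponent` (400, chosen here to cover the `Double` range) are assumptions of this example.

```haskell
-- Added example, not part of the GHC commit: bound the decimal exponent of
-- a literal before calling 'readFloat', whose cost grows with the magnitude
-- of the value rather than with the length of the text.
import Numeric (readFloat)
import Data.Char (isDigit)

-- | Largest absolute exponent we are willing to pass on to 'readFloat'.
-- Assumption of this example: 400 comfortably covers the 'Double' range.
maxExponent :: Int
maxExponent = 400

-- | Extract the signed exponent of a literal such as "12.5e+30".
-- Returns Nothing if the exponent is malformed or has more than four digits
-- (which would already exceed any sane bound, so we never even 'read' it).
exponentOf :: String -> Maybe Int
exponentOf s =
  case break (`elem` "eE") s of
    (_, "")     -> Just 0                      -- no exponent part at all
    (_, _:rest) ->
      let (sign, digits) = case rest of
            ('+':ds) -> (1, ds)
            ('-':ds) -> (-1, ds)
            ds       -> (1, ds)
      in if not (null digits) && all isDigit digits && length digits <= 4
           then Just (sign * read digits)
           else Nothing

-- | Parse an unsigned 'Double' with 'readFloat', refusing inputs whose
-- exponent would make 'readFloat' do work proportional to 10^exponent.
-- The guard runs in time linear in the length of the input string.
safeReadFloat :: String -> Either String Double
safeReadFloat s =
  case exponentOf s of
    Nothing -> Left "malformed or oversized exponent"
    Just e
      | abs e > maxExponent -> Left ("exponent " ++ show e ++ " exceeds bound")
      | otherwise ->
          case readFloat s of
            [(v, "")] -> Right v
            _         -> Left "not a complete floating-point literal"

main :: IO ()
main = do
  -- Constructed sample inputs: a benign literal, the commit's pathological
  -- literal (rejected without ever reaching 'readFloat'), and a literal with
  -- a short but still excessive exponent.
  print (safeReadFloat "2.5e3")
  print (safeReadFloat "1e100000000")
  print (safeReadFloat "1e9999")
  -- The 'read'-based path the commit recommends instead, for comparison.
  print (reads "1e100000000" :: [(Double, String)])
```

The guard only inspects the exponent; a literal with a very long mantissa costs `readFloat` time proportional to the number of digits, which is the same linear cost any parser pays, so no bound is imposed there. Calling `readFloat "1e100000000"` directly is deliberately not done in this example, since that is the case the commit warns about.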
1 changed file:
- libraries/base/Numeric.hs
Changes:
=====================================
libraries/base/Numeric.hs
=====================================
@@ -117,6 +117,14 @@ readHex = readP_to_S L.readHexP
-- | Reads an /unsigned/ 'RealFrac' value,
-- expressed in decimal scientific notation.
+--
+-- Note that this function takes time linear in the magnitude of its input
+-- which can scale exponentially with input size (e.g. @"1e100000000"@ is a
+-- very large number while having a very small textual form).
+-- For this reason, users should take care to avoid using this function on
+-- untrusted input. Users needing to parse floating point values
+-- (e.g. 'Float') are encouraged to instead use 'read', which does
+-- not suffer from this issue.
readFloat :: RealFrac a => ReadS a
readFloat = readP_to_S readFloatP
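Review bot: the new Haddock opens with "takes time linear in the magnitude of its input", which a reader scanning for a complexity bound will read as benign; the security point is that the cost is exponential in the length of the text, so suggest leading with that and keeping the magnitude wording as the explanation, e.g.
-- Note that this function takes time exponential in the length of its input:
-- the work is linear in the magnitude of the parsed value, which
-- @"1e100000000"@ makes enormous while the text stays short.
Also consider citing the tracking issue (#23538) in the comment itself, since the commit message references it but the documentation a user actually sees does not, and the same caveat applies to @readFloatP@, which @readFloat@ is a thin wrapper around, if that parser is documented separately.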
View it on GitLab: https://gitlab.haskell.org/ghc/ghc/-/commit/7ca0240e835353007c0c2e013570cc1d6fa5f4fb
--
You're receiving this email because of your account on gitlab.haskell.org.