[Git][ghc/ghc][master] base: Advertise linear time of readFloat

Marge Bot (@marge-bot) gitlab at gitlab.haskell.org
Mon Sep 18 19:17:12 UTC 2023



Marge Bot pushed to branch master at Glasgow Haskell Compiler / GHC


Commits:
7ca0240e by Ben Gamari at 2023-09-18T15:16:48-04:00
base: Advertise linear time of readFloat

As noted in #23538, `readFloat` has runtime that scales nonlinearly in
the size of its input. Consequently, its use on untrusted input can
be exploited as a denial-of-service vector. Point this out and suggest
use of `read` instead.

See #23538.

- - - - -


1 changed file:

- libraries/base/Numeric.hs


Changes:

=====================================
libraries/base/Numeric.hs
=====================================
@@ -117,6 +117,14 @@ readHex = readP_to_S L.readHexP
 
 -- | Reads an /unsigned/ 'RealFrac' value,
 -- expressed in decimal scientific notation.
+--
+-- Note that this function takes time linear in the magnitude of its input
+-- which can scale exponentially with input size (e.g. @"1e100000000"@ is a
+-- very large number while having a very small textual form).
+-- For this reason, users should take care to avoid using this function on
+-- untrusted input. Users needing to parse floating point values
+-- (e.g. 'Float') are encouraged to instead use 'read', which does
+-- not suffer from this issue.
 readFloat :: RealFrac a => ReadS a
 readFloat = readP_to_S readFloatP
 
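Review bot: the `read` recommendation in the new Haddock note does not quite match the signature that follows it: `readFloat :: RealFrac a => ReadS a` accepts any `RealFrac`, while `read` also needs a `Read` instance, so the note should say the advice applies to types such as 'Float' and 'Double' that have one (or mention the `Read` requirement explicitly). It would also help to cite #23538 in the comment itself so readers of the generated docs can find the discussion, and `-- Note that this function takes time linear in the magnitude of its input` / `-- which can scale exponentially with input size` reads more clearly with a comma before "which".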



View it on GitLab: https://gitlab.haskell.org/ghc/ghc/-/commit/7ca0240e835353007c0c2e013570cc1d6fa5f4fb



