<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Jul 15, 2014 at 1:59 PM, Bryan O'Sullivan <span dir="ltr"><<a href="mailto:bos@serpentine.com" target="_blank">bos@serpentine.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">
<div>Well, it was rather late to hear that you weren't going to upgrade attoparsec, too ;-)</div></div></div></div></blockquote><div><br></div><br class="">On Sun, Mar 30, 2014 at 1:06 PM, Mark Lentczner <span dir="ltr"><<a href="mailto:mark.lentczner@gmail.com" target="_blank">mark.lentczner@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">SO, In anticipation of releasing a HP shortly (1 month?) after GHC 7.8... I'd like to get going on nailing down package versions. </div>
</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><font face="courier new, monospace"> </font> </div>
</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><font face="courier new, monospace"> , incLib "attoparsec" "0.10.4.0"</font></div>
</blockquote><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra">
<div class="gmail_quote"><div>In brief, an attacker can DoS a user of attoparsec by handing them a floating point number with a sufficiently large exponent (e.g. 1e1000000000). This will cause it to try to create an Integer with the given number of digits, thus possibly OOMing a machine or crashing a process.</div>
</div></div></div></blockquote><div><br></div><div>But only if you use the Data.Atooparsec.Text parsers <font face="courier new, monospace">double</font>, <font face="courier new, monospace">number</font><font face="arial, helvetica, sans-serif">, and </font><font face="courier new, monospace">rational</font> parser, right?</div>
<div><br></div><div>- Mark</div><div><br></div><div><br></div></div></div></div>