parse_duration: `parse` DoS through payloads with big exponent by disconnect3d
source link: https://github.com/rustsec/advisory-db/pull/827
No description provided.
It looks like the directory the advisory is inside of doesn't match the package name, i.e.:
crates/parse_duration should be crates/parse-duration
changed the title from "parse_duration: `parse` denial of service through payloads with big exponent" to "parse-duration: `parse` DoS through payloads with big exponent"
It looks like the directory the advisory is inside of doesn't match the package name, i.e.:
crates/parse_duration should be crates/parse-duration
Fixed!
Oh whoops, my bad, it looks like the name on crates.io has an underscore: https://crates.io/crates/parse_duration
So: crates/parse-duration should be crates/parse_duration
Sorry about that
changed the title from "parse-duration: `parse` DoS through payloads with big exponent" to "parse_duration: `parse` DoS through payloads with big exponent"
Haha; fixed! :)
Oh whoops, my bad, it looks like the name on crates.io has an underscore: https://crates.io/crates/parse_duration
So: crates/parse-duration should be crates/parse_duration
Sorry about that
Hmm the linter says it should be parse-duration
If the crate developers want to report this, I don't see why not include this advisory.
If the crate developers want to report this, I don't see why not include this advisory.
Just to be clear: I am not the parse_duration crate developer. I found this issue independently, while someone else also reported it a year ago. There has been no response from the maintainer or fix since then. Anyway, I think making people aware of this issue by adding it to RustSec (and so e.g. cargo audit) may benefit projects who use or would use this crate.