Tighten restrictions on float decoding #171
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
April 26, 2016 13:37
ParseFloat() accepts strings that contain digits with a single 'e' character somewhere in the middle as valid floats. The YAML spec does not accept these. This causes problems especially when dealing with short commit hashes, e.g. `123456e1` This regex isn't exactly the same as the YAML spec. It continues to allow decimals like `0.1` to be parsed as floats.
|
Signed the individual agreement as we don't have an org-wide one set up. |
|
@niemeyer Just wanted to ping you on this, I realized that I edited the comment but that may not have generated a new notification. |
|
Could really use this. It prevents yaml generated from other languages from being consumed by Go. |
|
@niemeyer Since the license changed, should I close and resubmit this PR? I'm fine with my change being Apache 2 licensed, so I can also leave it as is. |
|
Thanks, and sorry for the long delay. |
im-kulikov
pushed a commit
to im-kulikov/yaml
that referenced
this pull request
Jan 5, 2018
ParseFloat() accepts strings that contain digits with a single 'e' character somewhere in the middle as valid floats. The YAML spec does not accept these. This causes problems especially when dealing with short commit hashes, e.g. `123456e1`
laszlocph
added a commit
to laszlocph/yaml
that referenced
this pull request
Nov 14, 2019
* v/fix-for-issue-91: (40 commits) Add test cases from go-yaml#184 Fix for issue go-yaml#91 Fixes go-yaml#214 - New option to allow setting strict boolean mode Fix for issue go-yaml#144 Always use the pointer mechanism, but only allow recursion per option Applied API changes as suggested in another PR and fixed outstanding problems Removed introduced shadowing bug Make aliases share the same memory address as the anchor ( go-yaml#215 ) Replace LICENSE text with actual license (go-yaml#274) Make tag scanning code slightly cleaner. move embedded struct example into godoc Add UnmarshalStrict returning error if yaml has fields that do not exist in structure correct misspell on yamlh.go fix misspell on emmiterc.go Remove unreachable code to fix go vet (go-yaml#249) Fix dead URL for yaml specification (go-yaml#240) Tighten restrictions on float decoding (go-yaml#171) Fix decode test for Go 1.8 (go-yaml#217) Fix unmarshaler handling of empty strings. new license in the README file (go-yaml#189) ...
thaJeztah
added a commit
to thaJeztah/yaml
that referenced
this pull request
Nov 28, 2019
full diff: go-yaml/yaml@v2.2.2...v2.2.7 includes: - go-yaml/yaml@caeefd8 addresses CVE-2019-11253 JSON/YAML parsing vulnerable to resource exhaustion attack - go-yaml/yaml#171 Tighten restrictions on float decoding - go-yaml/yaml#515 Add large document benchmarks, tune alias heuristic, add max depth limits - go-yaml/yaml@f90ceb4 fixes go-yaml/yaml#529 yaml.Unmarshal crashes on "assignment to entry in nil map" - go-yaml/yaml#543 Port stale simple_keys fix to v2 - go-yaml/yaml@1f64d61 fixes go-yaml/yaml#548 Invalid simple_keys now cause panics later in decode Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/yaml
that referenced
this pull request
Nov 28, 2019
full diff: go-yaml/yaml@v2.2.2...v2.2.7 includes: - go-yaml/yaml@caeefd8 addresses CVE-2019-11253 JSON/YAML parsing vulnerable to resource exhaustion attack - go-yaml/yaml#171 Tighten restrictions on float decoding - go-yaml/yaml#515 Add large document benchmarks, tune alias heuristic, add max depth limits - go-yaml/yaml@f90ceb4 fixes go-yaml/yaml#529 yaml.Unmarshal crashes on "assignment to entry in nil map" - go-yaml/yaml#543 Port stale simple_keys fix to v2 - go-yaml/yaml@1f64d61 fixes go-yaml/yaml#548 Invalid simple_keys now cause panics later in decode Signed-off-by: Sebastiaan van Stijn <[email protected]>
pivotaljohn
pushed a commit
to carvel-dev/ytt
that referenced
this pull request
Sep 4, 2021
The regular expression is copy & pasted form the one in the spec. The change suggested in go-yaml/yaml#171 and integrated was improper. Closes go-yaml/yaml#290 (cherry-pick of go-yaml/yaml@7b8349a) Signed-off-by: John Ryan <[email protected]>
cppforlife
added a commit
to carvel-dev/ytt
that referenced
this pull request
Sep 9, 2021
Parse floats correctly and fix mistake from go-yaml/yaml#171
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The Golang checks for floats are more permissive than the YAML spec, causing problems when reading in commit hashes (strings) that are occasionally confused with floats. This change also matches the Ruby and Python implementations' behaviour.