Prevent string slicing inside char boundaries #1024
The failed CI run is unrelated to this PR.
Can you just explain why this fixes it? It's not obvious to me why we even get the incorrect boundaries in there.
The pattern in this module is that it takes the length of a possible match, say 5 bytes, and takes a slice of that length from the input (in bytes). The possible match and the slice are then compared case insensitively with the For just the comparison we don't care about proper character boundaries, but that means
Don't we know up front that the "possible match" is up to a valid character boundary?
Not with the way the code currently works. For example https://github.com/chronotope/chrono/blob/main/src/format/scan.rs#L167:

```rust
pub(super) fn short_or_long_weekday(s: &str) -> ParseResult<(&str, Weekday)> {
    // lowercased weekday names, minus first three chars
    static LONG_WEEKDAY_SUFFIXES: [&str; 7] =
        ["day", "sday", "nesday", "rsday", "day", "urday", "day"];

    let (mut s, weekday) = short_weekday(s)?;

    // tries to consume the suffix if possible
    let suffix = LONG_WEEKDAY_SUFFIXES[weekday.num_days_from_monday() as usize];
    if s.len() >= suffix.len() && equals(&s[..suffix.len()], suffix) {
        s = &s[suffix.len()..];
    }

    Ok((s, weekday))
}
```

This will take up to 7 times a slice out of
Thanks!
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [chrono](https://github.com/chronotope/chrono) | dependencies | patch | `0.4.24` -> `0.4.26` |

---

### Release Notes

<details>
<summary>chronotope/chrono</summary>

### [`v0.4.26`](https://github.com/chronotope/chrono/releases/tag/v0.4.26): 0.4.26

[Compare Source](chronotope/chrono@v0.4.25...v0.4.26)

The changes from [#807](chronotope/chrono#807) we merged for 0.4.25 unfortunately restricted parsing in a way that was incompatible with earlier 0.4.x releases. We reverted this in [#1113](chronotope/chrono#1113). A small amount of other changes were merged since.

- Update README ([#1111](chronotope/chrono#1111), thanks to [@pitdicker](https://github.com/pitdicker))
- Revert backport of [#807](chronotope/chrono#807) ([#1113](chronotope/chrono#1113), thanks to [@pitdicker](https://github.com/pitdicker))
- Update to 2021 edition ([#1109](chronotope/chrono#1109), thanks to [@tottoto](https://github.com/tottoto))
- Fix `DurationRound` panics from issue [#1010](chronotope/chrono#1010) ([#1093](chronotope/chrono#1093), thanks to [@pitdicker](https://github.com/pitdicker))
- tests: date path consolidate (branch 0.4.x) ([#1090](chronotope/chrono#1090), thanks to [@jtmoon79](https://github.com/jtmoon79))
- Parse tests nanosecond bare dot (branch 0.4.x) ([#1098](chronotope/chrono#1098), thanks to [@jtmoon79](https://github.com/jtmoon79))
- yamllint cleanup lint.yml test.yml ([#1102](chronotope/chrono#1102), thanks to [@jtmoon79](https://github.com/jtmoon79))
- Remove num-iter dependency ([#1107](chronotope/chrono#1107), thanks to [@tottoto](https://github.com/tottoto))

Thanks on behalf of the chrono team ([@djc](https://github.com/djc) and [@esheppa](https://github.com/esheppa)) to all contributors!

### [`v0.4.25`](https://github.com/chronotope/chrono/releases/tag/v0.4.25): 0.4.25

[Compare Source](chronotope/chrono@v0.4.24...v0.4.25)

Time for another maintenance release. This release bumps the MSRV to 1.56; given MSRV bumps in chrono's dependencies (notably for syn 2), we felt that it no longer made sense to support any older versions. Feedback welcome in our issue tracker!

##### Additions

- Bump the MSRV to 1.56 ([#1053](chronotope/chrono#1053))
- Apply comments from MSRV bump ([#1026](chronotope/chrono#1026), thanks to [@pitdicker](https://github.com/pitdicker))
- Remove num-integer dependency ([#1037](chronotope/chrono#1037), thanks to [@pitdicker](https://github.com/pitdicker))
- Add `NaiveDateTime::and_utc()` method ([#952](chronotope/chrono#952), thanks to [@klnusbaum](https://github.com/klnusbaum))
- derive `Hash` for most pub types that also derive `PartialEq` ([#938](chronotope/chrono#938), thanks to [@bruceg](https://github.com/bruceg))
- Add `parse_and_remainder()` methods ([#1011](chronotope/chrono#1011), thanks to [@pitdicker](https://github.com/pitdicker))
- Add `DateTime::fix_offset()` ([#1030](chronotope/chrono#1030), thanks to [@pitdicker](https://github.com/pitdicker))
- Add `#[track_caller]` to `LocalResult::unwrap` ([#1046](chronotope/chrono#1046), thanks to [@pitdicker](https://github.com/pitdicker))
- Add `#[must_use]` to some methods ([#1007](chronotope/chrono#1007), thanks to [@aceArt-GmbH](https://github.com/aceArt-GmbH))
- Implement `PartialOrd` for `Month` ([#999](chronotope/chrono#999), thanks to [@Munksgaard](https://github.com/Munksgaard))
- Add `impl From<NaiveDateTime> for NaiveDate` ([#1012](chronotope/chrono#1012), thanks to [@pezcore](https://github.com/pezcore))
- Extract timezone info from tzdata file on Android ([#978](chronotope/chrono#978), thanks to [@RumovZ](https://github.com/RumovZ))

##### Fixes

- Prevent string slicing inside char boundaries ([#1024](chronotope/chrono#1024), thanks to [@pitdicker](https://github.com/pitdicker))
- fix IsoWeek so that its flags are always correct ([#991](chronotope/chrono#991), thanks to [@moshevds](https://github.com/moshevds))
- Fix out-of-range panic in `NaiveWeek::last_day` ([#1070](chronotope/chrono#1070), thanks to [@pitdicker](https://github.com/pitdicker))
- Use correct offset in conversion from `Local` to `FixedOffset` ([#1041](chronotope/chrono#1041), thanks to [@pitdicker](https://github.com/pitdicker))
- Fix military timezones in RFC 2822 parsing ([#1013](chronotope/chrono#1013), thanks to [@pitdicker](https://github.com/pitdicker))
- Guard against overflow in NaiveDate::with_\*0 methods ([#1023](chronotope/chrono#1023), thanks to [@pitdicker](https://github.com/pitdicker))
- Fix panic in from_num_days_from_ce_opt ([#1052](chronotope/chrono#1052), thanks to [@pitdicker](https://github.com/pitdicker))

##### Refactoring

- Rely on std for getting local time offset ([#1072](chronotope/chrono#1072), thanks to [@pitdicker](https://github.com/pitdicker))
- Make functions in internals const ([#1043](chronotope/chrono#1043), thanks to [@pitdicker](https://github.com/pitdicker))
- Refactor windows module in `Local` ([#992](chronotope/chrono#992), thanks to [@nekevss](https://github.com/nekevss))
- Simplify from_timestamp_millis, from_timestamp_micros ([#1032](chronotope/chrono#1032), thanks to [@pitdicker](https://github.com/pitdicker))
- Backport [#983](chronotope/chrono#983) and [#1000](chronotope/chrono#1000) ([#1063](chronotope/chrono#1063), thanks to [@pitdicker](https://github.com/pitdicker))

##### Documentation

- Backport documentation improvements ([#1066](chronotope/chrono#1066), thanks to [@pitdicker](https://github.com/pitdicker))
- Add documentation for %Z quirk ([#1051](chronotope/chrono#1051), thanks to [@campbellcole](https://github.com/campbellcole))
- Add an example to Weekday ([#1019](chronotope/chrono#1019), thanks to [@pitdicker](https://github.com/pitdicker))

##### Internal improvements

- Gate test on `clock` feature ([#1061](chronotope/chrono#1061), thanks to [@pitdicker](https://github.com/pitdicker))
- CI: Also run tests with `--no-default-features` ([#1059](chronotope/chrono#1059), thanks to [@pitdicker](https://github.com/pitdicker))
- Prevent `bench_year_flags_from_year` from being optimized out ([#1034](chronotope/chrono#1034), thanks to [@pitdicker](https://github.com/pitdicker))
- Fix test_leap_second during DST transition ([#1064](chronotope/chrono#1064), thanks to [@pitdicker](https://github.com/pitdicker))
- Fix warnings when running tests on Windows ([#1038](chronotope/chrono#1038), thanks to [@pitdicker](https://github.com/pitdicker))
- Fix tests on AIX ([#1028](chronotope/chrono#1028), thanks to [@ecnelises](https://github.com/ecnelises))
- Fix doctest warnings, remove mention of deprecated methods from main doc ([#1081](chronotope/chrono#1081), thanks to [@pitdicker](https://github.com/pitdicker))
- Reformat `test_datetime_parse_from_str` ([#1078](chronotope/chrono#1078), thanks to [@pitdicker](https://github.com/pitdicker))
- GitHub yml shell `set -eux`, use bash ([#1103](chronotope/chrono#1103), thanks to [@jtmoon79](https://github.com/jtmoon79))
- test: explicitly set `LANG` to `c` in gnu `date` ([#1089](chronotope/chrono#1089), thanks to [@scarf005](https://github.com/scarf005))
- Switch test to `TryFrom` ([#1086](chronotope/chrono#1086), thanks to [@pitdicker](https://github.com/pitdicker))
- Add test for issue 551 ([#1020](chronotope/chrono#1020), thanks to [@pitdicker](https://github.com/pitdicker))
- RFC 2822 single-letter obsolete tests ([#1014](chronotope/chrono#1014), thanks to [@jtmoon79](https://github.com/jtmoon79))
- \[CI] Lint Windows target and documentation links ([#1062](chronotope/chrono#1062), thanks to [@pitdicker](https://github.com/pitdicker))
- add test_issue\_866 ([#1077](chronotope/chrono#1077), thanks to [@jtmoon79](https://github.com/jtmoon79))
- Remove AUTHORS metadata ([#1074](chronotope/chrono#1074))

On behalf of [@djc](https://github.com/djc) and [@esheppa](https://github.com/esheppa), thanks to all contributors!

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Co-authored-by: cabr2-bot <cabr2.help@gmail.com>
Reviewed-on: https://codeberg.org/Calciumdibromid/CaBr2/pulls/1909
Reviewed-by: crapStone <crapstone@noreply.codeberg.org>
Co-authored-by: Calciumdibromid Bot <cabr2_bot@noreply.codeberg.org>
Co-committed-by: Calciumdibromid Bot <cabr2_bot@noreply.codeberg.org>
This takes care of the problematic string slicing found in #1010 replay 4.
I believe all string slicing on arbitrary boundaries in this module now happens on `u8` slices.
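The pattern discussed in this thread, as an added example that is not chrono's code or the PR's diff: slicing a `&str` by a candidate's byte length panics when that offset lands inside a multi-byte character, while comparing on `u8` slices and slicing the `&str` only after a match does not. The function names and the input string are hypothetical and constructed for illustration.

```rust
use std::panic;

// Hypothetical stand-in for the module's case-insensitive comparison.
fn equals_ascii_ci(a: &[u8], b: &[u8]) -> bool {
    a.eq_ignore_ascii_case(b)
}

/// "Before" pattern: slices the &str by byte length before comparing.
/// Panics if `suffix.len()` falls inside a multi-byte character of `s`.
fn strip_suffix_str<'a>(s: &'a str, suffix: &str) -> &'a str {
    if s.len() >= suffix.len()
        && equals_ascii_ci(s[..suffix.len()].as_bytes(), suffix.as_bytes())
    {
        return &s[suffix.len()..];
    }
    s
}

/// Byte-slice pattern: compare on &[u8], slice the &str only after a match.
fn strip_suffix_bytes<'a>(s: &'a str, suffix: &str) -> &'a str {
    debug_assert!(suffix.is_ascii());
    let bytes = s.as_bytes();
    if bytes.len() >= suffix.len()
        && equals_ascii_ci(&bytes[..suffix.len()], suffix.as_bytes())
    {
        // The matched bytes are all ASCII, so suffix.len() is a char boundary.
        return &s[suffix.len()..];
    }
    s
}

/// Returns true if the closure panicked.
fn panics<F: FnOnce() -> R + panic::UnwindSafe, R>(f: F) -> bool {
    panic::catch_unwind(f).is_err()
}

fn main() {
    // Constructed input: 'd', 'a', then U+20AC (3 bytes), so byte 3 is mid-character.
    let hostile = "da\u{20AC} rest";
    println!("boundary at 3: {}", hostile.is_char_boundary(3));
    println!("str slicing panics: {}", panics(|| strip_suffix_str(hostile, "day")));
    println!("byte compare: {:?}", strip_suffix_bytes(hostile, "day"));
    println!("normal input: {:?}", strip_suffix_bytes("DAY, 1 Jan", "day"));
}
```

For any parser that accepts untrusted date strings, the first form is a denial-of-service condition: one malformed input unwinds or aborts the calling thread instead of returning a parse error.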