Commit 661e2a1

1 parent bc90ce7 commit 661e2a1

1 file changed

Lines changed: 2 additions & 2 deletions

advisories/github-reviewed/2026/02/GHSA-r6v5-fh4h-64xc/GHSA-r6v5-fh4h-64xc.json

@@ -1,13 +1,13 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-r6v5-fh4h-64xc",
4-
"modified": "2026-02-06T21:43:22Z",
4+
"modified": "2026-02-23T22:34:23Z",
55
"published": "2026-02-05T17:57:55Z",
66
"aliases": [
77
"CVE-2026-25727"
88
],
99
"summary": "time vulnerable to stack exhaustion Denial of Service attack",
10-
"details": "### Impact\n\nWhen user-provided input is provided to any type that parses with the RFC 2822 format, a Denial of Service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario.\n\n### Patches\n\nA limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.\n\n### Workarounds\n\nLimiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of the stack consumed would be at most a factor of the length of the input.",
10+
"details": "### Impact\n\nWhen user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario.\n\n### Patches\n\nA limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.\n\n### Workarounds\n\nLimiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of the stack consumed would be at most a factor of the length of the input.\n\nAlternatively, avoiding the format altogether would also ensure that the vulnerability is not encountered. To do this, add\n\n```toml\ndisallowed-types = [\"time::format_description::well_known::Rfc2822\"]\n```\n\nto your `clippy.toml` file. This will trigger the `clippy::disallowed_types` lint, which is warn-by-default and can be explicitly denied.",
1111
"severity": [
1212
{
1313
"type": "CVSS_V4",
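Review bot: In the added `details` text at line 10, the new clippy workaround depends on a lint that the text itself describes as warn-by-default, so following the instructions as written only produces a warning and a build that still uses `Rfc2822` succeeds. Suggest making the deny part of the step rather than an aside, for example `#![deny(clippy::disallowed_types)]` at the crate root or `-D clippy::disallowed_types` in the CI clippy invocation, and noting that the lint flags the type only in code clippy is actually run on, so RFC 2822 parsing performed inside dependencies is not covered by it. It would also help to say that upgrading to v0.3.47 remains the fix and that both workarounds are for users who cannot upgrade. Minor: the hunk lowercases "Denial of Service" in `details`, while `summary` on line 9 keeps the capitalised form.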
