On 2025-10-26 15:07, Jeff Epler wrote:
> It is possible to specify a date format string that will produce truly
> unreasonable amounts of output:

Whatever limit 'date' would impose, there'd be someone wanting to go over that limit. We won't impose an arbitrary limit like 255 for that reason. This is specified by the GNU Coding Standards[1].

PS. It's not a denial of service bug. One should not let an adversary specify an arbitrary 'date' format. Similarly, Python does not have a denial of service bug merely because a naive developer could let an adversary specify an arbitrary Python program.

[1]: https://www.gnu.org/prep/standards/html_node/Semantics.html


