I benchmarked this again. The runtime of an unlimited explode() can be
quite high. This is not really a DoS attack vector as it would require posting
post megabytes worth of input to the code, which will hit many other
limits before. I still consider it good practice to use unlimited explode()
only when it is actually allowed to return an unlimited amount of elements.
Change-Id: I30f8ca5dba7b317bb4a046b9740fd736b4eea291
) {
if ( $config->get( 'StatsdServer' ) && $stats->hasData() ) {
try {
- $statsdServer = explode( ':', $config->get( 'StatsdServer' ) );
+ $statsdServer = explode( ':', $config->get( 'StatsdServer' ), 2 );
$statsdHost = $statsdServer[0];
$statsdPort = $statsdServer[1] ?? 8125;
$statsdSender = new SocketSender( $statsdHost, $statsdPort );
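Review bot: with the limit of 2 on the explode() line, everything after the first ':' now ends up in $statsdServer[1], so a configured value containing a second colon (an IPv6 literal, or a stray suffix) reaches new SocketSender( $statsdHost, $statsdPort ) as a non-numeric port string, where the old code passed only the second piece. Consider checking that $statsdPort is numeric, or casting it to int, before constructing the sender.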
$version = substr( $version, 0, $dashPosition );
}
- $version = implode( '.', array_pad( explode( '.', $version ), 4, '0' ) );
+ $version = implode( '.', array_pad( explode( '.', $version, 4 ), 4, '0' ) );
if ( $dashPosition !== false ) {
$version .= $suffix;
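Review bot: on the changed line, explode( '.', $version, 4 ) keeps any fifth and later components joined inside the last element, so the implode() result for a version with more than four parts is the same as before and nothing is truncated. A short comment saying the limit only bounds the array size, and does not normalise the version to four components, would keep a later reader from assuming otherwise.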
// Extension::OATHAuth.
// Unseal and check
- $pieces = explode( '.', $encrypted );
+ $pieces = explode( '.', $encrypted, 4 );
if ( count( $pieces ) !== 3 ) {
$ex = new \Exception( 'Invalid sealed-secret format' );
$this->logger->warning( $ex->getMessage(), [ 'exception' => $ex ] );
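Review bot: the limit of 4 on explode( '.', $encrypted, 4 ) next to count( $pieces ) !== 3 reads like a mismatch but is required: a limit of 3 would fold any extra '.'-separated parts into the third piece and let malformed input pass the count check. Add a comment stating that the limit is deliberately one more than the expected piece count, so it is not later "corrected" to 3.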