From: Thiemo Kreuz
Date: Tue, 26 Mar 2019 10:50:17 +0000 (+0100)
Subject: Add some more missing limit parameters to explode() calls
X-Git-Tag: 1.34.0-rc.0~2151
X-Git-Url: http://git.cyclocoop.org/?a=commitdiff_plain;h=31aeedb98a9f6afcbef2262abdda39cda9ea1090;p=lhc%2Fweb%2Fwiklou.git

Add some more missing limit parameters to explode() calls

I benchmarked this again. The runtime of an unlimited explode() can be quite high. This is not really a DoS attack vector as it would require to post megabytes worth of input to the code, which will hit many other limits before. I still consider it good practice to use unlimited explode() only when it is actually allowed to return an unlimited amount of elements.

Change-Id: I30f8ca5dba7b317bb4a046b9740fd736b4eea291
---
diff --git a/includes/MediaWiki.php b/includes/MediaWiki.php
index 24aca2ea7b..990ed4e358 100644
--- a/includes/MediaWiki.php
+++ b/includes/MediaWiki.php
@@ -935,7 +935,7 @@ class MediaWiki {
 ) {
 if ( $config->get( 'StatsdServer' ) && $stats->hasData() ) {
 try {
- $statsdServer = explode( ':', $config->get( 'StatsdServer' ) );
+ $statsdServer = explode( ':', $config->get( 'StatsdServer' ), 2 );
 $statsdHost = $statsdServer[0];
 $statsdPort = $statsdServer[1] ?? 8125;
 $statsdSender = new SocketSender( $statsdHost, $statsdPort );
diff --git a/includes/composer/ComposerVersionNormalizer.php b/includes/composer/ComposerVersionNormalizer.php
index 52bc0cd121..5071fdc808 100644
--- a/includes/composer/ComposerVersionNormalizer.php
+++ b/includes/composer/ComposerVersionNormalizer.php
@@ -55,7 +55,7 @@ class ComposerVersionNormalizer {
 $version = substr( $version, 0, $dashPosition );
 }
 
- $version = implode( '.', array_pad( explode( '.', $version ), 4, '0' ) );
+ $version = implode( '.', array_pad( explode( '.', $version, 4 ), 4, '0' ) );
 
 if ( $dashPosition !== false ) {
 $version .= $suffix;
diff --git a/includes/session/Session.php b/includes/session/Session.php
index 3dc8299be9..328958cf1b 100644
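Review bot: With the limit of 2, everything after the first colon of StatsdServer becomes `$statsdPort`, so a mistyped value such as `host:8125:x` (which the old unlimited split would have reduced to `8125`) now reaches SocketSender as the string `8125:x` with no check. This is operator configuration rather than user input, so the risk is a confusing failure rather than injection, but a guard before the SocketSender call would make it a clear error: `if ( !ctype_digit( (string)$statsdPort ) ) { throw new \UnexpectedValueException( 'Invalid StatsdServer port' ); }`, assuming the surrounding try/catch (which continues outside the hunk) logs what it catches. IPv6 literal hosts never worked with a `:` split and still do not, which is worth a comment on the expected `host:port` format if that is intentional. Note also that `$statsdPort` is a string when taken from config and an int when defaulted; whether SocketSender normalises that is not visible here.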
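Review bot: The `4` passed to explode() and the `4` passed to array_pad() on the new line are coupled and nothing says so: the explode limit keeps any extra dot-groups inside the last element, so implode() re-joins a five-group version unchanged, while the pad width fills short versions up to four groups. A one-line comment would keep the two numbers from drifting apart, e.g. `// Limit and pad width must match: extra groups stay in the 4th element and are re-joined unchanged.` The enclosing method starts and ends outside the hunk.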
--- a/includes/session/Session.php
+++ b/includes/session/Session.php
@@ -537,7 +537,7 @@ final class Session implements \Countable, \Iterator, \ArrayAccess {
 // Extension::OATHAuth.
 
 // Unseal and check
- $pieces = explode( '.', $encrypted );
+ $pieces = explode( '.', $encrypted, 4 );
 if ( count( $pieces ) !== 3 ) {
 $ex = new \Exception( 'Invalid sealed-secret format' );
 $this->logger->warning( $ex->getMessage(), [ 'exception' => $ex ] );
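Review bot: The limit of 4 rather than 3 on the new explode() call is what keeps the `count( $pieces ) !== 3` check effective: with a limit of 3 a sealed value carrying extra separators would fold the excess into the third piece and pass the format check, whereas 4 leaves a fourth element that the check rejects. That reasoning is not visible in the code and a later cleanup could easily "fix" the number to 3, which would silently weaken the format check on a secret-bearing value; I would add `// Limit 4, not 3: a value with extra separators must still fail the count check below.` above the call. The enclosing method starts and ends outside the hunk.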