dépôts / lhc / web / wiklou.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a1f90c1)
Add some more missing limit parameters to explode() calls
authorThiemo Kreuz <thiemo.kreuz@wikimedia.de>
Tue, 26 Mar 2019 10:50:17 +0000 (11:50 +0100)
committerUmherirrender <umherirrender_de.wp@web.de>
Fri, 5 Apr 2019 14:34:39 +0000 (14:34 +0000)
I benchmarked this again. The runtime of an unlimited explode() can be
quite high. This is not really a DoS attack vector as it would require to
post megabytes worth of input to the code, which will hit many other
limits before. I still consider it good practice to use unlimited explode()
only when it is actually allowed to return an unlimited amount of elements.

Change-Id: I30f8ca5dba7b317bb4a046b9740fd736b4eea291

includes/MediaWiki.php patch | blob | history
includes/composer/ComposerVersionNormalizer.php patch | blob | history
includes/session/Session.php patch | blob | history

diff --git a/includes/MediaWiki.php b/includes/MediaWiki.php
index 24aca2e..990ed4e 100644 (file)
--- a/includes/MediaWiki.php
+++ b/includes/MediaWiki.php
@@ -935,7 +935,7 @@ class MediaWiki {
        ) {
                if ( $config->get( 'StatsdServer' ) && $stats->hasData() ) {
                        try {
-                               $statsdServer = explode( ':', $config->get( 'StatsdServer' ) );
+                               $statsdServer = explode( ':', $config->get( 'StatsdServer' ), 2 );
                                $statsdHost = $statsdServer[0];
                                $statsdPort = $statsdServer[1] ?? 8125;
                                $statsdSender = new SocketSender( $statsdHost, $statsdPort );
diff --git a/includes/composer/ComposerVersionNormalizer.php b/includes/composer/ComposerVersionNormalizer.php
index 52bc0cd..5071fdc 100644 (file)
--- a/includes/composer/ComposerVersionNormalizer.php
+++ b/includes/composer/ComposerVersionNormalizer.php
@@ -55,7 +55,7 @@ class ComposerVersionNormalizer {
                        $version = substr( $version, 0, $dashPosition );
                }
 
-               $version = implode( '.', array_pad( explode( '.', $version ), 4, '0' ) );
+               $version = implode( '.', array_pad( explode( '.', $version, 4 ), 4, '0' ) );
 
                if ( $dashPosition !== false ) {
                        $version .= $suffix;
diff --git a/includes/session/Session.php b/includes/session/Session.php
index 3dc8299..328958c 100644 (file)
--- a/includes/session/Session.php
+++ b/includes/session/Session.php
@@ -537,7 +537,7 @@ final class Session implements \Countable, \Iterator, \ArrayAccess {
                // Extension::OATHAuth.
 
                // Unseal and check
-               $pieces = explode( '.', $encrypted );
+               $pieces = explode( '.', $encrypted, 4 );
                if ( count( $pieces ) !== 3 ) {
                        $ex = new \Exception( 'Invalid sealed-secret format' );
                        $this->logger->warning( $ex->getMessage(), [ 'exception' => $ex ] );
Wiklou, le Wiki du Wiklou