ZF-5437: isDate potentially unsafe
Description
The use of {{Date::isDate()}} can potentially lead to a DoS attack on a site where dates are validated using {{Zend_Validate_Date}}. Consider the following example:
{{$formElement->addValidator( new Zend_Validate_Date( 'DD.MM.YYYY', new Zend_Locale( 'de_DE' ) ) );}}
User input such as {{12.12.123123123}} (basically anything really far in the future) will send CPU usage to 100%.
Maybe the function should have some kind of sensible bounds built in or at least the documentation should make users aware of this.
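The bounds the report asks for can also be enforced by the application until the framework fix lands. The following wrapper is an added example and not Zend Framework code; it assumes the ZF 1.x {{Zend_Validate_Abstract}} API ({{_setValue()}}, {{_error()}}, {{$_messageTemplates}}) and a format such as {{DD.MM.YYYY}} in which the year is the last group of digits.

```php
<?php
// Added example (not ZF code). Assumes Zend Framework 1.x on the include path.
require_once 'Zend/Validate/Date.php';
require_once 'Zend/Locale.php';

/**
 * Rejects years outside a sane window *before* delegating to
 * Zend_Validate_Date, so inputs like 12.12.123123123 never reach the
 * expensive Zend_Date::isDate() path described in the report.
 * Assumption: the year is the last run of digits in the value (e.g. DD.MM.YYYY).
 */
class BoundedDateValidator extends Zend_Validate_Abstract
{
    const YEAR_OUT_OF_RANGE = 'yearOutOfRange';

    protected $_messageTemplates = array(
        self::YEAR_OUT_OF_RANGE => "'%value%' has a year outside the accepted range",
    );

    private $_inner;
    private $_minYear;
    private $_maxYear;

    public function __construct($format, $locale, $minYear = 1900, $maxYear = 2100)
    {
        $this->_inner   = new Zend_Validate_Date($format, $locale);
        $this->_minYear = (int) $minYear;
        $this->_maxYear = (int) $maxYear;
    }

    public function isValid($value)
    {
        $this->_setValue($value);
        // Cheap pre-check on the raw string: no date parsing happens here.
        if (!preg_match('/(\d+)\s*$/', (string) $value, $m)
            || strlen($m[1]) > 4                 // reject by digit count first
            || (int) $m[1] < $this->_minYear
            || (int) $m[1] > $this->_maxYear) {
            $this->_error(self::YEAR_OUT_OF_RANGE);
            return false;
        }
        // Only well-bounded input reaches the real, locale-aware validator.
        if (!$this->_inner->isValid($value)) {
            $this->_messages = $this->_inner->getMessages();
            return false;
        }
        return true;
    }
}

// Constructed usage: the report's input is rejected without touching Zend_Date.
$validator = new BoundedDateValidator('DD.MM.YYYY', new Zend_Locale('de_DE'));
var_dump($validator->isValid('12.12.123123123'));
var_dump($validator->isValid('12.12.2009'));
```

The same object can be passed to {{$formElement->addValidator()}} in place of the bare {{Zend_Validate_Date}} from the example above.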
Comments
Posted by Dolf Schimmel (Freeaqingme) (freak) on 2009-01-09T15:47:49.000+0000
Could be just me, but doesn't this go for all resource-intensive 'scripts' (sorry Thomas)? If more resources than available are requested on purpose, a server is considered under attack. I can't see how this specifically relates to Zend_Date (or the Zend Framework in general).
Posted by Thomas Weidner (thomas) on 2009-02-06T09:42:56.000+0000
Fixed with r13997