ZF-5437: isDate potentially unsafe


The use of {{Date::isDate()}} can potentially lead to a DOS attack on a site where dates are validated using {{Zend_Validate_Date}}, consider the following example:

{{$formElement->addValidator( new Zend_Validate_Date( 'DD.MM.YYYY', new Zend_Locale( 'de_DE' ) );}}

User Input such as {{12.12.123123123}} (basically anything really far in the future) will send CPU usage to 100%

Maybe the function should have some kind of sensible bounds built in or at least the documentation should make users aware of this.


Could be just me, but doesn't this go for all resource-intensive 'scripts' (sorry Thomas)? If more resources than available are requested on purpose, a server is considered under attack. I can't see how this specifically relates to Zend_Date (or the Zend Framework in general).

Fixed with r13997