ZF-5437: isDate potentially unsafe

Issue Type: Performance Improvement
Created: 2009-01-09T07:29:16.000+0000
Last Updated: 2009-02-06T09:42:56.000+0000
Status: Resolved
Fix version(s): 1.8.0 (30/Apr/09)

Reporter: Jan Gorman (polygraf)
Assignee: Thomas Weidner (thomas)
Tags: Zend_Date



The use of Date::isDate() can potentially lead to a DoS attack on a site where dates are validated using Zend_Validate_Date. Consider the following example:

$formElement->addValidator( new Zend_Validate_Date( 'DD.MM.YYYY', new Zend_Locale( 'de_DE' ) ) );

User input such as 12.12.123123123 (basically anything really far in the future) will send CPU usage to 100%.

Maybe the function should have some kind of sensible bounds built in or at least the documentation should make users aware of this.
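
The kind of bound suggested above can also be enforced by the caller before the value reaches the date validator. The following is an added example, not code from the report or from the r13997 fix; the function name `isBoundedGermanDate` and the 1900-2100 year range are assumptions chosen for illustration.

```php
<?php
// Added example (not Zend Framework code). Function name and bounds are assumptions.

/**
 * Cheap pre-check for 'DD.MM.YYYY' input, intended to run before any
 * locale-aware date parser so that oversized years never reach it.
 */
function isBoundedGermanDate(string $input, int $minYear = 1900, int $maxYear = 2100): bool
{
    // Reject anything longer than "DD.MM.YYYY" before doing further work on it.
    if (strlen($input) > 10) {
        return false;
    }
    // Anchored pattern: 1-2 digit day and month, exactly 4 digit year.
    if (!preg_match('/\A(\d{1,2})\.(\d{1,2})\.(\d{4})\z/', $input, $m)) {
        return false;
    }
    [$day, $month, $year] = [(int) $m[1], (int) $m[2], (int) $m[3]];
    // Application-defined range; anything outside it is refused outright.
    if ($year < $minYear || $year > $maxYear) {
        return false;
    }
    // checkdate() handles month lengths and leap years without iterating over years.
    return checkdate($month, $day, $year);
}

// Constructed sample inputs; the second is the value quoted in the report.
$samples = ['12.12.2009', '12.12.123123123', '31.02.2009', '29.02.2008', '12.12.9999'];
foreach ($samples as $s) {
    printf("%-16s %s\n", $s, isBoundedGermanDate($s) ? 'accept' : 'reject');
}
```

Only input that passes this check would then be handed to the locale-aware validator.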


Posted by Dolf Schimmel (Freeaqingme) (freak) on 2009-01-09T15:47:49.000+0000

Could be just me, but doesn't this go for all resource-intensive 'scripts' (sorry Thomas)? If more resources than available are requested on purpose, a server is considered under attack. I can't see how this specifically relates to Zend_Date (or the Zend Framework in general).

Posted by Thomas Weidner (thomas) on 2009-02-06T09:42:56.000+0000

Fixed with r13997
