Patch 2

.github/workflows/build-docker-image.yml

@@ -53,7 +53,7 @@ jobs:
         run: echo NAME=$(echo "${GITHUB_REPOSITORY,,}") >> $GITHUB_OUTPUT
 
       - name: Build image for tag
-        uses: docker/build-push-action@v6.13.0
+        uses: docker/build-push-action@v6.15.0
         with:
           push: true
           context: ./pocketmine-mp
@@ -66,7 +66,7 @@ jobs:
 
       - name: Build image for major tag
         if: steps.channel.outputs.CHANNEL == 'stable'
-        uses: docker/build-push-action@v6.13.0
+        uses: docker/build-push-action@v6.15.0
         with:
           push: true
           context: ./pocketmine-mp
@@ -79,7 +79,7 @@ jobs:
 
       - name: Build image for minor tag
         if: steps.channel.outputs.CHANNEL == 'stable'
-        uses: docker/build-push-action@v6.13.0
+        uses: docker/build-push-action@v6.15.0
         with:
           push: true
           context: ./pocketmine-mp
@@ -92,7 +92,7 @@ jobs:
 
       - name: Build image for latest tag
         if: steps.channel.outputs.CHANNEL == 'stable'
-        uses: docker/build-push-action@v6.13.0
+        uses: docker/build-push-action@v6.15.0
         with:
           push: true
           context: ./pocketmine-mp

.github/workflows/draft-release.yml

@@ -165,7 +165,7 @@ jobs:
             ${{ github.workspace }}/core-permissions.rst
 
       - name: Create draft release
-        uses: ncipollo/release-action@v1.15.0
+        uses: ncipollo/release-action@v1.16.0
         id: create-draft
         with:
           artifacts: ${{ github.workspace }}/PocketMine-MP.phar,${{ github.workspace }}/start.*,${{ github.workspace }}/build_info.json,${{ github.workspace }}/core-permissions.rst
@@ -182,6 +182,8 @@ jobs:
 
             :information_source: Download the recommended PHP binary [here](${{ steps.php-binary-url.outputs.PHP_BINARY_URL }}).
 
+            :warning: Found a bug? Report it on our [issue tracker](${{ github.server_url }}/${{ github.repository }}/issues). **We can't fix bugs if you don't report them.**
+
       - name: Post draft release URL on PR
         if: github.event_name == 'pull_request_target'
         uses: thollander/actions-comment-pull-request@v3

build/dump-version-info.php

@@ -36,7 +36,7 @@
  */
 $options = [
 	"base_version" => VersionInfo::BASE_VERSION,
-	"major_version" => fn() => explode(".", VersionInfo::BASE_VERSION)[0],
+	"major_version" => fn() => explode(".", VersionInfo::BASE_VERSION, limit: 2)[0],
 	"mcpe_version" => ProtocolInfo::MINECRAFT_VERSION_NETWORK,
 	"is_dev" => VersionInfo::IS_DEVELOPMENT_BUILD,
 	"changelog_file_name" => function() : string{

changelogs/5.25.md

@@ -53,3 +53,17 @@ It also allows creating new collapsible groups of items, and modifying or removi
 - `BedrockDataFiles` now includes constants for folders at the top level of `BedrockData` as well as files.
 - The structure of creative data in `BedrockData` was changed to accommodate item category and grouping information. `creativeitems.json` has been replaced by `creative/*.json`, which contain information about item grouping and also segregates item lists per category.
 - New information was added to `required_item_list.json` in `BedrockData`, as the server is now required to send item component NBT data in some cases.
+
+# 5.25.1
+Released 26th February 2025.
+
+## Fixes
+- Fixed confusing exception message when a block-breaking tool has an efficiency value of zero.
+- Fixed incorrect facing of doors since 1.21.60 (resulted in mismatched AABBs between client & server, rendering glitches etc.)
+- Resource pack UUIDs are now validated on load. Previously, invalid UUIDs would be accepted, and potentially cause a server crash on player join.
+
+# 5.25.2
+Released 4th March 2025.
+
+## Fixes
+- Added limits to various `explode()` calls.

phpstan.neon.dist

@@ -13,6 +13,7 @@ rules:
 	- pocketmine\phpstan\rules\DeprecatedLegacyEnumAccessRule
 	- pocketmine\phpstan\rules\DisallowEnumComparisonRule
 	- pocketmine\phpstan\rules\DisallowForeachByReferenceRule
+	- pocketmine\phpstan\rules\ExplodeLimitRule
 	- pocketmine\phpstan\rules\UnsafeForeachArrayOfStringRule
 #	- pocketmine\phpstan\rules\ThreadedSupportedTypesRule
 

src/PocketMine.php

@@ -264,7 +264,7 @@ function server(){
 		$composerGitHash = InstalledVersions::getReference('pocketmine/pocketmine-mp');
 		if($composerGitHash !== null){
 			//we can't verify dependency versions if we were installed without using git
-			$currentGitHash = explode("-", VersionInfo::GIT_HASH())[0];
+			$currentGitHash = explode("-", VersionInfo::GIT_HASH(), 2)[0];
 			if($currentGitHash !== $composerGitHash){
 				critical_error("Composer dependencies and/or autoloader are out of sync.");
 				critical_error("- Current revision is $currentGitHash");

src/VersionInfo.php

@@ -32,7 +32,7 @@
 final class VersionInfo{
 	public const NAME = "STCraft-MP";
 	public const BASE_VERSION = "5.25.1";
-	public const IS_DEVELOPMENT_BUILD = true;
+	public const IS_DEVELOPMENT_BUILD = false;
 	public const BUILD_CHANNEL = "stable";
 
 	/**

src/block/tile/Sign.php

@@ -62,9 +62,10 @@ class Sign extends Spawnable{
 
 	/**
 	 * @return string[]
+	 * @deprecated
 	 */
 	public static function fixTextBlob(string $blob) : array{
-		return array_slice(array_pad(explode("\n", $blob), 4, ""), 0, 4);
+		return array_slice(array_pad(explode("\n", $blob, limit: 5), 4, ""), 0, 4);
 	}
 
 	protected SignText $text;

src/block/utils/SignText.php

@@ -79,7 +79,7 @@ public function __construct(?array $lines = null, ?Color $baseColor = null, bool
 	 * @throws \InvalidArgumentException if the text is not valid UTF-8
 	 */
 	public static function fromBlob(string $blob, ?Color $baseColor = null, bool $glowing = false) : SignText{
-		return new self(array_slice(array_pad(explode("\n", $blob), self::LINE_COUNT, ""), 0, self::LINE_COUNT), $baseColor, $glowing);
+		return new self(array_slice(array_pad(explode("\n", $blob, limit: self::LINE_COUNT + 1), self::LINE_COUNT, ""), 0, self::LINE_COUNT), $baseColor, $glowing);
 	}
 
 	/**

src/command/Command.php

@@ -37,6 +37,7 @@
 use function explode;
 use function implode;
 use function str_replace;
+use const PHP_INT_MAX;
 
 abstract class Command{
 
@@ -113,7 +114,7 @@ public function setPermissions(array $permissions) : void{
 	}
 
 	public function setPermission(?string $permission) : void{
-		$this->setPermissions($permission === null ? [] : explode(";", $permission));
+		$this->setPermissions($permission === null ? [] : explode(";", $permission, limit: PHP_INT_MAX));
 	}
 
 	public function testPermission(CommandSender $target, ?string $permission = null) : bool{

src/command/defaults/HelpCommand.php

@@ -39,6 +39,7 @@
 use function min;
 use function sort;
 use function strtolower;
+use const PHP_INT_MAX;
 use const SORT_FLAG_CASE;
 use const SORT_NATURAL;
 
@@ -108,7 +109,7 @@ public function execute(CommandSender $sender, string $commandLabel, array $args
 
 					$usage = $cmd->getUsage();
 					$usageString = $usage instanceof Translatable ? $lang->translate($usage) : $usage;
-					$sender->sendMessage(KnownTranslationFactory::pocketmine_command_help_specificCommand_usage(TextFormat::RESET . implode("\n" . TextFormat::RESET, explode("\n", $usageString)))
+					$sender->sendMessage(KnownTranslationFactory::pocketmine_command_help_specificCommand_usage(TextFormat::RESET . implode("\n" . TextFormat::RESET, explode("\n", $usageString, limit: PHP_INT_MAX)))
 						->prefix(TextFormat::GOLD));
 
 					$aliases = $cmd->getAliases();

src/command/defaults/ParticleCommand.php

@@ -219,7 +219,11 @@ private function getParticle(string $name, ?string $data = null) : ?Particle{
 				break;
 			case "blockdust":
 				if($data !== null){
-					$d = explode("_", $data);
+					//to preserve the old unlimited explode behaviour, allow this to split into at most 5 parts
+					//this allows the 4th argument to be processed normally if given without forcing it to also consume
+					//any unexpected parts
+					//we probably ought to error in this case, but this will do for now
+					$d = explode("_", $data, limit: 5);
 					if(count($d) >= 3){
 						return new DustParticle(new Color(
 							((int) $d[0]) & 0xff,

src/console/ConsoleCommandSender.php

@@ -62,7 +62,7 @@ public function sendMessage(Translatable|string $message) : void{
 			$message = $this->getLanguage()->translate($message);
 		}
 
-		foreach(explode("\n", trim($message)) as $line){
+		foreach(explode("\n", trim($message), limit: PHP_INT_MAX) as $line){
 			Terminal::writeLine(TextFormat::GREEN . "Command output | " . TextFormat::addBase(TextFormat::WHITE, $line));
 		}
 	}

src/item/LegacyStringToItemParser.php

@@ -111,7 +111,8 @@ public function getMappings() : array{
 	 */
 	public function parse(string $input) : Item{
 		$key = $this->reprocess($input);
-		$b = explode(":", $key);
+		//TODO: this should be limited to 2 parts, but 3 preserves old behaviour when given a string like 351:4:1
+		$b = explode(":", $key, limit: 3);
 
 		if(!isset($b[1])){
 			$meta = 0;

src/lang/Language.php

@@ -71,7 +71,7 @@ public static function getLanguageList(string $path = "") : array{
 
 				foreach($files as $file){
 					try{
-						$code = explode(".", $file)[0];
+						$code = explode(".", $file, limit: 2)[0];
 						$strings = self::loadLang($path, $code);
 						if(isset($strings[KnownTranslationKeys::LANGUAGE_NAME])){
 							$result[$code] = $strings[KnownTranslationKeys::LANGUAGE_NAME];

src/network/mcpe/JwtUtils.php

@@ -72,9 +72,11 @@ final class JwtUtils{
 	 * @throws JwtException
 	 */
 	public static function split(string $jwt) : array{
-		$v = explode(".", $jwt);
+		//limit of 4 allows us to detect too many parts without having to split the string up into a potentially large
+		//number of parts
+		$v = explode(".", $jwt, limit: 4);
 		if(count($v) !== 3){
-			throw new JwtException("Expected exactly 3 JWT parts, got " . count($v));
+			throw new JwtException("Expected exactly 3 JWT parts delimited by a period");
 		}
 		return [$v[0], $v[1], $v[2]]; //workaround phpstan bug
 	}

src/permission/BanEntry.php

@@ -148,7 +148,9 @@ public static function fromString(string $str) : ?BanEntry{
 			return null;
 		}
 
-		$parts = explode("|", trim($str));
+		//we expect at most 5 parts, but accept 6 in case of an extra unexpected delimiter
+		//we don't want to include unexpected data into the ban reason
+		$parts = explode("|", trim($str), limit: 6);
 		$entry = new BanEntry(trim(array_shift($parts)));
 		if(count($parts) > 0){
 			$entry->setCreated(self::parseDate(array_shift($parts)));

src/utils/Config.php

@@ -54,6 +54,7 @@
 use const JSON_BIGINT_AS_STRING;
 use const JSON_PRETTY_PRINT;
 use const JSON_THROW_ON_ERROR;
+use const PHP_INT_MAX;
 use const YAML_UTF8_ENCODING;
 
 /**
@@ -339,7 +340,7 @@ public function __unset($k){
 	}
 
 	public function setNested(string $key, mixed $value) : void{
-		$vars = explode(".", $key);
+		$vars = explode(".", $key, limit: PHP_INT_MAX);
 		$base = array_shift($vars);
 
 		if(!isset($this->config[$base])){
@@ -366,7 +367,7 @@ public function getNested(string $key, mixed $default = null) : mixed{
 			return $this->nestedCache[$key];
 		}
 
-		$vars = explode(".", $key);
+		$vars = explode(".", $key, limit: PHP_INT_MAX);
 		$base = array_shift($vars);
 		if(isset($this->config[$base])){
 			$base = $this->config[$base];
@@ -390,7 +391,7 @@ public function removeNested(string $key) : void{
 		$this->nestedCache = [];
 		$this->changed = true;
 
-		$vars = explode(".", $key);
+		$vars = explode(".", $key, limit: PHP_INT_MAX);
 
 		$currentNode = &$this->config;
 		while(count($vars) > 0){
@@ -495,7 +496,7 @@ private function fillDefaults(array $default, array &$data) : int{
 	 */
 	public static function parseList(string $content) : array{
 		$result = [];
-		foreach(explode("\n", trim(str_replace("\r\n", "\n", $content))) as $v){
+		foreach(explode("\n", trim(str_replace("\r\n", "\n", $content)), limit: PHP_INT_MAX) as $v){
 			$v = trim($v);
 			if($v === ""){
 				continue;

src/utils/Internet.php

@@ -60,6 +60,7 @@
 use const CURLOPT_SSL_VERIFYHOST;
 use const CURLOPT_SSL_VERIFYPEER;
 use const CURLOPT_TIMEOUT_MS;
+use const PHP_INT_MAX;
 use const SOCK_DGRAM;
 use const SOL_UDP;
 
@@ -227,9 +228,10 @@ public static function simpleCurl(string $page, float $timeout = 10, array $extr
 			$rawHeaders = substr($raw, 0, $headerSize);
 			$body = substr($raw, $headerSize);
 			$headers = [];
-			foreach(explode("\r\n\r\n", $rawHeaders) as $rawHeaderGroup){
+			//TODO: explore if we can set these limits lower
+			foreach(explode("\r\n\r\n", $rawHeaders, limit: PHP_INT_MAX) as $rawHeaderGroup){
 				$headerGroup = [];
-				foreach(explode("\r\n", $rawHeaderGroup) as $line){
+				foreach(explode("\r\n", $rawHeaderGroup, limit: PHP_INT_MAX) as $line){
 					$nameValue = explode(":", $line, 2);
 					if(isset($nameValue[1])){
 						$headerGroup[trim(strtolower($nameValue[0]))] = trim($nameValue[1]);

src/utils/Utils.php

@@ -369,7 +369,7 @@ public static function getReferenceCount(object $value, bool $includeCurrent = t
 		debug_zval_dump($value);
 		$contents = ob_get_contents();
 		if($contents === false) throw new AssumptionFailedError("ob_get_contents() should never return false here");
-		$ret = explode("\n", $contents);
+		$ret = explode("\n", $contents, limit: 2);
 		ob_end_clean();
 
 		if(preg_match('/^.* refcount\\(([0-9]+)\\)\\{$/', trim($ret[0]), $m) > 0){