tweak config defaults

for now this is configured to warn only by default, until we get the parameters for it dialled in

.github/workflows/build-docker-image.yml

@@ -53,7 +53,7 @@ jobs:
         run: echo NAME=$(echo "${GITHUB_REPOSITORY,,}") >> $GITHUB_OUTPUT
 
       - name: Build image for tag
-        uses: docker/build-push-action@v6.13.0
+        uses: docker/build-push-action@v6.15.0
         with:
           push: true
           context: ./pocketmine-mp
@@ -66,7 +66,7 @@ jobs:
 
       - name: Build image for major tag
         if: steps.channel.outputs.CHANNEL == 'stable'
-        uses: docker/build-push-action@v6.13.0
+        uses: docker/build-push-action@v6.15.0
         with:
           push: true
           context: ./pocketmine-mp
@@ -79,7 +79,7 @@ jobs:
 
       - name: Build image for minor tag
         if: steps.channel.outputs.CHANNEL == 'stable'
-        uses: docker/build-push-action@v6.13.0
+        uses: docker/build-push-action@v6.15.0
         with:
           push: true
           context: ./pocketmine-mp
@@ -92,7 +92,7 @@ jobs:
 
       - name: Build image for latest tag
         if: steps.channel.outputs.CHANNEL == 'stable'
-        uses: docker/build-push-action@v6.13.0
+        uses: docker/build-push-action@v6.15.0
         with:
           push: true
           context: ./pocketmine-mp

.github/workflows/draft-release.yml

@@ -165,7 +165,7 @@ jobs:
             ${{ github.workspace }}/core-permissions.rst
 
       - name: Create draft release
-        uses: ncipollo/release-action@v1.15.0
+        uses: ncipollo/release-action@v1.16.0
         id: create-draft
         with:
           artifacts: ${{ github.workspace }}/PocketMine-MP.phar,${{ github.workspace }}/start.*,${{ github.workspace }}/build_info.json,${{ github.workspace }}/core-permissions.rst
@@ -182,6 +182,8 @@ jobs:
 
             :information_source: Download the recommended PHP binary [here](${{ steps.php-binary-url.outputs.PHP_BINARY_URL }}).
 
+            :warning: Found a bug? Report it on our [issue tracker](${{ github.server_url }}/${{ github.repository }}/issues). **We can't fix bugs if you don't report them.**
+
       - name: Post draft release URL on PR
         if: github.event_name == 'pull_request_target'
         uses: thollander/actions-comment-pull-request@v3

README.md

@@ -65,6 +65,8 @@ PocketMine-MP accepts community contributions! The following resources will be u
  * [Building and running PocketMine-MP from source](BUILDING.md)
  * [Contributing Guidelines](CONTRIBUTING.md)
 
+New here? Check out [issues with the "Easy task" label](https://github.com/pmmp/PocketMine-MP/issues?q=is%3Aissue%20state%3Aopen%20label%3A%22Easy%20task%22) for things you could work to familiarise yourself with the codebase.
+
 ## Donate
 PocketMine-MP is free, but it requires a lot of time and effort from unpaid volunteers to develop. Donations enable us to keep delivering support for new versions and adding features your players love.
 

build/dump-version-info.php

@@ -36,7 +36,7 @@ require dirname(__DIR__) . '/vendor/autoload.php';
  */
 $options = [
 	"base_version" => VersionInfo::BASE_VERSION,
-	"major_version" => fn() => explode(".", VersionInfo::BASE_VERSION)[0],
+	"major_version" => fn() => explode(".", VersionInfo::BASE_VERSION, limit: 2)[0],
 	"mcpe_version" => ProtocolInfo::MINECRAFT_VERSION_NETWORK,
 	"is_dev" => VersionInfo::IS_DEVELOPMENT_BUILD,
 	"changelog_file_name" => function() : string{

changelogs/5.25.md

@@ -44,3 +44,9 @@ Released 26th February 2025.
 - Fixed confusing exception message when a block-breaking tool has an efficiency value of zero.
 - Fixed incorrect facing of doors since 1.21.60 (resulted in mismatched AABBs between client & server, rendering glitches etc.)
 - Resource pack UUIDs are now validated on load. Previously, invalid UUIDs would be accepted, and potentially cause a server crash on player join.
+
+# 5.25.2
+Released 4th March 2025.
+
+## Fixes
+- Added limits to various `explode()` calls.

composer.json

@@ -37,7 +37,7 @@
       "pocketmine/bedrock-data": "~4.0.0+bedrock-1.21.60",
       "pocketmine/bedrock-item-upgrade-schema": "~1.14.0+bedrock-1.21.50",
       "pocketmine/bedrock-protocol": "~36.0.0+bedrock-1.21.60",
-      "pocketmine/binaryutils": "^0.2.1",
+      "pocketmine/binaryutils": "dev-experimental/read-ops-accounting as 0.2.6",
       "pocketmine/callback-validator": "^1.0.2",
       "pocketmine/color": "^0.3.0",
       "pocketmine/errorhandler": "^0.7.0",

composer.lock

@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "bef9decc40d9f5bd82e1de2d151bd99f",
+    "content-hash": "415cb668882a32039066467bb308421f",
     "packages": [
         {
             "name": "adhocore/json-comment",
@@ -67,16 +67,16 @@
         },
         {
             "name": "brick/math",
-            "version": "0.12.1",
+            "version": "0.12.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/brick/math.git",
-                "reference": "f510c0a40911935b77b86859eb5223d58d660df1"
+                "reference": "901eddb1e45a8e0f689302e40af871c181ecbe40"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/brick/math/zipball/f510c0a40911935b77b86859eb5223d58d660df1",
-                "reference": "f510c0a40911935b77b86859eb5223d58d660df1",
+                "url": "https://api.github.com/repos/brick/math/zipball/901eddb1e45a8e0f689302e40af871c181ecbe40",
+                "reference": "901eddb1e45a8e0f689302e40af871c181ecbe40",
                 "shasum": ""
             },
             "require": {
@@ -85,7 +85,7 @@
             "require-dev": {
                 "php-coveralls/php-coveralls": "^2.2",
                 "phpunit/phpunit": "^10.1",
-                "vimeo/psalm": "5.16.0"
+                "vimeo/psalm": "6.8.8"
             },
             "type": "library",
             "autoload": {
@@ -115,7 +115,7 @@
             ],
             "support": {
                 "issues": "https://github.com/brick/math/issues",
-                "source": "https://github.com/brick/math/tree/0.12.1"
+                "source": "https://github.com/brick/math/tree/0.12.2"
             },
             "funding": [
                 {
@@ -123,7 +123,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2023-11-29T23:19:16+00:00"
+            "time": "2025-02-26T10:21:45+00:00"
         },
         {
             "name": "netresearch/jsonmapper",
@@ -302,16 +302,16 @@
         },
         {
             "name": "pocketmine/binaryutils",
-            "version": "0.2.6",
+            "version": "dev-experimental/read-ops-accounting",
             "source": {
                 "type": "git",
                 "url": "https://github.com/pmmp/BinaryUtils.git",
-                "reference": "ccfc1899b859d45814ea3592e20ebec4cb731c84"
+                "reference": "8cfa34c9d5aae11886a4142c172cff05f1e87ee2"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/pmmp/BinaryUtils/zipball/ccfc1899b859d45814ea3592e20ebec4cb731c84",
-                "reference": "ccfc1899b859d45814ea3592e20ebec4cb731c84",
+                "url": "https://api.github.com/repos/pmmp/BinaryUtils/zipball/8cfa34c9d5aae11886a4142c172cff05f1e87ee2",
+                "reference": "8cfa34c9d5aae11886a4142c172cff05f1e87ee2",
                 "shasum": ""
             },
             "require": {
@@ -320,9 +320,9 @@
             },
             "require-dev": {
                 "phpstan/extension-installer": "^1.0",
-                "phpstan/phpstan": "~1.10.3",
-                "phpstan/phpstan-phpunit": "^1.0",
-                "phpstan/phpstan-strict-rules": "^1.0.0",
+                "phpstan/phpstan": "2.1.0",
+                "phpstan/phpstan-phpunit": "^2.0",
+                "phpstan/phpstan-strict-rules": "^2.0.0",
                 "phpunit/phpunit": "^9.5 || ^10.0 || ^11.0"
             },
             "type": "library",
@@ -338,9 +338,9 @@
             "description": "Classes and methods for conveniently handling binary data",
             "support": {
                 "issues": "https://github.com/pmmp/BinaryUtils/issues",
-                "source": "https://github.com/pmmp/BinaryUtils/tree/0.2.6"
+                "source": "https://github.com/pmmp/BinaryUtils/tree/experimental/read-ops-accounting"
             },
-            "time": "2024-03-04T15:04:17+00:00"
+            "time": "2025-03-11T11:50:46+00:00"
         },
         {
             "name": "pocketmine/callback-validator",
@@ -2930,9 +2930,18 @@
             "time": "2024-03-03T12:36:25+00:00"
         }
     ],
-    "aliases": [],
+    "aliases": [
+        {
+            "package": "pocketmine/binaryutils",
+            "version": "dev-experimental/read-ops-accounting",
+            "alias": "0.2.6",
+            "alias_normalized": "0.2.6.0"
+        }
+    ],
     "minimum-stability": "stable",
-    "stability-flags": [],
+    "stability-flags": {
+        "pocketmine/binaryutils": 20
+    },
     "prefer-stable": false,
     "prefer-lowest": false,
     "platform": {
@@ -2967,5 +2976,5 @@
     "platform-overrides": {
         "php": "8.1.0"
     },
-    "plugin-api-version": "2.3.0"
+    "plugin-api-version": "2.6.0"
 }

phpstan.neon.dist

@@ -13,6 +13,7 @@ rules:
 	- pocketmine\phpstan\rules\DeprecatedLegacyEnumAccessRule
 	- pocketmine\phpstan\rules\DisallowEnumComparisonRule
 	- pocketmine\phpstan\rules\DisallowForeachByReferenceRule
+	- pocketmine\phpstan\rules\ExplodeLimitRule
 	- pocketmine\phpstan\rules\UnsafeForeachArrayOfStringRule
 #	- pocketmine\phpstan\rules\ThreadedSupportedTypesRule
 

resources/pocketmine.yml

@@ -83,6 +83,29 @@ network:
   #DO NOT DISABLE THIS unless you understand the risks involved.
   enable-encryption: true
 
+  #EXPERIMENTAL! Limit packet read operations per network session.
+  #This is intended to stop exploitation of packets with arrays in them.
+  #Note that enabling this system may cause players to be unexpectedly kicked, or it may fail to stop attackers.
+  #As of March 2025, the system is still in development and subject to change.
+  packet-read-ops-limit:
+    #What to do when a session's read ops budget is depleted.
+    #Supported actions are "none", "warn" and "kick".
+    deplete-action: warn
+
+    #How many backlog ticks to budget for. 200 allows for a 10-second network lag spike, or a small number of complex
+    #packets.
+    session-budget-ticks: 200
+
+    #How much to top up each session's read operations budget per tick. Recommended to set this to about 2x the
+    #average number of read operations per tick per session.
+    #Exceeding this value won't cause any action to be taken. However, consistently exceeding it will cause the
+    #session's budget to be depleted, resulting in action being taken.
+    session-budget-per-tick: 100
+
+    #Whether to collect stats for debugging. This might impact performance.
+    #See NetworkSession::dumpDecodeCostStats() if you want to visualize the stats yourself.
+    collect-stats: false
+
 debug:
   #If > 1, it will show debug messages in the console
   level: 1

src/PocketMine.php

@@ -264,7 +264,7 @@ JIT_WARNING
 		$composerGitHash = InstalledVersions::getReference('pocketmine/pocketmine-mp');
 		if($composerGitHash !== null){
 			//we can't verify dependency versions if we were installed without using git
-			$currentGitHash = explode("-", VersionInfo::GIT_HASH())[0];
+			$currentGitHash = explode("-", VersionInfo::GIT_HASH(), 2)[0];
 			if($currentGitHash !== $composerGitHash){
 				critical_error("Composer dependencies and/or autoloader are out of sync.");
 				critical_error("- Current revision is $currentGitHash");

src/VersionInfo.php

@@ -31,8 +31,8 @@ use function str_repeat;
 
 final class VersionInfo{
 	public const NAME = "PocketMine-MP";
-	public const BASE_VERSION = "5.25.1";
-	public const IS_DEVELOPMENT_BUILD = false;
+	public const BASE_VERSION = "5.25.3";
+	public const IS_DEVELOPMENT_BUILD = true;
 	public const BUILD_CHANNEL = "stable";
 
 	/**

src/YmlServerProperties.php

@@ -90,6 +90,11 @@ final class YmlServerProperties{
 	public const NETWORK_COMPRESSION_LEVEL = 'network.compression-level';
 	public const NETWORK_ENABLE_ENCRYPTION = 'network.enable-encryption';
 	public const NETWORK_MAX_MTU_SIZE = 'network.max-mtu-size';
+	public const NETWORK_PACKET_READ_OPS_LIMIT = 'network.packet-read-ops-limit';
+	public const NETWORK_PACKET_READ_OPS_LIMIT_COLLECT_STATS = 'network.packet-read-ops-limit.collect-stats';
+	public const NETWORK_PACKET_READ_OPS_LIMIT_DEPLETE_ACTION = 'network.packet-read-ops-limit.deplete-action';
+	public const NETWORK_PACKET_READ_OPS_LIMIT_SESSION_BUDGET_PER_TICK = 'network.packet-read-ops-limit.session-budget-per-tick';
+	public const NETWORK_PACKET_READ_OPS_LIMIT_SESSION_BUDGET_TICKS = 'network.packet-read-ops-limit.session-budget-ticks';
 	public const NETWORK_UPNP_FORWARDING = 'network.upnp-forwarding';
 	public const PLAYER = 'player';
 	public const PLAYER_SAVE_PLAYER_DATA = 'player.save-player-data';

src/block/tile/Sign.php

@@ -62,9 +62,10 @@ class Sign extends Spawnable{
 
 	/**
 	 * @return string[]
+	 * @deprecated
 	 */
 	public static function fixTextBlob(string $blob) : array{
-		return array_slice(array_pad(explode("\n", $blob), 4, ""), 0, 4);
+		return array_slice(array_pad(explode("\n", $blob, limit: 5), 4, ""), 0, 4);
 	}
 
 	protected SignText $text;

src/block/utils/SignText.php

@@ -79,7 +79,7 @@ class SignText{
 	 * @throws \InvalidArgumentException if the text is not valid UTF-8
 	 */
 	public static function fromBlob(string $blob, ?Color $baseColor = null, bool $glowing = false) : SignText{
-		return new self(array_slice(array_pad(explode("\n", $blob), self::LINE_COUNT, ""), 0, self::LINE_COUNT), $baseColor, $glowing);
+		return new self(array_slice(array_pad(explode("\n", $blob, limit: self::LINE_COUNT + 1), self::LINE_COUNT, ""), 0, self::LINE_COUNT), $baseColor, $glowing);
 	}
 
 	/**

src/command/Command.php

@@ -37,6 +37,7 @@ use function array_values;
 use function explode;
 use function implode;
 use function str_replace;
+use const PHP_INT_MAX;
 
 abstract class Command{
 
@@ -113,7 +114,7 @@ abstract class Command{
 	}
 
 	public function setPermission(?string $permission) : void{
-		$this->setPermissions($permission === null ? [] : explode(";", $permission));
+		$this->setPermissions($permission === null ? [] : explode(";", $permission, limit: PHP_INT_MAX));
 	}
 
 	public function testPermission(CommandSender $target, ?string $permission = null) : bool{

src/command/defaults/HelpCommand.php

@@ -39,6 +39,7 @@ use function ksort;
 use function min;
 use function sort;
 use function strtolower;
+use const PHP_INT_MAX;
 use const SORT_FLAG_CASE;
 use const SORT_NATURAL;
 
@@ -108,7 +109,7 @@ class HelpCommand extends VanillaCommand{
 
 					$usage = $cmd->getUsage();
 					$usageString = $usage instanceof Translatable ? $lang->translate($usage) : $usage;
-					$sender->sendMessage(KnownTranslationFactory::pocketmine_command_help_specificCommand_usage(TextFormat::RESET . implode("\n" . TextFormat::RESET, explode("\n", $usageString)))
+					$sender->sendMessage(KnownTranslationFactory::pocketmine_command_help_specificCommand_usage(TextFormat::RESET . implode("\n" . TextFormat::RESET, explode("\n", $usageString, limit: PHP_INT_MAX)))
 						->prefix(TextFormat::GOLD));
 
 					$aliases = $cmd->getAliases();

src/command/defaults/ParticleCommand.php

@@ -219,7 +219,11 @@ class ParticleCommand extends VanillaCommand{
 				break;
 			case "blockdust":
 				if($data !== null){
-					$d = explode("_", $data);
+					//to preserve the old unlimited explode behaviour, allow this to split into at most 5 parts
+					//this allows the 4th argument to be processed normally if given without forcing it to also consume
+					//any unexpected parts
+					//we probably ought to error in this case, but this will do for now
+					$d = explode("_", $data, limit: 5);
 					if(count($d) >= 3){
 						return new DustParticle(new Color(
 							((int) $d[0]) & 0xff,

src/console/ConsoleCommandSender.php

@@ -62,7 +62,7 @@ class ConsoleCommandSender implements CommandSender{
 			$message = $this->getLanguage()->translate($message);
 		}
 
-		foreach(explode("\n", trim($message)) as $line){
+		foreach(explode("\n", trim($message), limit: PHP_INT_MAX) as $line){
 			Terminal::writeLine(TextFormat::GREEN . "Command output | " . TextFormat::addBase(TextFormat::WHITE, $line));
 		}
 	}

src/crafting/ShapedRecipe.php

@@ -97,6 +97,7 @@ class ShapedRecipe implements CraftingRecipe{
 
 		$this->shape = $shape;
 
+		Utils::validateArrayValueType($ingredients, function(RecipeIngredient $_) : void{});
 		foreach(Utils::stringifyKeys($ingredients) as $char => $i){
 			if(!str_contains(implode($this->shape), $char)){
 				throw new \InvalidArgumentException("Symbol '$char' does not appear in the recipe shape");
@@ -105,6 +106,7 @@ class ShapedRecipe implements CraftingRecipe{
 			$this->ingredientList[$char] = clone $i;
 		}
 
+		Utils::validateArrayValueType($results, function(Item $_) : void{});
 		$this->results = Utils::cloneObjectArray($results);
 	}
 

src/crafting/ShapelessRecipe.php

@@ -53,7 +53,9 @@ class ShapelessRecipe implements CraftingRecipe{
 		if(count($ingredients) > 9){
 			throw new \InvalidArgumentException("Shapeless recipes cannot have more than 9 ingredients");
 		}
+		Utils::validateArrayValueType($ingredients, function(RecipeIngredient $_) : void{});
 		$this->ingredients = $ingredients;
+		Utils::validateArrayValueType($results, function(Item $_) : void{});
 		$this->results = Utils::cloneObjectArray($results);
 	}
 

src/entity/Entity.php

@@ -1495,7 +1495,7 @@ abstract class Entity{
 			$this->getId(), //TODO: actor unique ID
 			$this->getId(),
 			static::getNetworkTypeId(),
-			$this->location->asVector3(),
+			$this->getOffsetPosition($this->location->asVector3()),
 			$this->getMotion(),
 			$this->location->pitch,
 			$this->location->yaw,

src/item/LegacyStringToItemParser.php

@@ -111,7 +111,8 @@ final class LegacyStringToItemParser{
 	 */
 	public function parse(string $input) : Item{
 		$key = $this->reprocess($input);
-		$b = explode(":", $key);
+		//TODO: this should be limited to 2 parts, but 3 preserves old behaviour when given a string like 351:4:1
+		$b = explode(":", $key, limit: 3);
 
 		if(!isset($b[1])){
 			$meta = 0;

src/lang/Language.php

@@ -71,7 +71,7 @@ class Language{
 
 				foreach($files as $file){
 					try{
-						$code = explode(".", $file)[0];
+						$code = explode(".", $file, limit: 2)[0];
 						$strings = self::loadLang($path, $code);
 						if(isset($strings[KnownTranslationKeys::LANGUAGE_NAME])){
 							$result[$code] = $strings[KnownTranslationKeys::LANGUAGE_NAME];

src/network/mcpe/JwtUtils.php

@@ -72,9 +72,11 @@ final class JwtUtils{
 	 * @throws JwtException
 	 */
 	public static function split(string $jwt) : array{
-		$v = explode(".", $jwt);
+		//limit of 4 allows us to detect too many parts without having to split the string up into a potentially large
+		//number of parts
+		$v = explode(".", $jwt, limit: 4);
 		if(count($v) !== 3){
-			throw new JwtException("Expected exactly 3 JWT parts, got " . count($v));
+			throw new JwtException("Expected exactly 3 JWT parts delimited by a period");
 		}
 		return [$v[0], $v[1], $v[2]]; //workaround phpstan bug
 	}

src/network/mcpe/NetworkSession.php

@@ -113,10 +113,11 @@ use pocketmine\utils\BinaryDataException;
 use pocketmine\utils\BinaryStream;
 use pocketmine\utils\ObjectSet;
 use pocketmine\utils\TextFormat;
+use pocketmine\utils\Utils;
 use pocketmine\world\format\io\GlobalItemDataHandlers;
 use pocketmine\world\Position;
 use pocketmine\world\World;
-use pocketmine\YmlServerProperties;
+use pocketmine\YmlServerProperties as Yml;
 use function array_map;
 use function base64_encode;
 use function bin2hex;
@@ -126,6 +127,9 @@ use function implode;
 use function in_array;
 use function is_string;
 use function json_encode;
+use function max;
+use function microtime;
+use function min;
 use function ord;
 use function random_bytes;
 use function str_split;
@@ -136,6 +140,7 @@ use function substr;
 use function time;
 use function ucfirst;
 use const JSON_THROW_ON_ERROR;
+use const PHP_INT_MAX;
 
 class NetworkSession{
 	private const INCOMING_PACKET_BATCH_PER_TICK = 2; //usually max 1 per tick, but transactions arrive separately
@@ -144,9 +149,17 @@ class NetworkSession{
 	private const INCOMING_GAME_PACKETS_PER_TICK = 2;
 	private const INCOMING_GAME_PACKETS_BUFFER_TICKS = 100;
 
+	private const READ_OPS_PER_TICK = 100; //subject to change
+	private const READ_OPS_BUFFER_TICKS = 200; //subject to change
+
 	private PacketRateLimiter $packetBatchLimiter;
 	private PacketRateLimiter $gamePacketLimiter;
 
+	private PacketRateLimiter $readOpsLimiter;
+	private PacketRateLimiterAction $readOpsLimiterAction;
+
+	private bool $readOpsStats;
+
 	private \PrefixedLogger $logger;
 	private ?Player $player = null;
 	private ?PlayerInfo $info = null;
@@ -194,6 +207,28 @@ class NetworkSession{
 	 */
 	private ObjectSet $disposeHooks;
 
+	/**
+	 * @var int[]
+	 * @phpstan-var array<string, int>
+	 */
+	private array $readOpsPerPacketMin = [];
+	/**
+	 * @var int[]
+	 * @phpstan-var array<string, int>
+	 */
+	private array $readOpsPerPacketMax = [];
+	/**
+	 * @var int[]
+	 * @phpstan-var array<string, int>
+	 */
+	private array $readOpsPerPacketTotal = [];
+	/**
+	 * @var int[]
+	 * @phpstan-var array<string, int>
+	 */
+	private array $receivedPacketCounts = [];
+	private int $totalReadOpsUsed = 0;
+
 	public function __construct(
 		private Server $server,
 		private NetworkSessionManager $manager,
@@ -216,6 +251,15 @@ class NetworkSession{
 		$this->packetBatchLimiter = new PacketRateLimiter("Packet Batches", self::INCOMING_PACKET_BATCH_PER_TICK, self::INCOMING_PACKET_BATCH_BUFFER_TICKS);
 		$this->gamePacketLimiter = new PacketRateLimiter("Game Packets", self::INCOMING_GAME_PACKETS_PER_TICK, self::INCOMING_GAME_PACKETS_BUFFER_TICKS);
 
+		$serverConfigGroup = $this->server->getConfigGroup();
+		$this->readOpsLimiter = new PacketRateLimiter(
+			"Packet Read Operations",
+			$serverConfigGroup->getPropertyInt(Yml::NETWORK_PACKET_READ_OPS_LIMIT_SESSION_BUDGET_PER_TICK, self::READ_OPS_PER_TICK),
+			$serverConfigGroup->getPropertyInt(Yml::NETWORK_PACKET_READ_OPS_LIMIT_SESSION_BUDGET_TICKS, self::READ_OPS_BUFFER_TICKS),
+		);
+		$this->readOpsLimiterAction = PacketRateLimiterAction::from($serverConfigGroup->getPropertyString(Yml::NETWORK_PACKET_READ_OPS_LIMIT_DEPLETE_ACTION, PacketRateLimiterAction::WARN->value));
+		$this->readOpsStats = $serverConfigGroup->getPropertyBool(Yml::NETWORK_PACKET_READ_OPS_LIMIT_COLLECT_STATS, false);
+
 		$this->setHandler(new SessionStartPacketHandler(
 			$this,
 			$this->onSessionStartSuccess(...)
@@ -450,7 +494,36 @@ class NetworkSession{
 			try{
 				$stream = PacketSerializer::decoder($buffer, 0);
 				try{
-					$packet->decode($stream);
+					if($this->readOpsLimiterAction === PacketRateLimiterAction::NONE){
+						$packet->decode($stream);
+					}else{
+						$this->readOpsLimiter->update();
+						$stream->setReadOpsLimit(
+							$this->readOpsLimiterAction === PacketRateLimiterAction::KICK ?
+								$this->readOpsLimiter->getBudget() :
+								PHP_INT_MAX //don't bail out of decoding if we're only warning
+						);
+
+						$packet->decode($stream);
+						$readOps = $stream->getReadOps();
+						//If we exceeded the budget, a PacketDecodeException has already been thrown if we're in KICK
+						//mode, so we can assume we're in WARN mode here
+						if($this->readOpsLimiter->getBudget() < $readOps){
+							$this->getLogger()->warning("Decoding " . $packet->getName() . " exceeded read ops budget! $readOps > " . $this->readOpsLimiter->getBudget());
+							$this->readOpsLimiter->reset();
+						}else{
+							$this->readOpsLimiter->decrement($readOps);
+						}
+
+						if($this->readOpsStats){
+							$this->totalReadOpsUsed += $readOps;
+							$key = $packet->getName();
+							$this->readOpsPerPacketTotal[$key] = ($this->readOpsPerPacketTotal[$key] ?? 0) + $readOps;
+							$this->readOpsPerPacketMin[$key] = min($this->readOpsPerPacketMin[$key] ?? PHP_INT_MAX, $readOps);
+							$this->readOpsPerPacketMax[$key] = max($this->readOpsPerPacketMax[$key] ?? 0, $readOps);
+							$this->receivedPacketCounts[$key] = ($this->receivedPacketCounts[$key] ?? 0) + 1;
+						}
+					}
 				}catch(PacketDecodeException $e){
 					throw PacketHandlingException::wrap($e);
 				}
@@ -483,6 +556,30 @@ class NetworkSession{
 		}
 	}
 
+	/**
+	 * @return int[]|float[]
+	 * @phpstan-return array<string, int|float|array<string, int|float>>
+	 */
+	public function dumpDecodeCostStats() : array{
+		if(!$this->readOpsStats){
+			throw new \LogicException("Not collecting stats for this session");
+		}
+		$sessionTime = microtime(true) - $this->connectTime;
+		$packetDecodeAverages = [];
+		$packetCostsPerSecondAverages = [];
+		foreach(Utils::stringifyKeys($this->readOpsPerPacketTotal) as $packet => $total){
+			$packetDecodeAverages[$packet] = $total / $this->receivedPacketCounts[$packet];
+			$packetCostsPerSecondAverages[$packet] = $total / $sessionTime;
+		}
+		return [
+			"readOpsAvgPerSecondTotal" => $this->totalReadOpsUsed / $sessionTime,
+			"readOpsAvgPerPacketPerSecond" => $packetCostsPerSecondAverages,
+			"readOpsAvgPerPacket" => $packetDecodeAverages,
+			"readOpsMinPerPacket" => $this->readOpsPerPacketMin,
+			"readOpsMaxPerPacket" => $this->readOpsPerPacketMax
+		];
+	}
+
 	public function handleAckReceipt(int $receiptId) : void{
 		if(!$this->connected){
 			return;
@@ -857,7 +954,7 @@ class NetworkSession{
 		}
 		$this->logger->debug("Xbox Live authenticated: " . ($this->authenticated ? "YES" : "NO"));
 
-		$checkXUID = $this->server->getConfigGroup()->getPropertyBool(YmlServerProperties::PLAYER_VERIFY_XUID, true);
+		$checkXUID = $this->server->getConfigGroup()->getPropertyBool(Yml::PLAYER_VERIFY_XUID, true);
 		$myXUID = $this->info instanceof XboxLivePlayerInfo ? $this->info->getXuid() : "";
 		$kickForXUIDMismatch = function(string $xuid) use ($checkXUID, $myXUID) : bool{
 			if($checkXUID && $myXUID !== $xuid){

src/network/mcpe/PacketRateLimiter.php

@@ -62,6 +62,14 @@ final class PacketRateLimiter{
 		$this->budget -= $amount;
 	}
 
+	public function getBudget() : int{
+		return $this->budget;
+	}
+
+	public function reset() : void{
+		$this->budget = $this->maxBudget;
+	}
+
 	public function update() : void{
 		$nowNs = hrtime(true);
 		$timeSinceLastUpdateNs = $nowNs - $this->lastUpdateTimeNs;

src/network/mcpe/PacketRateLimiterAction.php

@@ -0,0 +1,30 @@
+<?php
+
+/*
+ *
+ *  ____            _        _   __  __ _                  __  __ ____
+ * |  _ \ ___   ___| | _____| |_|  \/  (_)_ __   ___      |  \/  |  _ \
+ * | |_) / _ \ / __| |/ / _ \ __| |\/| | | '_ \ / _ \_____| |\/| | |_) |
+ * |  __/ (_) | (__|   <  __/ |_| |  | | | | | |  __/_____| |  | |  __/
+ * |_|   \___/ \___|_|\_\___|\__|_|  |_|_|_| |_|\___|     |_|  |_|_|
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * @author PocketMine Team
+ * @link http://www.pocketmine.net/
+ *
+ *
+ */
+
+declare(strict_types=1);
+
+namespace pocketmine\network\mcpe;
+
+enum PacketRateLimiterAction : string{
+	case NONE = "none";
+	case WARN = "warn";
+	case KICK = "kick";
+}

src/permission/BanEntry.php

@@ -148,7 +148,9 @@ class BanEntry{
 			return null;
 		}
 
-		$parts = explode("|", trim($str));
+		//we expect at most 5 parts, but accept 6 in case of an extra unexpected delimiter
+		//we don't want to include unexpected data into the ban reason
+		$parts = explode("|", trim($str), limit: 6);
 		$entry = new BanEntry(trim(array_shift($parts)));
 		if(count($parts) > 0){
 			$entry->setCreated(self::parseDate(array_shift($parts)));

src/utils/Config.php

@@ -54,6 +54,7 @@ use const CASE_LOWER;
 use const JSON_BIGINT_AS_STRING;
 use const JSON_PRETTY_PRINT;
 use const JSON_THROW_ON_ERROR;
+use const PHP_INT_MAX;
 use const YAML_UTF8_ENCODING;
 
 /**
@@ -339,7 +340,7 @@ class Config{
 	}
 
 	public function setNested(string $key, mixed $value) : void{
-		$vars = explode(".", $key);
+		$vars = explode(".", $key, limit: PHP_INT_MAX);
 		$base = array_shift($vars);
 
 		if(!isset($this->config[$base])){
@@ -366,7 +367,7 @@ class Config{
 			return $this->nestedCache[$key];
 		}
 
-		$vars = explode(".", $key);
+		$vars = explode(".", $key, limit: PHP_INT_MAX);
 		$base = array_shift($vars);
 		if(isset($this->config[$base])){
 			$base = $this->config[$base];
@@ -390,7 +391,7 @@ class Config{
 		$this->nestedCache = [];
 		$this->changed = true;
 
-		$vars = explode(".", $key);
+		$vars = explode(".", $key, limit: PHP_INT_MAX);
 
 		$currentNode = &$this->config;
 		while(count($vars) > 0){
@@ -495,7 +496,7 @@ class Config{
 	 */
 	public static function parseList(string $content) : array{
 		$result = [];
-		foreach(explode("\n", trim(str_replace("\r\n", "\n", $content))) as $v){
+		foreach(explode("\n", trim(str_replace("\r\n", "\n", $content)), limit: PHP_INT_MAX) as $v){
 			$v = trim($v);
 			if($v === ""){
 				continue;

src/utils/Internet.php

@@ -60,6 +60,7 @@ use const CURLOPT_RETURNTRANSFER;
 use const CURLOPT_SSL_VERIFYHOST;
 use const CURLOPT_SSL_VERIFYPEER;
 use const CURLOPT_TIMEOUT_MS;
+use const PHP_INT_MAX;
 use const SOCK_DGRAM;
 use const SOL_UDP;
 
@@ -227,9 +228,10 @@ class Internet{
 			$rawHeaders = substr($raw, 0, $headerSize);
 			$body = substr($raw, $headerSize);
 			$headers = [];
-			foreach(explode("\r\n\r\n", $rawHeaders) as $rawHeaderGroup){
+			//TODO: explore if we can set these limits lower
+			foreach(explode("\r\n\r\n", $rawHeaders, limit: PHP_INT_MAX) as $rawHeaderGroup){
 				$headerGroup = [];
-				foreach(explode("\r\n", $rawHeaderGroup) as $line){
+				foreach(explode("\r\n", $rawHeaderGroup, limit: PHP_INT_MAX) as $line){
 					$nameValue = explode(":", $line, 2);
 					if(isset($nameValue[1])){
 						$headerGroup[trim(strtolower($nameValue[0]))] = trim($nameValue[1]);

src/utils/Utils.php

@@ -369,7 +369,7 @@ final class Utils{
 		debug_zval_dump($value);
 		$contents = ob_get_contents();
 		if($contents === false) throw new AssumptionFailedError("ob_get_contents() should never return false here");
-		$ret = explode("\n", $contents);
+		$ret = explode("\n", $contents, limit: 2);
 		ob_end_clean();
 
 		if(preg_match('/^.* refcount\\(([0-9]+)\\)\\{$/', trim($ret[0]), $m) > 0){

src/world/generator/FlatGeneratorOptions.php

@@ -26,10 +26,12 @@ namespace pocketmine\world\generator;
 use pocketmine\data\bedrock\BiomeIds;
 use pocketmine\item\LegacyStringToItemParser;
 use pocketmine\item\LegacyStringToItemParserException;
+use pocketmine\world\World;
 use function array_map;
 use function explode;
 use function preg_match;
 use function preg_match_all;
+use const PHP_INT_MAX;
 
 /**
  * @internal
@@ -70,7 +72,7 @@ final class FlatGeneratorOptions{
 	 */
 	public static function parseLayers(string $layers) : array{
 		$result = [];
-		$split = array_map('\trim', explode(',', $layers));
+		$split = array_map('\trim', explode(',', $layers, limit: World::Y_MAX - World::Y_MIN));
 		$y = 0;
 		$itemParser = LegacyStringToItemParser::getInstance();
 		foreach($split as $line){
@@ -96,7 +98,7 @@ final class FlatGeneratorOptions{
 	 * @throws InvalidGeneratorOptionsException
 	 */
 	public static function parsePreset(string $presetString) : self{
-		$preset = explode(";", $presetString);
+		$preset = explode(";", $presetString, limit: 4);
 		$blocks = $preset[1] ?? "";
 		$biomeId = (int) ($preset[2] ?? BiomeIds::PLAINS);
 		$optionsString = $preset[3] ?? "";
@@ -109,9 +111,10 @@ final class FlatGeneratorOptions{
 			$params = true;
 			if($matches[3][$i] !== ""){
 				$params = [];
-				$p = explode(" ", $matches[3][$i]);
+				$p = explode(" ", $matches[3][$i], limit: PHP_INT_MAX);
 				foreach($p as $k){
-					$k = explode("=", $k);
+					//TODO: this should be limited to 2 parts, but 3 preserves old behaviour when given e.g. treecount=20=1
+					$k = explode("=", $k, limit: 3);
 					if(isset($k[1])){
 						$params[$k[0]] = $k[1];
 					}

tests/phpstan/rules/ExplodeLimitRule.php

@@ -0,0 +1,92 @@
+<?php
+
+/*
+ *
+ *  ____            _        _   __  __ _                  __  __ ____
+ * |  _ \ ___   ___| | _____| |_|  \/  (_)_ __   ___      |  \/  |  _ \
+ * | |_) / _ \ / __| |/ / _ \ __| |\/| | | '_ \ / _ \_____| |\/| | |_) |
+ * |  __/ (_) | (__|   <  __/ |_| |  | | | | | |  __/_____| |  | |  __/
+ * |_|   \___/ \___|_|\_\___|\__|_|  |_|_|_| |_|\___|     |_|  |_|_|
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * @author PocketMine Team
+ * @link http://www.pocketmine.net/
+ *
+ *
+ */
+
+declare(strict_types=1);
+
+namespace pocketmine\phpstan\rules;
+
+use PhpParser\Node;
+use PhpParser\Node\Expr\FuncCall;
+use PhpParser\Node\Name;
+use PHPStan\Analyser\ArgumentsNormalizer;
+use PHPStan\Analyser\Scope;
+use PHPStan\Reflection\ParametersAcceptorSelector;
+use PHPStan\Reflection\ReflectionProvider;
+use PHPStan\Rules\Rule;
+use PHPStan\Rules\RuleErrorBuilder;
+use function count;
+
+/**
+ * @phpstan-implements Rule<FuncCall>
+ */
+final class ExplodeLimitRule implements Rule{
+	private ReflectionProvider $reflectionProvider;
+
+	public function __construct(
+		ReflectionProvider $reflectionProvider
+	){
+		$this->reflectionProvider = $reflectionProvider;
+	}
+
+	public function getNodeType() : string{
+		return FuncCall::class;
+	}
+
+	public function processNode(Node $node, Scope $scope) : array{
+		if(!$node->name instanceof Name){
+			return [];
+		}
+
+		if(!$this->reflectionProvider->hasFunction($node->name, $scope)){
+			return [];
+		}
+
+		$functionReflection = $this->reflectionProvider->getFunction($node->name, $scope);
+
+		if($functionReflection->getName() !== 'explode'){
+			return [];
+		}
+
+		$parametersAcceptor = ParametersAcceptorSelector::selectFromArgs(
+			$scope,
+			$node->getArgs(),
+			$functionReflection->getVariants(),
+			$functionReflection->getNamedArgumentsVariants(),
+		);
+
+		$normalizedFuncCall = ArgumentsNormalizer::reorderFuncArguments($parametersAcceptor, $node);
+
+		if($normalizedFuncCall === null){
+			return [];
+		}
+
+		$count = count($normalizedFuncCall->getArgs());
+		if($count !== 3){
+			return [
+				RuleErrorBuilder::message('The $limit parameter of explode() must be set to prevent malicious client data wasting resources.')
+					->identifier("pocketmine.explode.limit")
+					->build()
+			];
+		}
+
+		return [];
+	}
+}

tools/generate-bedrock-data-from-packets.php

@@ -624,7 +624,7 @@ function main(array $argv) : int{
 	}
 
 	foreach($packets as $lineNum => $line){
-		$parts = explode(':', $line);
+		$parts = explode(':', $line, limit: 3);
 		if(count($parts) !== 2){
 			fwrite(STDERR, 'Wrong packet format at line ' . ($lineNum + 1) . ', expected read:base64 or write:base64');
 			return 1;