[mmastrac]

You missed the point.

The code purported to be vulnerable is not slow because of the length of the string. The "example exploit" is slow because the reports use slow methods to construct the string under test. When timing the affected methods, they are _not_ slow.

[minitech]

Well, you didn’t link to that example exploit, and a random sampling from their profile looked legitimate. Do you have the specific link?