A better fix to validate a passed-in date.
anuko committed Oct 12, 2021
1 parent 5599067 commit d3f60bd
Showing 3 changed files with 19 additions and 5 deletions.
20 changes: 17 additions & 3 deletions WEB-INF/lib/common.lib.php
Expand Up @@ -226,15 +226,29 @@ function ttValidDate($val)
if (strlen($val) == 0)
return false;

// This should accept a string in format 'YYYY-MM-DD', 'MM/DD/YYYY', 'DD-MM-YYYY', 'DD.MM.YYYY', or 'DD.MM.YYYY whatever'.
// This should validate a string in format 'YYYY-MM-DD', 'MM/DD/YYYY', 'DD-MM-YYYY', 'DD.MM.YYYY', or 'DD.MM.YYYY whatever'.
if (!preg_match('/^\d\d\d\d-\d\d-\d\d$/', $val) &&
!preg_match('/^\d\d\/\d\d\/\d\d\d\d$/', $val) &&
!preg_match('/^\d\d\-\d\d\-\d\d\d\d$/', $val) &&
!preg_match('/^\d\d\.\d\d\.\d\d\d\d$/', $val) &&
!preg_match('/^\d\d\.\d\d\.\d\d\d\d .+$/', $val))
return false;

return true;

return true;
}

// ttValidDbDateFormatDate is used to check user input to validate a date in DB_DATEFORMAT.
function ttValidDbDateFormatDate($val)
{
$val = trim($val);
if (strlen($val) == 0)
return false;

// This should validate a string in format 'YYYY-MM-DD'.
if (!preg_match('/^\d\d\d\d-\d\d-\d\d$/', $val))
return false;

return true;
}

// ttValidInteger is used to check user input to validate an integer.
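Review bot: ttValidDbDateFormatDate() matches against a trimmed copy of its argument, so a value with leading or trailing whitespace (a newline included) is accepted while the caller in time.php keeps using the untrimmed `$date`. The pattern also checks shape only, so a constructed example such as `2021-13-45` passes. I would drop the `trim()` and make the check exact and calendar-aware: `if (!preg_match('/^(\d{4})-(\d\d)-(\d\d)\z/', $val, $m) || !checkdate((int)$m[2], (int)$m[3], (int)$m[1])) return false;`. The `\z` anchor is needed because `$` without the `D` modifier still matches before a final newline. How `$date` is used after the check is not visible on this page, so the impact of the untrimmed value needs confirming against the rest of time.php.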
2 changes: 1 addition & 1 deletion initialize.php
Expand Up @@ -12,7 +12,7 @@
// Disable displaying errors on screen.
ini_set('display_errors', 'Off');

define("APP_VERSION", "1.19.30.5599");
define("APP_VERSION", "1.19.30.5600");
define("APP_DIR", dirname(__FILE__));
define("LIBRARY_DIR", APP_DIR."/WEB-INF/lib");
define("TEMPLATE_DIR", APP_DIR."/WEB-INF/templates");
2 changes: 1 addition & 1 deletion time.php
Expand Up @@ -34,7 +34,7 @@
}
// If we are passed in a date, make sure it is in correct format.
$date = $request->getParameter('date');
if ($date && !ttValidDate($date)) {
if ($date && !ttValidDbDateFormatDate($date)) {
header('Location: access_denied.php');
exit();
}
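Review bot: The guard `if ($date && ...)` skips validation for any falsy string, so a request with `date=0` reaches the rest of time.php without ever passing through ttValidDbDateFormatDate(). Testing for presence explicitly closes that gap while still treating a missing parameter as absent: `if ((string)$date !== '' && !ttValidDbDateFormatDate($date)) {`. The script starts and continues outside this hunk, so whether `$date` is checked again before it is used cannot be confirmed from this page.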
