This repository has been archived by the owner on Mar 1, 2024. It is now read-only.

Commit

We are now validating the start and end dates before adding them to the post filter so we can make sure there's no possible SQL injection attack.

git-svn-id: https://plugins.svn.wordpress.org/editorial-calendar/trunk@667412 b8457f37-d9ea-0310-8a92-e5e31aec5664
zgrossbart committed Feb 13, 2013
1 parent 1efa425 commit a9277f1
Showing 2 changed files with 16 additions and 0 deletions.
12 changes: 12 additions & 0 deletions edcal.php
Expand Up @@ -495,6 +495,18 @@ function edcal_filter_where($where = '') {
if ($edcal_startDate == '00000000') {
$where .= " AND post_date_gmt LIKE '0000%'";
} else {
/*
* The start date and end date come from the client and we want to make
* sure there's no SQL injection attack here. We know these values must
* be dates in a format like 2013-02-03. Date parsing is complex and PHP
* dates allow a lot of different formats. The simplest way to make sure
* this isn't a SQL injection attack is to remove the dashes and check if
* the result is numeric. If it is then this can't be a SQL injection attack.
*/
if (!is_numeric(str_replace("-", "", $edcal_startDate)) || !is_numeric(str_replace("-", "", $edcal_endDate))) {
die("The specified start date and end date for the posts query must be numeric.");
}

$where .= " AND post_date >= '" . $edcal_startDate . "' AND post_date < '" . $edcal_endDate . "' AND post_date_gmt NOT LIKE '0000%'";
}
return $where;
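Review bot: The is_numeric() check after stripping dashes does reject quotes and backslashes, so it closes the concatenation hole, but it is a side-effect guard rather than a date validation: is_numeric() also accepts leading whitespace, a sign, a decimal point and exponent notation, so values that are not dates of the form 2013-02-03 still pass the check and reach the query. Prefer validating the exact format, e.g. `preg_match('/^\d{4}-\d{2}-\d{2}$/', $edcal_startDate)` plus checkdate() on the parts, and build the clause with `$wpdb->prepare(" AND post_date >= %s AND post_date < %s", $edcal_startDate, $edcal_endDate)` so the values are escaped by WordPress independently of the check. Also, die() inside a filter callback aborts the whole request; wp_die() or returning $where unchanged after logging the rejection is the usual WordPress pattern.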
4 changes: 4 additions & 0 deletions readme.txt
Expand Up @@ -181,6 +181,10 @@ Changed all calls of the jQuery live method to use the new on method so the cale

The Editorial Calendar is now stripping all tags out of post titles created from the calendar. This fixes a potential security issue found by the Mozilla security testing team. https://bugzilla.mozilla.org/show_bug.cgi?id=738112

We are now preventing a potential SQL injection attack with the start date and end date filter when querying posts. This fixes a potential security issue found by the Mozilla security testing team. https://bugzilla.mozilla.org/show_bug.cgi?id=738112



= 2.6 =

Fixed some layout issues with the previous and next calendar buttons in WordPress 3.5.
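Review bot: The new changelog entry links the same Bugzilla bug (738112) as the preceding entry about stripping tags from post titles; if the SQL injection report was filed under a different bug, link that one, and if both findings came from the same report, say so rather than repeating the URL. The three blank lines added before `= 2.6 =` are also more than the single blank line the file uses between other entries.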

0 comments on commit a9277f1
