fixes GHSA-mgqc-3445-qghq checks standard date fields
@@ -3095,4 +3095,34 @@ function get_container_info()
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks if the provided string is valid for a comparison test with a datetime field in MySQL
|
||||||
|
*
|
||||||
|
* Possible values : YYYY-MM-DD HH-MM-SS or YYYY-MM-DD
|
||||||
|
*
|
||||||
|
* @since 16.3
|
||||||
|
* @param string $datetime
|
||||||
|
* @return bool
|
||||||
|
*/
|
||||||
|
function is_valid_mysql_datetime(string $datetime)
|
||||||
|
{
|
||||||
|
// first we check the full date+time
|
||||||
|
$format = 'Y-m-d H:i:s';
|
||||||
|
$date = DateTime::createFromFormat($format, $datetime);
|
||||||
|
if ($date and $date->format($format) === $datetime)
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
// in case it fails, let's check with only date and no time
|
||||||
|
$format = 'Y-m-d';
|
||||||
|
$date = DateTime::createFromFormat($format, $datetime);
|
||||||
|
if ($date and $date->format($format) === $datetime)
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
|||||||
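Review bot: The docblock on is_valid_mysql_datetime advertises `YYYY-MM-DD HH-MM-SS`, but the format string actually checked is `Y-m-d H:i:s`, so a caller who follows the documentation and passes a hyphen-separated time will be rejected; the line should read `* Possible values : YYYY-MM-DD HH:MM:SS or YYYY-MM-DD`. Since the parameter is already typed `string`, the signature should also declare its return, `function is_valid_mysql_datetime(string $datetime): bool`, which matches the `@return bool` tag. The strict round-trip comparison `$date->format($format) === $datetime` is the property that makes this usable as a gate before a value reaches SQL: it rejects overflowed dates such as a February 30th (which createFromFormat silently normalises) and any trailing characters, so it should not be relaxed to a plain `$date !== false` check; a one-line comment saying so above the first `if` would help the next maintainer.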
@@ -34,6 +34,16 @@ function ws_isInvokeAllowed($res, $methodName, $params)
|
|||||||
*/
|
*/
|
||||||
function ws_std_image_sql_filter( $params, $tbl_name='' )
|
function ws_std_image_sql_filter( $params, $tbl_name='' )
|
||||||
{
|
{
|
||||||
|
foreach (array('f_min_date_available', 'f_max_date_available', 'f_min_date_created', 'f_max_date_created') as $datefield)
|
||||||
|
{
|
||||||
|
if (isset($params[$datefield]) and !is_valid_mysql_datetime($params[$datefield]))
|
||||||
|
{
|
||||||
|
global $service;
|
||||||
|
$service->sendResponse(new PwgError(WS_ERR_INVALID_PARAM, 'Invalid '.$datefield));
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
$clauses = array();
|
$clauses = array();
|
||||||
if ( is_numeric($params['f_min_rate']) )
|
if ( is_numeric($params['f_min_rate']) )
|
||||||
{
|
{
|
||||||
|
|||||||
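Review bot: is_valid_mysql_datetime declares its parameter as `string`, yet `$params[$datefield]` comes straight from the request; unless the web-service parameter declarations already constrain these four fields to scalars (not visible in this hunk), a non-scalar value such as an array would raise a TypeError here instead of the intended WS_ERR_INVALID_PARAM response. A defensive guard keeps the failure on the controlled path: `if (isset($params[$datefield]) and (!is_string($params[$datefield]) or !is_valid_mysql_datetime($params[$datefield])))`. The `global $service; … exit;` inside a helper that otherwise returns clauses to its caller is also worth a second look; if other filters report failures by returning a PwgError for the caller to send, doing the same here would be more consistent, but that depends on call sites outside this hunk. ws_std_image_sql_filter's body continues past the end of the hunk.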