fixes GHSA-mgqc-3445-qghq checks standard date fields

include/functions.inc.php

@@ -3095,4 +3095,34 @@ function get_container_info()
   }
 }
 
+/**
+ * Checks if the provided string is valid for a comparison test with a datetime field in MySQL
+ *
+ * Possible values : YYYY-MM-DD HH-MM-SS or YYYY-MM-DD
+ *
+ * @since 16.3
+ * @param string $datetime
+ * @return bool
+ */
+function is_valid_mysql_datetime(string $datetime)
+{
+  // first we check the full date+time
+  $format = 'Y-m-d H:i:s';
+  $date = DateTime::createFromFormat($format, $datetime);
+  if ($date and $date->format($format) === $datetime)
+  {
+    return true;
+  }
+
+  // in case it fails, let's check with only date and no time
+  $format = 'Y-m-d';
+  $date = DateTime::createFromFormat($format, $datetime);
+  if ($date and $date->format($format) === $datetime)
+  {
+    return true;
+  }
+
+  return false;
+}
+
 ?>

include/ws_functions.inc.php

@@ -34,6 +34,16 @@ function ws_isInvokeAllowed($res, $methodName, $params)
  */
 function ws_std_image_sql_filter( $params, $tbl_name='' )
 {
+  foreach (array('f_min_date_available', 'f_max_date_available', 'f_min_date_created', 'f_max_date_created') as $datefield)
+  {
+    if (isset($params[$datefield]) and !is_valid_mysql_datetime($params[$datefield]))
+    {
+      global $service;
+      $service->sendResponse(new PwgError(WS_ERR_INVALID_PARAM, 'Invalid '.$datefield));
+      exit;
+    }
+  }
+
   $clauses = array();
   if ( is_numeric($params['f_min_rate']) )
   {