From 3ab004f7f6ce0551e1fdf3e52fec8848b69b0b52 Mon Sep 17 00:00:00 2001
From: plegall
Date: Tue, 24 Feb 2026 17:14:35 +0100
Subject: [PATCH] fixes GHSA-wfmr-9hg8-jh3m protects pwg.activity.getList

---
 include/ws_functions/pwg.php | 13 +++++++++----
 ws.php | 10 ++++++++--
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/include/ws_functions/pwg.php b/include/ws_functions/pwg.php
index 69e58c117..db54b7a7e 100644
--- a/include/ws_functions/pwg.php
+++ b/include/ws_functions/pwg.php
@@ -454,8 +454,13 @@ function ws_getActivityList($param, &$service)
 {
   global $conf;
 
-  /* Test Lantency */
-  // sleep(1);
+  foreach (array('date_min', 'date_max') as $datefield)
+  {
+    if (!empty($param[$datefield]) and !is_valid_mysql_datetime($param[$datefield]))
+    {
+      return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid '.$datefield);
+    }
+  }
 
   $output_lines = array();
   $current_key = '';
@@ -488,13 +493,13 @@ function ws_getActivityList($param, &$service)
   if (isset($param['action']))
   {
     $where .= '
-      AND action = "'.$param['action'].'"';
+      AND action = "'.pwg_db_real_escape_string($param['action']).'"';
   }
 
   if (isset($param['object']))
   {
     $where .= '
-      AND object = "'.$param['object'].'"';
+      AND object = "'.pwg_db_real_escape_string($param['object']).'"';
   }
 
   if (!empty($param['date_min']))
diff --git a/ws.php b/ws.php
index 25fc8781a..017d5e4eb 100644
--- a/ws.php
+++ b/ws.php
@@ -86,8 +86,14 @@ function ws_addDefaultMethods( $arr )
     array(
       'page' => array('default'=>null,
                       'type'=>WS_TYPE_INT|WS_TYPE_POSITIVE),
-      'uid' => array('default'=>NULL,
-                     'type'=>WS_TYPE_INT|WS_TYPE_POSITIVE),
+      'offset' => array('default'=>0,
+                        'type'=>WS_TYPE_INT|WS_TYPE_POSITIVE),
+      'uid' => array('default'=>NULL, 'type'=>WS_TYPE_ID),
+      'date_min' => array('default'=>null),
+      'date_max' => array('default'=>null),
+      'id' => array('default'=>null, 'type'=>WS_TYPE_ID),
+      'object' => array('default'=>null),
+      'action' => array('default'=>null),
     ),
     'Returns general informations.',
     $ws_functions_root . 'pwg.php',
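Review bot: The new `date_min`/`date_max` guard at the top of ws_getActivityList carries no comment saying why it exists, and the reason is non-local: the same values are interpolated into `$where` further down (the `if (!empty($param['date_min']))` branch that begins at the end of the second hunk and continues outside it), so this format check is the only thing standing between the parameter and the query. A one-line comment above the loop would keep a later refactor from moving or weakening it, e.g. `// date_min/date_max are interpolated into $where below; accept only a MySQL datetime literal`. Note also that `!empty()` lets a literal `'0'` skip validation, which appears harmless only because the later `!empty($param['date_min'])` guard skips it as well; if that later guard is ever changed to `isset()`, the unvalidated value would reach the query. The body of ws_getActivityList continues outside this hunk.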
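Review bot: Escaping `action` and `object` with `pwg_db_real_escape_string()` at the point of interpolation closes the injection, but it keeps the query assembled by string concatenation, so every future `$where .=` for a string parameter has to remember the same call. If the `action` and `object` columns of the activity table hold a fixed set of values (not visible in this hunk), matching the parameter against that allow-list and returning `new PwgError(WS_ERR_INVALID_PARAM, ...)` on mismatch — the same shape the new date check uses in the first hunk — would be stricter than escaping and would also surface typos to the API caller instead of returning an empty list. ws_getActivityList's body continues before and after this hunk.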
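Review bot: `date_min`, `date_max`, `object` and `action` are registered without a `'type'` entry, so the web-service layer hands them to the handler as raw strings and the handler alone is responsible for validating them; a short comment on these entries would make that contract visible to the next person adding a parameter, e.g. `// free-form strings: validated/escaped in ws_getActivityList()`. Changing `uid` from `WS_TYPE_INT|WS_TYPE_POSITIVE` to `WS_TYPE_ID` is the right direction for a value that ends up in a WHERE clause, but if `WS_TYPE_ID` rejects inputs the old flags accepted (zero, presumably), that is a visible API change worth a line in the method description. `offset` is declared `WS_TYPE_POSITIVE` with a default of `0`, which only works if that flag permits zero — worth confirming against the ws type checker. The enclosing ws_addDefaultMethods call starts before this hunk and ends after it.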