From 316d1f9b14493467214440fec8830e16298136b6 Mon Sep 17 00:00:00 2001
From: Denis Flaven
Date: Tue, 17 May 2016 14:51:42 +0000
Subject: [PATCH] Validate date/time fields using their regular expression during an import (or synchro) to avoid passing wrong formats as-is (e.g. 01/02/16 can become 01/02/0016 instead of 01/02/2016 if you use the 4 digits format for years and pass only 2 digits !) SVN:trunk[4096]
---
 core/bulkchange.class.inc.php | 2 ++
 synchro/synchro_import.php | 19 ++++++++++++++-----
 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/core/bulkchange.class.inc.php b/core/bulkchange.class.inc.php
index d144f19c1..8161115e3 100644
--- a/core/bulkchange.class.inc.php
+++ b/core/bulkchange.class.inc.php
@@ -827,6 +827,8 @@ class BulkChange
 {
 $sFormat = $sDateFormat;
 }
+ $oFormat = new DateTimeFormat($sFormat);
+ $sRegExp = $oFormat->ToRegExpr();
 if (!preg_match('/'.$sRegExp.'/', $this->m_aData[$iRow][$iCol]))
 {
 $aResult[$iRow]["__STATUS__"]= new RowStatus_Issue(Dict::S('UI:CSVReport-Row-Issue-DateFormat'));
diff --git a/synchro/synchro_import.php b/synchro/synchro_import.php
index 356f903b1..583dc9e47 100644
--- a/synchro/synchro_import.php
+++ b/synchro/synchro_import.php
@@ -217,15 +217,24 @@ function ReadMandatoryParam($oP, $sParam, $sSanitizationFilter)
 function ChangeDateFormat($sProposedDate, $sDateFormat)
 {
 // Make sure this is a valid MySQL datetime
- $oDate = DateTime::createFromFormat($sDateFormat, $sProposedDate);
- if ($oDate !== false)
+ $oFormat = new DateTimeFormat($sDateFormat);
+ $sRegExpr = $oFormat->ToRegExpr();
+ if (!preg_match('/'.$sRegExpr.'/', $sProposedDate))
 {
- $sDate = $oDate->format(AttributeDateTime::GetInternalFormat());
- return $sDate;
+ return false;
 }
 else
 {
- return false;
+ $oDate = DateTime::createFromFormat($sDateFormat, $sProposedDate);
+ if ($oDate !== false)
+ {
+ $sDate = $oDate->format(AttributeDateTime::GetInternalFormat());
+ return $sDate;
+ }
+ else
+ {
+ return false;
+ }
 }
 }
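Review bot: The pattern passed to `preg_match` in the BulkChange hunk is built as `'/'.$sRegExp.'/'`, so the check is only as strict as the output of `ToRegExpr()`, which this patch does not show. If that output is not anchored with `^` and `$`, a cell holding a valid date followed by extra characters would still pass. If a `/` from a format such as `d/m/Y` is not escaped for the `/` delimiter, `preg_match` returns `false` with a warning, and `!preg_match(...)` reports that as an ordinary bad row. It is worth confirming both in `DateTimeFormat` and handling the `false` return separately from `0`, since a broken pattern is a configuration error rather than a data error. The same construction appears in `ChangeDateFormat()` in synchro/synchro_import.php, and the enclosing method here starts and ends outside the hunk.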
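Review bot: In `ChangeDateFormat()` the inner `$oDate !== false` test still accepts values that `DateTime::createFromFormat()` parses with warnings, such as an out-of-range day that is silently rolled over into the following month. The new regular expression presumably checks only the shape of the string, so such a value could still be imported as a different date than the one supplied. Consider calling `DateTime::getLastErrors()` right after the parse and returning `false` when `warning_count` or `error_count` is non-zero (on PHP 8.2+ it returns `false` rather than an array when there is nothing to report). As a style point, the nested `else` could be flattened, since the failed `preg_match` branch already returns early.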