fix for lack of input validation - RT#15405

author C.J. Adams-Collier <cjac@colliertech.org>

Fri, 5 Sep 2014 00:24:49 +0000 (17:24 -0700)

committer C.J. Adams-Collier <cjac@colliertech.org>

Fri, 5 Sep 2014 00:25:42 +0000 (17:25 -0700)
author C.J. Adams-Collier <cjac@colliertech.org>
Fri, 5 Sep 2014 00:24:49 +0000 (17:24 -0700)
committer C.J. Adams-Collier <cjac@colliertech.org>
Fri, 5 Sep 2014 00:25:42 +0000 (17:25 -0700)
diff --git a/FS/FS/part_event/Condition/balance_age.pm b/FS/FS/part_event/Condition/balance_age.pm

index 8480659..701dafd 100644 (file)
--- a/FS/FS/part_event/Condition/balance_age.pm
+++ b/FS/FS/part_event/Condition/balance_age.pm
@@ -5,6 +5,46 @@ use base qw( FS::part_event::Condition );
  
  sub description { 'Customer balance age'; }
  
+=item check_options OPTIONS
+
+Validate options
+
+=cut
+
+my $duration_rx = qr/^(\d+)$/;
+my $unit_rx = qr/^[wmdh]$/;
+my $both_rx = qr/^(\d+)([wmdh])/;
+
+sub check_options {
+  my ($self, $options) = @_;
+
+  my $age       = $options->{age};
+  my $age_units = $options->{age_units};
+
+  return "Invalid (age) must be defined: $age"
+    unless( defined $age );
+
+  # over-ride possibly inaccurate unit indicator
+  if( $age =~ /$both_rx/ ){
+    $age = $1;
+    $age_units = $2;
+  }
+
+  return "Invalid (age_units) must be defined: $age_units"
+    unless defined $age_units;
+
+  return "Invalid (age) must be integer: $age"
+    unless( $age =~ /$duration_rx/ );
+
+  return "Invalid (age) must be non-zero: $age"
+    if ( $age == 0 );
+
+  return( "Invalid (age_units) must be m/w/d/h: $age_units" )
+    unless( $age_units =~ /$unit_rx/i );
+
+  return '';
+}
+
  sub option_fields {
    (
      'balance' => { 'label'      => 'Balance over',
diff --git a/httemplate/edit/process/part_event.html b/httemplate/edit/process/part_event.html

index a8c434c..481439d 100644 (file)
--- a/httemplate/edit/process/part_event.html
+++ b/httemplate/edit/process/part_event.html
@@ -85,6 +85,21 @@
        if ( $cgi->param('_initialize') ) {
          $cgi->param('disabled', 'Y');
        }
+
+      my $balance_age_rx = qr/^(condition.+)\.balance_age\.age$/;
+
+      foreach my $param ( keys %{ $cgi->Vars() } ){
+
+       next unless ( $param =~ /$balance_age_rx/ );
+       next unless $cgi->param($1) eq 'balance_age';
+
+       my $errstr = FS::part_event::Condition::balance_age->
+         check_options( { age       => $cgi->param($param),
+                          age_units => $cgi->param("${param}_units") } );
+
+       return $errstr if $errstr;
+      }
+
        return '';
      },
      'noerror_callback' => sub {
author	C.J. Adams-Collier <cjac@colliertech.org>
	Fri, 5 Sep 2014 00:24:49 +0000 (17:24 -0700)
committer	C.J. Adams-Collier <cjac@colliertech.org>
	Fri, 5 Sep 2014 00:25:42 +0000 (17:25 -0700)
FS/FS/part_event/Condition/balance_age.pm		patch \| blob \| history
httemplate/edit/process/part_event.html		patch \| blob \| history