From c9b7e9bd253b26a35e9821a877d0ae5d30105d38 Mon Sep 17 00:00:00 2001 From: "C.J. Adams-Collier" Date: Thu, 4 Sep 2014 17:24:49 -0700 Subject: [PATCH] fix for lack of input validation - RT#15405 --- FS/FS/part_event/Condition/balance_age.pm | 40 +++++++++++++++++++++++++++++++ httemplate/edit/process/part_event.html | 15 ++++++++++++ 2 files changed, 55 insertions(+) diff --git a/FS/FS/part_event/Condition/balance_age.pm b/FS/FS/part_event/Condition/balance_age.pm index 84806596a..701dafdfe 100644 --- a/FS/FS/part_event/Condition/balance_age.pm +++ b/FS/FS/part_event/Condition/balance_age.pm @@ -5,6 +5,46 @@ use base qw( FS::part_event::Condition ); sub description { 'Customer balance age'; } +=item check_options OPTIONS + +Validate options + +=cut + +my $duration_rx = qr/^(\d+)$/; +my $unit_rx = qr/^[wmdh]$/; +my $both_rx = qr/^(\d+)([wmdh])/; + +sub check_options { + my ($self, $options) = @_; + + my $age = $options->{age}; + my $age_units = $options->{age_units}; + + return "Invalid (age) must be defined: $age" + unless( defined $age ); + + # over-ride possibly inaccurate unit indicator + if( $age =~ /$both_rx/ ){ + $age = $1; + $age_units = $2; + } + + return "Invalid (age_units) must be defined: $age_units" + unless defined $age_units; + + return "Invalid (age) must be integer: $age" + unless( $age =~ /$duration_rx/ ); + + return "Invalid (age) must be non-zero: $age" + if ( $age == 0 ); + + return( "Invalid (age_units) must be m/w/d/h: $age_units" ) + unless( $age_units =~ /$unit_rx/i ); + + return ''; +} + sub option_fields { ( 'balance' => { 'label' => 'Balance over', diff --git a/httemplate/edit/process/part_event.html b/httemplate/edit/process/part_event.html index a8c434c1a..481439d53 100644 --- a/httemplate/edit/process/part_event.html +++ b/httemplate/edit/process/part_event.html 
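Review bot: The two "must be defined" returns in check_options interpolate the very value they have just found to be undef (`"Invalid (age) must be defined: $age"` and the age_units counterpart), which emits a "Use of uninitialized value" warning on every such rejection; drop the interpolation, e.g. `return "Invalid (age) must be defined" unless defined $age;`. The validation patterns anchor with `^`/`$`, so `$duration_rx` still accepts a trailing newline ("5\n"), and `$both_rx` has no end anchor at all, so an input like "5dxyz" is silently rewritten to age 5 / units d rather than rejected; `qr/\A(\d+)\z/` and `qr/\A(\d+)([wmdh])\z/` would make the accepted grammar exact. `$unit_rx` is matched with `/i` but `$age_units` is never lowercased, so an uppercase unit passes here while whatever later consumes age_units (not visible in this diff) may not treat 'D' as 'd'; either normalise with `lc` before the match or drop `/i`. The new POD `=item` is not wrapped in `=over`/`=back`, which podchecker will flag.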
@@ -85,6 +85,21 @@ if ( $cgi->param('_initialize') ) { $cgi->param('disabled', 'Y'); } + + my $balance_age_rx = qr/^(condition.+)\.balance_age\.age$/; + + foreach my $param ( keys %{ $cgi->Vars() } ){ + + next unless ( $param =~ /$balance_age_rx/ ); + next unless $cgi->param($1) eq 'balance_age'; + + my $errstr = FS::part_event::Condition::balance_age-> + check_options( { age => $cgi->param($param), + age_units => $cgi->param("${param}_units") } ); + + return $errstr if $errstr; + } + return ''; }, 'noerror_callback' => sub { -- 2.11.0
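Review bot: `$cgi->param($param)` and `$cgi->param("${param}_units")` are evaluated in list context inside the anonymous hash handed to check_options, so an absent or multi-valued parameter shifts the remaining key/value pairs (with age missing, the literal string 'age_units' becomes the age value and the units value becomes a key); force scalar context: `check_options( { age => scalar $cgi->param($param), age_units => scalar $cgi->param("${param}_units") } );`. The guard `next unless $cgi->param($1) eq 'balance_age';` likewise warns when the condition-type field is absent, so `( $cgi->param($1) // '' ) eq 'balance_age'` would be quieter (defined-or needs 5.10+; the minimum Perl for this file is not visible here). Note that the check now lives only in this form handler: unless FS::part_event's own check routine also calls check_options, which this diff does not show, records created through any other path skip the validation entirely. The enclosing anonymous sub begins before this hunk.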