authorMark Newnham <mark@newnhams.com>2019-01-01 20:33:21 -0700
committerMark Newnham <mark@newnhams.com>2019-01-01 20:33:21 -0700
commita3fd0e8ce1e4905814c5bcc0c560cffde786378a (patch)
treeb5433a50fb0911240a88378cecff5f343fd5f2c8 /adodb-time.inc.php
parent97bc62f940ae498d8cb997a2a90b40289cf7a530 (diff)
Security update to time library see #467
The BindTimeStamp and adodb_getdate functions are susceptible to abuse; see #467. The new constant ADODB_FUTURE_DATE_CUTOFF_YEARS limits how many years into the future a date may lie. See the documentation at http://adodb.org/dokuwiki/doku.php?id=v5:datetime:adodb_last_date_status for more information.
Diffstat (limited to 'adodb-time.inc.php')
-rw-r--r--adodb-time.inc.php26
1 files changed, 25 insertions, 1 deletions
diff --git a/adodb-time.inc.php b/adodb-time.inc.php
index f1d8eea8..1e8a0d34 100644
--- a/adodb-time.inc.php
+++ b/adodb-time.inc.php
@@ -421,6 +421,8 @@ $ADODB_DATETIME_CLASS = (PHP_VERSION >= 5.2);
if (!defined('ADODB_ALLOW_NEGATIVE_TS')) define('ADODB_NO_NEGATIVE_TS',1);
+if (!DEFINED('ADODB_FUTURE_DATE_CUTOFF_YEARS'))
+ DEFINE('ADODB_FUTURE_DATE_CUTOFF_YEARS',200);
function adodb_date_test_date($y1,$m,$d=13)
{
$h = round(rand()% 24);
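Review bot: ADODB_FUTURE_DATE_CUTOFF_YEARS is taken as-is from the application, so a zero, negative or non-numeric definition feeds straight into the cutoff arithmetic added to _adodb_getdate; nothing in this hunk checks that it is a positive number. The constant also has no comment, so a reader cannot tell its unit or effect; something like `// Max years past the current time that _adodb_getdate() will compute; later timestamps are clamped (see #467)` above the `DEFINE` would do. As a style point, the upper-case `DEFINED`/`DEFINE` differs from the lower-case `defined`/`define` on the line just above.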
@@ -830,13 +832,22 @@ global $_month_table_normal,$_month_table_leaf;
function _adodb_getdate($origd=false,$fast=false,$is_gmt=false)
{
static $YRS;
-global $_month_table_normal,$_month_table_leaf;
+global $_month_table_normal,$_month_table_leaf, $_adodb_last_date_call_failed;
+
+ $_adodb_last_date_call_failed = false;
$d = $origd - ($is_gmt ? 0 : adodb_get_gmt_diff_ts($origd));
$_day_power = 86400;
$_hour_power = 3600;
$_min_power = 60;
+ $cutoffDate = time() + (60 * 60 * 24 * 365 * ADODB_FUTURE_DATE_CUTOFF_YEARS);
+
+ if ($d > $cutoffDate)
+ {
+ $d = $cutoffDate;
+ $_adodb_last_date_call_failed = true;
+ }
if ($d < -12219321600) $d -= 86400*10; // if 15 Oct 1582 or earlier, gregorian correction
$_month_table_normal = array("",31,28,31,30,31,30,31,31,30,31,30,31);
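Review bot: The new guard `if ($d > $cutoffDate)` only rejects values above the cutoff, so a NAN timestamp (every comparison with NAN is false) and -INF still reach the date arithmetic below; `if (!is_finite($d) || $d > $cutoffDate)` would close those cases, and the lower bound deserves an explicit check if the code past the hunk iterates per year. The clamp is also silent: the function goes on with the cutoff value, and the only signal is the global `$_adodb_last_date_call_failed`, which is reset on every call and which callers written before this commit presumably never read, so a caller that stores the result may persist a date the user never supplied. `$cutoffDate` could reuse the `$_day_power` defined just above it, `time() + $_day_power * 365 * ADODB_FUTURE_DATE_CUTOFF_YEARS`, with a comment that the 365-day year makes the limit approximate. The body of _adodb_getdate continues outside the hunk.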
@@ -1473,3 +1484,16 @@ global $ADODB_DATE_LOCALE;
$ret = adodb_date($fmtdate, $ts, $is_gmt);
return $ret;
}
+
+/**
+* Returns the status of the last date calculation and whether it exceeds
+* the limit of ADODB_FUTURE_DATE_CUTOFF_YEARS
+*
+* @return boolean
+*/
+function adodb_last_date_status()
+{
+ global $_adodb_last_date_call_failed;
+
+ return $_adodb_last_date_call_failed;
+} \ No newline at end of file
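Review bot: adodb_last_date_status() can return null rather than the documented boolean when it is called before any _adodb_getdate() call has assigned `$_adodb_last_date_call_failed`, unless the global is initialised elsewhere in the file; `return (bool) $_adodb_last_date_call_failed;` keeps the contract. The docblock should also state that true means the last timestamp exceeded the cutoff and was clamped, and that the value describes only the most recent date call, so it has to be read immediately after the call it is meant to check.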