[freeside-commits] branch master updated. c9b7e9bd253b26a35e9821a877d0ae5d30105d38

Thu Sep 4 17:25:49 PDT 2014

The branch, master has been updated
       via  c9b7e9bd253b26a35e9821a877d0ae5d30105d38 (commit)
      from  5f5fbed30812124e5865c4aaf20c927f7d2d01bd (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c9b7e9bd253b26a35e9821a877d0ae5d30105d38
Author: C.J. Adams-Collier <cjac at colliertech.org>
Date:   Thu Sep 4 17:24:49 2014 -0700

    fix for lack of input validation - RT#15405

diff --git a/FS/FS/part_event/Condition/balance_age.pm b/FS/FS/part_event/Condition/balance_age.pm
index 8480659..701dafd 100644
--- a/FS/FS/part_event/Condition/balance_age.pm
+++ b/FS/FS/part_event/Condition/balance_age.pm
@@ -5,6 +5,46 @@ use base qw( FS::part_event::Condition );
 
 sub description { 'Customer balance age'; }
 
+=item check_options OPTIONS
+
+Validate options
+
+=cut
+
+my $duration_rx = qr/^(\d+)$/;
+my $unit_rx = qr/^[wmdh]$/;
+my $both_rx = qr/^(\d+)([wmdh])/;
+
+sub check_options {
+  my ($self, $options) = @_;
+
+  my $age       = $options->{age};
+  my $age_units = $options->{age_units};
+
+  return "Invalid (age) must be defined: $age"
+    unless( defined $age );
+
+  # over-ride possibly inaccurate unit indicator
+  if( $age =~ /$both_rx/ ){
+    $age = $1;
+    $age_units = $2;
+  }
+
+  return "Invalid (age_units) must be defined: $age_units"
+    unless defined $age_units;
+
+  return "Invalid (age) must be integer: $age"
+    unless( $age =~ /$duration_rx/ );
+
+  return "Invalid (age) must be non-zero: $age"
+    if ( $age == 0 );
+
+  return( "Invalid (age_units) must be m/w/d/h: $age_units" )
+    unless( $age_units =~ /$unit_rx/i );
+
+  return '';
+}
+
 sub option_fields {
   (
     'balance' => { 'label'      => 'Balance over',
diff --git a/httemplate/edit/process/part_event.html b/httemplate/edit/process/part_event.html
index a8c434c..481439d 100644
--- a/httemplate/edit/process/part_event.html
+++ b/httemplate/edit/process/part_event.html
@@ -85,6 +85,21 @@
       if ( $cgi->param('_initialize') ) {
         $cgi->param('disabled', 'Y');
       }
+
+      my $balance_age_rx = qr/^(condition.+)\.balance_age\.age$/;
+
+      foreach my $param ( keys %{ $cgi->Vars() } ){
+
+	next unless ( $param =~ /$balance_age_rx/ );
+	next unless $cgi->param($1) eq 'balance_age';
+
+	my $errstr = FS::part_event::Condition::balance_age->
+	  check_options( { age       => $cgi->param($param),
+			   age_units => $cgi->param("${param}_units") } );
+
+	return $errstr if $errstr;
+      }
+
       return '';
     },
     'noerror_callback' => sub {

-----------------------------------------------------------------------

Summary of changes:
 FS/FS/part_event/Condition/balance_age.pm |   40 +++++++++++++++++++++++++++++
 httemplate/edit/process/part_event.html   |   15 +++++++++++
 2 files changed, 55 insertions(+)


