authorChristian Grothoff <christian@grothoff.org>2021-04-01 11:28:20 +0200
committerChristian Grothoff <christian@grothoff.org>2021-04-01 11:28:20 +0200
commit9b729aceb6e02c3a8ef7a8f0b010cd32263da33c (patch)
tree43102b4fa0c2669dd15646fd4724c758c1b7198a /src/backend/taler-merchant-httpd_private-get-orders.c
parentcc802c04911560ba85a8aa021f0a80c4fa99815a (diff)
implement #6816: use more sane format for date argument in GET /private/orders request
Diffstat (limited to 'src/backend/taler-merchant-httpd_private-get-orders.c')
-rw-r--r--src/backend/taler-merchant-httpd_private-get-orders.c43
1 files changed, 31 insertions, 12 deletions
diff --git a/src/backend/taler-merchant-httpd_private-get-orders.c b/src/backend/taler-merchant-httpd_private-get-orders.c
index 576b9ed8..673728d6 100644
--- a/src/backend/taler-merchant-httpd_private-get-orders.c
+++ b/src/backend/taler-merchant-httpd_private-get-orders.c
@@ -526,14 +526,14 @@ TMH_private_get_orders (const struct TMH_RequestHandler *rh,
}
else
{
- char dummy[2];
+ char dummy;
long long ll;
if (1 !=
sscanf (delta_str,
- "%lld%1s",
+ "%lld%c",
&ll,
- dummy))
+ &dummy))
return TALER_MHD_reply_with_error (connection,
MHD_HTTP_BAD_REQUEST,
TALER_EC_GENERIC_PARAMETER_MALFORMED,
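Review bot: The `sscanf (delta_str, "%lld%c", ...)` parse of the `delta` query argument has undefined behaviour in ISO C when the digits do not fit in `long long`, so an over-long value taken from the request is not guaranteed to be rejected as malformed. Parsing with `strtoll` makes the range check explicit: `errno = 0; ll = strtoll (delta_str, &end, 10);` followed by `if ( (end == delta_str) || ('\0' != *end) || (ERANGE == errno) )` returning the existing 400 reply. The `%llu` parse of `date_ms` added in the third hunk has the same gap. TMH_private_get_orders starts and ends outside this hunk.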
@@ -542,12 +542,12 @@ TMH_private_get_orders (const struct TMH_RequestHandler *rh,
}
}
{
- const char *date_str;
+ const char *date_ms_str;
- date_str = MHD_lookup_connection_value (connection,
- MHD_GET_ARGUMENT_KIND,
- "date");
- if (NULL == date_str)
+ date_ms_str = MHD_lookup_connection_value (connection,
+ MHD_GET_ARGUMENT_KIND,
+ "date_ms");
+ if (NULL == date_ms_str)
{
if (of.delta > 0)
of.date = GNUNET_TIME_UNIT_ZERO_ABS;
@@ -556,13 +556,32 @@ TMH_private_get_orders (const struct TMH_RequestHandler *rh,
}
else
{
- if (GNUNET_OK !=
- GNUNET_STRINGS_fancy_time_to_absolute (date_str,
- &of.date))
+ char dummy;
+ unsigned long long ll;
+
+ if (1 !=
+ sscanf (date_ms_str,
+ "%llu%c",
+ &ll,
+ &dummy))
+ {
+ GNUNET_break_op (0);
return TALER_MHD_reply_with_error (connection,
MHD_HTTP_BAD_REQUEST,
TALER_EC_GENERIC_PARAMETER_MALFORMED,
- "date");
+ "date_ms");
+ }
+ of.date.abs_value_us = ll * GNUNET_TIME_UNIT_MILLISECONDS.rel_value_us;
+ if (of.date.abs_value_us / GNUNET_TIME_UNIT_MILLISECONDS.rel_value_us !=
+ ll)
+ {
+ /* overflow during multiplication detected */
+ GNUNET_break_op (0);
+ return TALER_MHD_reply_with_error (connection,
+ MHD_HTTP_BAD_REQUEST,
+ TALER_EC_GENERIC_PARAMETER_MALFORMED,
+ "date_ms");
+ }
}
}
{
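Review bot: `%llu` in the new `date_ms` parser accepts leading whitespace and a sign, so a value such as `-5` is negated in unsigned arithmetic instead of being reported as malformed; the multiplication-overflow test that follows rejects many such inputs, but only as a side effect. A guard before the `sscanf` would make the accepted syntax explicit: `if (! isdigit ((unsigned char) date_ms_str[0]))` returning the same `TALER_EC_GENERIC_PARAMETER_MALFORMED` reply (this needs `<ctype.h>` if the file does not already include it). The divide-back overflow check itself looks correct for the unsigned operands shown. The enclosing function continues outside this hunk.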