From 9b729aceb6e02c3a8ef7a8f0b010cd32263da33c Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Thu, 1 Apr 2021 11:28:20 +0200 Subject: implement #6816: use more sane format for date argument in GET /private/orders request --- .../taler-merchant-httpd_private-get-orders.c | 43 ++++++++++++++++------ 1 file changed, 31 insertions(+), 12 deletions(-) (limited to 'src/backend/taler-merchant-httpd_private-get-orders.c') diff --git a/src/backend/taler-merchant-httpd_private-get-orders.c b/src/backend/taler-merchant-httpd_private-get-orders.c index 576b9ed8..673728d6 100644 --- a/src/backend/taler-merchant-httpd_private-get-orders.c +++ b/src/backend/taler-merchant-httpd_private-get-orders.c @@ -526,14 +526,14 @@ TMH_private_get_orders (const struct TMH_RequestHandler *rh, } else { - char dummy[2]; + char dummy; long long ll; if (1 != sscanf (delta_str, - "%lld%1s", + "%lld%c", &ll, - dummy)) + &dummy)) return TALER_MHD_reply_with_error (connection, MHD_HTTP_BAD_REQUEST, TALER_EC_GENERIC_PARAMETER_MALFORMED, @@ -542,12 +542,12 @@ TMH_private_get_orders (const struct TMH_RequestHandler *rh, } } { - const char *date_str; + const char *date_ms_str; - date_str = MHD_lookup_connection_value (connection, - MHD_GET_ARGUMENT_KIND, - "date"); - if (NULL == date_str) + date_ms_str = MHD_lookup_connection_value (connection, + MHD_GET_ARGUMENT_KIND, + "date_ms"); + if (NULL == date_ms_str) { if (of.delta > 0) of.date = GNUNET_TIME_UNIT_ZERO_ABS; 
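Review bot: Out-of-range input is still handed to `sscanf` in the `delta` branch: for `%lld` the C standard leaves the behaviour undefined when the converted value does not fit in `ll`, so an over-long digit string in this query argument is not reliably answered with the malformed-parameter reply. The same holds for the `%llu` conversion this commit adds for `date_ms` in the last hunk. `strtoll`/`strtoull` report the range error instead, e.g. `errno = 0; ll = strtoll (delta_str, &end, 10);` followed by `if ( (end == delta_str) || ('\0' != *end) || (ERANGE == errno) )` in front of the existing error return. Note also that `%c`, unlike `%1s`, does not skip whitespace, so trailing whitespace after the number is now rejected, which looks intended; TMH_private_get_orders begins and ends outside this hunk.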
@@ -556,13 +556,32 @@ TMH_private_get_orders (const struct TMH_RequestHandler *rh, } else { - if (GNUNET_OK != - GNUNET_STRINGS_fancy_time_to_absolute (date_str, - &of.date)) + char dummy; + unsigned long long ll; + + if (1 != + sscanf (date_ms_str, + "%llu%c", + &ll, + &dummy)) + { + GNUNET_break_op (0); return TALER_MHD_reply_with_error (connection, MHD_HTTP_BAD_REQUEST, TALER_EC_GENERIC_PARAMETER_MALFORMED, - "date"); + "date_ms"); + } + of.date.abs_value_us = ll * GNUNET_TIME_UNIT_MILLISECONDS.rel_value_us; + if (of.date.abs_value_us / GNUNET_TIME_UNIT_MILLISECONDS.rel_value_us != + ll) + { + /* overflow during multiplication detected */ + GNUNET_break_op (0); + return TALER_MHD_reply_with_error (connection, + MHD_HTTP_BAD_REQUEST, + TALER_EC_GENERIC_PARAMETER_MALFORMED, + "date_ms"); + } } } { -- cgit v1.2.3
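Review bot: `%llu` accepts leading whitespace and a leading `-`, so the `date_ms` check does not restrict the argument to plain decimal digits; a signed value is converted as by `strtoull` and wraps into the unsigned range. The multiplication overflow test that follows rejects most wrapped values, but not all of them, since a minus sign in front of a number near the top of the range wraps to a small timestamp. A guard ahead of the `sscanf`, `if (! isdigit ((unsigned char) date_ms_str[0]))`, returning the same `TALER_EC_GENERIC_PARAMETER_MALFORMED` reply, would close this (it needs `<ctype.h>`, whose inclusion is not visible here). The two identical `date_ms` error replies could share one exit path; the enclosing function continues outside the hunk.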