e-smith-ntp/sme10/e-smith-ntp-2.6.0-bz12107-untainting.patch

diff -Nur --no-dereference e-smith-ntp-2.6.0.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/datetime e-smith-ntp-2.6.0/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/datetime
--- e-smith-ntp-2.6.0.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/datetime      2008-10-07 13:36:26.000000000 -0400
+++ e-smith-ntp-2.6.0/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/datetime  2022-07-17 01:13:29.536000000 -0400
@@ -151,6 +151,14 @@
       <trans>Error: invalid second</trans>
     </entry>
     <entry>
+      <base>INVALID_MONTH</base>
+      <trans>Error: invalid month</trans>
+    </entry>
+    <entry>
+      <base>MONTH_BETWEEN_1_AND_12</base>
+      <trans>Please choose a month value between 1 and 12.</trans>
+    </entry>
+    <entry>
       <base>UPDATING_CLOCK</base>
       <trans>
         <![CDATA[
diff -Nur --no-dereference e-smith-ntp-2.6.0.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/datetime.pm e-smith-ntp-2.6.0/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/datetime.pm
--- e-smith-ntp-2.6.0.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/datetime.pm  2013-02-02 01:58:58.000000000 -0500
+++ e-smith-ntp-2.6.0/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/datetime.pm      2022-07-17 01:11:58.059000000 -0400
@@ -498,21 +498,30 @@
     #--------------------------------------------------
 
     my $timezone = $q->param ('timezone');
-    if ($timezone =~ /^(.*)$/) {
+    if ($timezone =~ /^([\w\-]+\/?[\w\-+]*)$/) {
         $timezone = $1;
     } else {
         $timezone = "US/Eastern";
     }
 
     my $month = $q->param ('month');
-    if ($month =~ /^(.*)$/) {
+    if ($month =~ /^(\d{1,2})$/) {
         $month = $1;
     } else {
         $month = "1";
     }
+    if (($month < 1) || ($month > 12))
+    {
+        $q->param(-name => "status_message",
+            -value => $q->p($self->localise('INVALID_MONTH')." $month. ".
+                $self->localise('MONTH_BETWEEN_1_AND_12')));
+        return $self->error($self->localise('INVALID_MONTH')." $month. ".
+                $self->localise('MONTH_BETWEEN_1_AND_12'));
+    }
+
 
     my $day = $q->param ('day');
-    if ($day =~ /^(.*)$/) {
+    if ($day =~ /^(\d{1,2})$/) {
         $day = $1;
     } else {
         $day = "1";
@@ -522,11 +531,12 @@
         $q->param(-name => "status_message", 
            -value => $q->p($self->localise('INVALID_DAY')." $day. ".
                 $self->localise('BETWEEN_1_AND_31')));
-        return '';
+        return $self->error($self->localise('INVALID_DAY')." $day. ".
+                $self->localise('BETWEEN_1_AND_31'));
     }
 
     my $year = $q->param ('year');
-    if ($year =~ /^(.*)$/) {
+    if ($year =~ /^(\d{4})$/) {
         $year = $1;
     } else {
         $year = "2000";
@@ -536,11 +546,12 @@
         $q->param(-name => "status_message",
            -value => $q->p($self->localise('INVALID_YEAR')." $year. ".
                 $self->localise('FOUR_DIGIT_YEAR')));
-        return '';
+        return $self->error($self->localise('INVALID_YEAR')." $year. ".
+                $self->localise('FOUR_DIGIT_YEAR'));
     }
 
     my $hour = $q->param ('hour');
-    if ($hour =~ /^(.*)$/) {
+    if ($hour =~ /^(\d{1,2})$/) {
         $hour = $1;
     } else {
         $hour = "12";
@@ -550,11 +561,12 @@
         $q->param(-name => "status_message",
            -value => $q->p($self->localise('INVALID_HOUR')." $hour. ".
                 $self->localise('BETWEEN_1_AND_12')));
-        return '';
+        return $self->error($self->localise('INVALID_HOUR')." $hour. ".
+                $self->localise('BETWEEN_1_AND_12'));
     }
 
     my $minute = $q->param ('minute');
-    if ($minute =~ /^(.*)$/) {
+    if ($minute =~ /^(\d{1,2})$/) {
         $minute = $1;
     } else {
         $minute = "0";
@@ -564,11 +576,12 @@
         $q->param(-name => "status_message",
            -value => $q->p($self->localise('INVALID_MINUTE')." $minute. ".
                 $self->localise('BETWEEN_0_AND_59')));
-        return '';
+        return $self->error(self->localise('INVALID_MINUTE')." $minute. ".
+                $self->localise('BETWEEN_0_AND_59'));
     }
     
     my $second = $q->param ('second');
-    if ($second =~ /^(.*)$/) {
+    if ($second =~ /^(\d{1,2})$/) {
         $second = $1;
     } else {
         $second = "0";
@@ -578,11 +591,12 @@
         $q->param(-name => "status_message", 
            -value => $q->p($self->localise('INVALID_SECOND')." $second. ".
                 $self->localise('BETWEEN_0_AND_59')));
-        return '';
+        return $self->error($self->localise('INVALID_SECOND')." $second. ".
+                $self->localise('BETWEEN_0_AND_59'));
     }
 
     my $ampm = $q->param ('ampm');
-    if ($ampm =~ /^(.*)$/) {
+    if ($ampm =~ /^(AM|PM)$/) {
         $ampm = $1;
     } else {
         $ampm = "AM";
1	jpp	1.1	diff -Nur --no-dereference e-smith-ntp-2.6.0.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/datetime e-smith-ntp-2.6.0/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/datetime
2			--- e-smith-ntp-2.6.0.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/datetime 2008-10-07 13:36:26.000000000 -0400
3			+++ e-smith-ntp-2.6.0/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/datetime 2022-07-17 01:13:29.536000000 -0400
4			@@ -151,6 +151,14 @@
5			<trans>Error: invalid second</trans>
6			</entry>
7			<entry>
8			+ <base>INVALID_MONTH</base>
9			+ <trans>Error: invalid month</trans>
10			+ </entry>
11			+ <entry>
12			+ <base>MONTH_BETWEEN_1_AND_12</base>
13			+ <trans>Please choose a month value between 1 and 12.</trans>
14			+ </entry>
15			+ <entry>
16			<base>UPDATING_CLOCK</base>
17			<trans>
18			<![CDATA[
19			diff -Nur --no-dereference e-smith-ntp-2.6.0.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/datetime.pm e-smith-ntp-2.6.0/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/datetime.pm
20			--- e-smith-ntp-2.6.0.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/datetime.pm 2013-02-02 01:58:58.000000000 -0500
21			+++ e-smith-ntp-2.6.0/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/datetime.pm 2022-07-17 01:11:58.059000000 -0400
22			@@ -498,21 +498,30 @@
23			#--------------------------------------------------
24
25			my $timezone = $q->param ('timezone');
26			- if ($timezone =~ /^(.*)$/) {
27			+ if ($timezone =~ /^([\w\-]+\/?[\w\-+]*)$/) {
28			$timezone = $1;
29			} else {
30			$timezone = "US/Eastern";
31			}
32
33			my $month = $q->param ('month');
34			- if ($month =~ /^(.*)$/) {
35			+ if ($month =~ /^(\d{1,2})$/) {
36			$month = $1;
37			} else {
38			$month = "1";
39			}
40			+ if (($month < 1) \|\| ($month > 12))
41			+ {
42			+ $q->param(-name => "status_message",
43			+ -value => $q->p($self->localise('INVALID_MONTH')." $month. ".
44			+ $self->localise('MONTH_BETWEEN_1_AND_12')));
45			+ return $self->error($self->localise('INVALID_MONTH')." $month. ".
46			+ $self->localise('MONTH_BETWEEN_1_AND_12'));
47			+ }
48			+
49
50			my $day = $q->param ('day');
51			- if ($day =~ /^(.*)$/) {
52			+ if ($day =~ /^(\d{1,2})$/) {
53			$day = $1;
54			} else {
55			$day = "1";
56			@@ -522,11 +531,12 @@
57			$q->param(-name => "status_message",
58			-value => $q->p($self->localise('INVALID_DAY')." $day. ".
59			$self->localise('BETWEEN_1_AND_31')));
60			- return '';
61			+ return $self->error($self->localise('INVALID_DAY')." $day. ".
62			+ $self->localise('BETWEEN_1_AND_31'));
63			}
64
65			my $year = $q->param ('year');
66			- if ($year =~ /^(.*)$/) {
67			+ if ($year =~ /^(\d{4})$/) {
68			$year = $1;
69			} else {
70			$year = "2000";
71			@@ -536,11 +546,12 @@
72			$q->param(-name => "status_message",
73			-value => $q->p($self->localise('INVALID_YEAR')." $year. ".
74			$self->localise('FOUR_DIGIT_YEAR')));
75			- return '';
76			+ return $self->error($self->localise('INVALID_YEAR')." $year. ".
77			+ $self->localise('FOUR_DIGIT_YEAR'));
78			}
79
80			my $hour = $q->param ('hour');
81			- if ($hour =~ /^(.*)$/) {
82			+ if ($hour =~ /^(\d{1,2})$/) {
83			$hour = $1;
84			} else {
85			$hour = "12";
86			@@ -550,11 +561,12 @@
87			$q->param(-name => "status_message",
88			-value => $q->p($self->localise('INVALID_HOUR')." $hour. ".
89			$self->localise('BETWEEN_1_AND_12')));
90			- return '';
91			+ return $self->error($self->localise('INVALID_HOUR')." $hour. ".
92			+ $self->localise('BETWEEN_1_AND_12'));
93			}
94
95			my $minute = $q->param ('minute');
96			- if ($minute =~ /^(.*)$/) {
97			+ if ($minute =~ /^(\d{1,2})$/) {
98			$minute = $1;
99			} else {
100			$minute = "0";
101			@@ -564,11 +576,12 @@
102			$q->param(-name => "status_message",
103			-value => $q->p($self->localise('INVALID_MINUTE')." $minute. ".
104			$self->localise('BETWEEN_0_AND_59')));
105			- return '';
106			+ return $self->error(self->localise('INVALID_MINUTE')." $minute. ".
107			+ $self->localise('BETWEEN_0_AND_59'));
108			}
109
110			my $second = $q->param ('second');
111			- if ($second =~ /^(.*)$/) {
112			+ if ($second =~ /^(\d{1,2})$/) {
113			$second = $1;
114			} else {
115			$second = "0";
116			@@ -578,11 +591,12 @@
117			$q->param(-name => "status_message",
118			-value => $q->p($self->localise('INVALID_SECOND')." $second. ".
119			$self->localise('BETWEEN_0_AND_59')));
120			- return '';
121			+ return $self->error($self->localise('INVALID_SECOND')." $second. ".
122			+ $self->localise('BETWEEN_0_AND_59'));
123			}
124
125			my $ampm = $q->param ('ampm');
126			- if ($ampm =~ /^(.*)$/) {
127			+ if ($ampm =~ /^(AM\|PM)$/) {
128			$ampm = $1;
129			} else {
130			$ampm = "AM";