From 59c677ba12365f0ed2996005fcc6ce1281069be9 Mon Sep 17 00:00:00 2001
From: Daniel Friesel
Date: Sat, 11 May 2019 01:35:57 +0200
Subject: history: validate year and month
---
 lib/Travelynx/Controller/Traveling.pm | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/lib/Travelynx/Controller/Traveling.pm b/lib/Travelynx/Controller/Traveling.pm
index ee94913..3d2bb0c 100755
--- a/lib/Travelynx/Controller/Traveling.pm
+++ b/lib/Travelynx/Controller/Traveling.pm
@@ -360,7 +360,10 @@ sub yearly_history {
 my @journeys;
 my $stats;
- if ( not $year =~ m{ ^ [0-9]{4} $ }x ) {
+ # DateTime is very slow when looking far into the future due to DST changes
+ # -> Limit time range to avoid accidental DoS.
+ if ( not( $year =~ m{ ^ [0-9]{4} $ }x and $year > 1990 and $year < 2100 ) )
+ {
 @journeys = $self->get_user_travels;
 }
 else {
@@ -409,7 +412,14 @@ sub monthly_history {
 qw(Januar Februar März April Mai Juni Juli August September Oktober November Dezember)
 );
- if ( not( $year =~ m{ ^ [0-9]{4} $ }x and $month =~ m{ ^ [0-9]{1,2} $ }x ) )
+ if (
+ not( $year =~ m{ ^ [0-9]{4} $ }x
+ and $year > 1990
+ and $year < 2100
+ and $month =~ m{ ^ [0-9]{1,2} $ }x
+ and $month > 0
+ and $month < 13 )
+ )
 {
 @journeys = $self->get_user_travels;
 }
-- 
cgit v1.2.3
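Review bot: The `$` anchor in `m{ ^ [0-9]{4} $ }x` also matches before a trailing newline, so a four-digit value followed by a newline passes the pattern and, as far as I can tell, the numeric range comparisons in the new condition as well, leaving the unnormalised string to flow into the else branch. Anchoring the whole string closes that gap: `$year =~ m{ \A [0-9]{4} \z }x`. The same applies to the year and month patterns in the monthly_history hunk (`m{ \A [0-9]{1,2} \z }x` for the month). Where $year is read from is not visible here, so whether a newline can actually reach it should be confirmed against the route definition; yearly_history's body continues outside the hunk.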
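Review bot: The year bounds 1990 and 2100 are now hard-coded in both yearly_history and monthly_history, and only the yearly_history copy carries the comment explaining them as a DoS guard. A reader of this condition cannot tell that the range is a performance limit rather than a data constraint, so the rationale should be repeated above the `if (`, e.g. `# Same bounds as yearly_history: DateTime is slow far in the future (DoS guard).`. Moving the year check into one shared private helper would additionally keep the two ranges from drifting apart. monthly_history's body starts and ends outside the hunk.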