From 724a40f316b3568e3bc6f4fee3a580e918db2188 Mon Sep 17 00:00:00 2001
From: plegall <plg@piwigo.org>
Date: Mon, 28 Oct 2024 18:45:04 +0100
Subject: [PATCH] fixes #2197 pwg.users.getList check user input
 min_register/max_register

---
 include/ws_functions/pwg.users.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php
index b0d4dfc45..220722be1 100644
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@@ -77,6 +77,11 @@ function ws_users_getList($params, &$service)
 
 
   if (!empty($params['min_register'])) {
+    if (!preg_match('/^\d\d\d\d(-\d{1,2}){0,2}$/', $params['min_register']))
+    {
+      return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid input parameter min_register');
+    }
+
     $date_tokens = explode('-', $params['min_register']);
     $min_register_year = $date_tokens[0];
     $min_register_month = $date_tokens[1] ?? 1;
@@ -87,6 +92,11 @@ function ws_users_getList($params, &$service)
 
 
   if (!empty($params['max_register'])) {
+    if (!preg_match('/^\d\d\d\d(-\d{1,2}){0,2}$/', $params['max_register']))
+    {
+      return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid input parameter max_register');
+    }
+
     $max_date_tokens = explode('-', $params['max_register']);
     $max_register_year = $max_date_tokens[0];
     $max_register_month = $max_date_tokens[1] ?? 12;