Fix submit-event.php crash on non-numeric date fields#1970
Open
svpernova09 wants to merge 1 commit into
Open
Conversation
The event submission form passed $_POST date/recurrence fields straight to checkdate() and mktime(). Under PHP 8 these require int, so any non-numeric string or array value (bots and scanners fuzzing the form) threw an uncaught TypeError -- 9,393 fatals in a 15-day window. Normalize the numeric fields to integers at the input boundary via a new testable phpweb\Events\EventInput::normalizeNumericFields(); non-numeric input becomes 0, an invalid date the existing validation already rejects. Add unit tests for the normalization and a regression test that the normalized values are safe to pass to checkdate().
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix
submit-event.phpcrash on non-numeric date fieldsSummary
submit-event.phpthrows an uncaughtTypeErrorwhenever a date or recurrencefield is submitted as something other than a number. The raw
$_POSTvalues arepassed straight into
checkdate()(andmktime()), which under PHP 8 requireint, so any non-numeric string or array value throws.This was the third-largest source of PHP fatals on www.php.net in a recent 15-day
window of production logs: 9,393 fatal errors, driven by bots and scanners
fuzzing the submission form.
This PR normalizes the numeric event fields to integers at the input boundary,
using a new unit-tested
phpweb\Events\EventInputhelper.The bug
On entry the page only maps empty date fields to
0; a non-empty, non-numericvalue passes through unchanged:
The values are then handed directly to
checkdate():Under PHP 8,
checkdate(int $month, int $day, int $year)rejects a non-numericstring such as
"January"(or an array from?smonth[]=x) with aTypeErrorrather than coercing it.
mktime()on the following lines has the sameconstraint; it never crashes only because
checkdate()throws first.Evidence from production logs
The fatal (
error.log, client IP redacted):Volume: 9,393 fatals (30 Jun to 14 Jul 2026). They are bursty: 6,856 (73%)
landed on 30 Jun during one campaign.
It hits every date argument, at both
checkdate()calls:$day)$year)$month)stringarraysubmit-event.php:84(start date)submit-event.php:94(multi-day end date)Root cause
Untrusted
$_POSTdate fields are passed to type-strict core functions withoutbeing coerced to
int. The empty-to-0normalization only covers missing values,not garbage ones.
The fix
Coerce the numeric event fields to integers at the input boundary. Anything that
is not a numeric value becomes
0, an invalid date that the existing formvalidation already rejects with a friendly "you must specify a valid start date"
message:
EventInput::normalizeNumericFields()usesis_numeric()before casting, sonon-numeric strings, arrays, and missing values all become
0(rather than, forexample,
(int) "12abc"yielding12). This protects both thecheckdate()andthe
mktime()calls, and it replaces the old empty-only loop. Behavior for validnumeric input is unchanged.
The logic lives in a small
src/class so it can be unit-tested, following theexisting
LangChooserpattern; the page script cannot be exercised directly.Testing
tests/Unit/Events/EventInputTest.php: 6 tests covering numeric-stringcoercion, non-numeric strings to
0, array values to0, missing fields to0, non-numeric fields left untouched, and a regression test that thenormalized values are safe to pass to
checkdate()without aTypeError.(
smonth=January&sday=abc), an array field (smonth[]=x), a multi-day eventwith a non-numeric end date, a valid submission, and the empty GET form all
return HTTP 200 with the form rendered and no fatals in the server log.