From 206bcebdb73569136af9aba68e591721409acda6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20B=C3=B6hmer?= Date: Sat, 9 Mar 2024 00:11:00 +0100 Subject: [PATCH] Forbid users to select dates after 2038 on 32-bit systems to prevent errors caused by Year2038 bug See discussion #548 and #549 --- .docker/symfony.conf | 2 +- .env | 2 + docs/configuration.md | 4 + src/Entity/Parts/PartLot.php | 2 + src/Entity/UserSystem/ApiToken.php | 2 + .../Constraints/Year2038BugWorkaround.php | 41 ++++++++++ .../Year2038BugWorkaroundValidator.php | 74 ++++++++++++++++++ translations/validators.en.xlf | 76 ++++++++++--------- 8 files changed, 167 insertions(+), 36 deletions(-) create mode 100644 src/Validator/Constraints/Year2038BugWorkaround.php create mode 100644 src/Validator/Constraints/Year2038BugWorkaroundValidator.php diff --git a/.docker/symfony.conf b/.docker/symfony.conf index 3c2e6ca3..66893aee 100644 --- a/.docker/symfony.conf +++ b/.docker/symfony.conf @@ -25,7 +25,7 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined # Pass the configuration from the docker env to the PHP environment (here you should list all .env options) - PassEnv APP_ENV APP_DEBUG APP_SECRET REDIRECT_TO_HTTPS + PassEnv APP_ENV APP_DEBUG APP_SECRET REDIRECT_TO_HTTPS DISABLE_YEAR2038_BUG_CHECK PassEnv TRUSTED_PROXIES TRUSTED_HOSTS LOCK_DSN PassEnv DATABASE_URL ENFORCE_CHANGE_COMMENTS_FOR DATABASE_MYSQL_USE_SSL_CA DATABASE_MYSQL_SSL_VERIFY_CERT PassEnv DEFAULT_LANG DEFAULT_TIMEZONE BASE_CURRENCY INSTANCE_NAME ALLOW_ATTACHMENT_DOWNLOADS USE_GRAVATAR MAX_ATTACHMENT_FILE_SIZE DEFAULT_URI CHECK_FOR_UPDATES ATTACHMENT_DOWNLOAD_BY_DEFAULT diff --git a/.env b/.env index a7faf70b..8e48085e 100644 --- a/.env +++ b/.env @@ -248,6 +248,8 @@ BANNER="" APP_ENV=prod APP_SECRET=a03498528f5a5fc089273ec9ae5b2849 +# Set this to zero, if you want to disable the year 2038 bug check on 32-bit systems (it will cause errors with current 32-bit PHP versions) +DISABLE_YEAR2038_BUG_CHECK=0 # Set the trusted IPs here, when using an reverse proxy #TRUSTED_PROXIES=127.0.0.0/8,::1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 diff --git a/docs/configuration.md b/docs/configuration.md index a251ca3d..8990e9a7 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -206,6 +206,10 @@ See the [information providers]({% link usage/information_provider_system.md %}) mode. (**You should not do this on a publicly accessible server, as it will leak sensitive information!**) * `BANNER`: You can configure the text that should be shown as the banner on the homepage. Useful especially for docker containers. In all other applications you can just change the `config/banner.md` file. +* `DISABLE_YEAR2038_BUG_CHECK`: If set to `1`, the year 2038 bug check is disabled on 32-bit systems, and dates after +2038 are no longer forbidden. However this will lead to 500 error messages when rendering dates after 2038 as all current +32-bit PHP versions can not format these dates correctly. This setting is for the case that future PHP versions will +handle this correctly on 32-bit systems. 64-bit systems are not affected by this bug, and the check is always disabled. ## Banner diff --git a/src/Entity/Parts/PartLot.php b/src/Entity/Parts/PartLot.php index 2c07f349..5a5ecb80 100644 --- a/src/Entity/Parts/PartLot.php +++ b/src/Entity/Parts/PartLot.php @@ -37,6 +37,7 @@ use ApiPlatform\Metadata\Patch; use ApiPlatform\Metadata\Post; use ApiPlatform\Serializer\Filter\PropertyFilter; use App\ApiPlatform\Filter\LikeFilter; +use App\Validator\Constraints\Year2038BugWorkaround; use Doctrine\DBAL\Types\Types; use App\Entity\Base\AbstractDBElement; use App\Entity\Base\TimestampTrait; @@ -109,6 +110,7 @@ class PartLot extends AbstractDBElement implements TimeStampableInterface, Named */ #[Groups(['extended', 'full', 'import', 'part_lot:read', 'part_lot:write'])] #[ORM\Column(name: 'expiration_date', type: Types::DATETIME_MUTABLE, nullable: true)] + #[Year2038BugWorkaround] protected ?\DateTimeInterface $expiration_date = null; /** diff --git a/src/Entity/UserSystem/ApiToken.php b/src/Entity/UserSystem/ApiToken.php index dacb8223..cd73de90 100644 --- a/src/Entity/UserSystem/ApiToken.php +++ b/src/Entity/UserSystem/ApiToken.php @@ -32,6 +32,7 @@ use App\Entity\Base\TimestampTrait; use App\Entity\Contracts\TimeStampableInterface; use App\Repository\UserSystem\ApiTokenRepository; use App\State\CurrentApiTokenProvider; +use App\Validator\Constraints\Year2038BugWorkaround; use Doctrine\DBAL\Types\Types; use Doctrine\ORM\Mapping as ORM; use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity; @@ -76,6 +77,7 @@ class ApiToken implements TimeStampableInterface #[ORM\Column(type: Types::DATETIME_MUTABLE, nullable: true)] #[Groups('token:read')] + #[Year2038BugWorkaround] private ?\DateTimeInterface $valid_until; #[ORM\Column(length: 68, unique: true)] diff --git a/src/Validator/Constraints/Year2038BugWorkaround.php b/src/Validator/Constraints/Year2038BugWorkaround.php new file mode 100644 index 00000000..04a07908 --- /dev/null +++ b/src/Validator/Constraints/Year2038BugWorkaround.php @@ -0,0 +1,41 @@ +. + */ + +declare(strict_types=1); + + +namespace App\Validator\Constraints; + +use Symfony\Component\Validator\Constraint; + +/** + * Datetime interfaces properties with this constraint are limited to the year 2038 on 32-bit systems, to prevent a + * Year 2038 bug during rendering. + * + * Current PHP versions can not format dates after 2038 on 32-bit systems and throw an exception. + * (See https://github.com/Part-DB/Part-DB-server/discussions/548). + * + * This constraint does not fix that problem, but can prevent users from entering such invalid dates. + */ +#[\Attribute(\Attribute::TARGET_PROPERTY)] +class Year2038BugWorkaround extends Constraint +{ + public string $message = 'validator.year_2038_bug_on_32bit'; +} \ No newline at end of file diff --git a/src/Validator/Constraints/Year2038BugWorkaroundValidator.php b/src/Validator/Constraints/Year2038BugWorkaroundValidator.php new file mode 100644 index 00000000..747721f9 --- /dev/null +++ b/src/Validator/Constraints/Year2038BugWorkaroundValidator.php @@ -0,0 +1,74 @@ +. + */ + +declare(strict_types=1); + + +namespace App\Validator\Constraints; + +use Symfony\Component\DependencyInjection\Attribute\Autowire; +use Symfony\Component\Validator\Constraint; +use Symfony\Component\Validator\ConstraintValidator; +use Symfony\Component\Validator\Exception\UnexpectedTypeException; + +class Year2038BugWorkaroundValidator extends ConstraintValidator +{ + + public function __construct( + #[Autowire(env: "DISABLE_YEAR2038_BUG_CHECK")] + private readonly bool $disable_validation = false + ) + { + } + + public function isActivated(): bool + { + //If we are on a 32 bit system and the validation is not disabled, we should activate the validation + return !$this->disable_validation && PHP_INT_SIZE === 4; + } + + public function validate(mixed $value, Constraint $constraint): void + { + if (!$this->isActivated()) { + return; + } + + //If the value is null, we don't need to validate it + if ($value === null) { + return; + } + + //Ensure that we check the correct constraint + if (!$constraint instanceof Year2038BugWorkaround) { + throw new \InvalidArgumentException('This validator can only validate Year2038Bug constraints'); + } + + //We can only validate DateTime objects + if (!$value instanceof \DateTimeInterface) { + throw new UnexpectedTypeException($value, \DateTimeInterface::class); + } + + //If we reach here the validation is active and we should forbid any date after 2038. + if ($value->diff(new \DateTime('2038-01-19 03:14:06'))->invert === 1) { + $this->context->buildViolation($constraint->message) + ->addViolation(); + } + } +} \ No newline at end of file diff --git a/translations/validators.en.xlf b/translations/validators.en.xlf index 3a6a7485..cec89ea6 100644 --- a/translations/validators.en.xlf +++ b/translations/validators.en.xlf @@ -37,7 +37,7 @@ Part-DB1\src\Entity\UserSystem\Group.php:0 Part-DB1\src\Entity\UserSystem\User.php:0 - + part.master_attachment.must_be_picture The preview attachment must be a valid picture! @@ -82,7 +82,7 @@ src\Entity\StructuralDBElement.php:0 src\Entity\Supplier.php:0 - + structural.entity.unique_name An element with this name already exists on this level! @@ -102,7 +102,7 @@ Part-DB1\src\Entity\Parameters\StorelocationParameter.php:0 Part-DB1\src\Entity\Parameters\SupplierParameter.php:0 - + parameters.validator.min_lesser_typical Value must be lesser or equal the the typical value ({{ compared_value }}). @@ -122,7 +122,7 @@ Part-DB1\src\Entity\Parameters\StorelocationParameter.php:0 Part-DB1\src\Entity\Parameters\SupplierParameter.php:0 - + parameters.validator.min_lesser_max Value must be lesser than the maximum value ({{ compared_value }}). @@ -142,7 +142,7 @@ Part-DB1\src\Entity\Parameters\StorelocationParameter.php:0 Part-DB1\src\Entity\Parameters\SupplierParameter.php:0 - + parameters.validator.max_greater_typical Value must be greater or equal than the typical value ({{ compared_value }}). @@ -152,7 +152,7 @@ Part-DB1\src\Entity\UserSystem\User.php:0 Part-DB1\src\Entity\UserSystem\User.php:0 - + validator.user.username_already_used A user with this name is already exisiting @@ -162,7 +162,7 @@ Part-DB1\src\Entity\UserSystem\User.php:0 Part-DB1\src\Entity\UserSystem\User.php:0 - + user.invalid_username The username must contain only letters, numbers, underscores, dots, pluses or minuses! @@ -171,7 +171,7 @@ obsolete - + validator.noneofitschild.self An element can not be its own parent! @@ -180,166 +180,172 @@ obsolete - + validator.noneofitschild.children You can not assign children element as parent (This would cause loops)! - + validator.select_valid_category Please select a valid category! - + validator.part_lot.only_existing Can not add new parts to this location as it is marked as "Only Existing" - + validator.part_lot.location_full.no_increase Location is full. Amount can not be increased (new value must be smaller than {{ old_amount }}). - + validator.part_lot.location_full Location is full. Can not add new parts to it. - + validator.part_lot.single_part This location can only contain a single part and it is already full! - + validator.attachment.must_not_be_null You must select an attachment type! - + validator.orderdetail.supplier_must_not_be_null You must select an supplier! - + validator.measurement_unit.use_si_prefix_needs_unit To enable SI prefixes, you have to set a unit symbol! - + part.ipn.must_be_unique The internal part number must be unique. {{ value }} is already in use! - + validator.project.bom_entry.name_or_part_needed You have to choose a part for a part BOM entry or set a name for a non-part BOM entry. - + project.bom_entry.name_already_in_bom There is already an BOM entry with this name! - + project.bom_entry.part_already_in_bom This part already exists in the BOM! - + project.bom_entry.mountnames_quantity_mismatch The number of mountnames has to match the BOMs quantity! - + project.bom_entry.can_not_add_own_builds_part You can not add a project's own builds part to the BOM. - + project.bom_has_to_include_all_subelement_parts The project BOM has to include all subprojects builds parts. Part %part_name% of project %project_name% missing! - + project.bom_entry.price_not_allowed_on_parts Prices are not allowed on BOM entries associated with a part. Define the price on the part instead. - + validator.project_build.lot_bigger_than_needed You have selected more quantity to withdraw than needed! Remove unnecessary quantity. - + validator.project_build.lot_smaller_than_needed You have selected less quantity to withdraw than needed for the build! Add additional quantity. - + part.name.must_match_category_regex The part name does not match the regular expression stated by the category: %regex% - + validator.attachment.name_not_blank Set a value here, or upload a file to automatically use its filename as name for the attachment. - + validator.part_lot.owner_must_match_storage_location_owner The owner of this lot must match the owner of the selected storage location (%owner_name%)! - + validator.part_lot.owner_must_not_be_anonymous A lot owner must not be the anonymous user! - + validator.part_association.must_set_an_value_if_type_is_other If you set the type to "other", then you have to set a descriptive value for it! - + validator.part_association.part_cannot_be_associated_with_itself A part can not be associated with itself! - + validator.part_association.already_exists The association with this part already exists! - + validator.part_lot.vendor_barcode_must_be_unique This vendor barcode value was already used in another lot. The barcode must be unique! + + + validator.year_2038_bug_on_32bit + Due to technical limitations, it is not possible to select dates after the 2038-01-19 on 32-bit systems! + +