From e7d74b8f9edc31025ee3176632cb01090f92857a Mon Sep 17 00:00:00 2001
From: jynbil1
Date: Sun, 17 May 2026 13:29:56 +0900
Subject: [PATCH] Harden fullcalendar event errors
---
 .../data/fullcalendar/php/get-events.php | 32 ++++++++++++++++---
 tests/check-fullcalendar-event-errors.sh | 17 ++++++++++
 2 files changed, 44 insertions(+), 5 deletions(-)
 create mode 100644 tests/check-fullcalendar-event-errors.sh
diff --git a/frontend/web/app-assets/data/fullcalendar/php/get-events.php b/frontend/web/app-assets/data/fullcalendar/php/get-events.php
index 5b7b388c7..d4892c8df 100644
--- a/frontend/web/app-assets/data/fullcalendar/php/get-events.php
+++ b/frontend/web/app-assets/data/fullcalendar/php/get-events.php
@@ -12,21 +12,40 @@
 // Require our Event class and datetime utilities
 require dirname(__FILE__) . '/utils.php';
 
+function sendJsonError($message, $statusCode = 400) {
+ if (!headers_sent()) {
+ header('Content-Type: application/json');
+ header('HTTP/1.1 ' . $statusCode . ' Bad Request');
+ }
+ echo json_encode(array(
+ 'error' => $message
+ ));
+ exit;
+}
+
 // Short-circuit if the client did not give us a date range.
 if (!isset($_GET['start']) || !isset($_GET['end'])) {
- die("Please provide a date range.");
+ sendJsonError('Please provide a valid date range.');
 }
 
 // Parse the start/end parameters.
 // These are assumed to be ISO8601 strings with no time nor timezone, like "2013-12-29".
 // Since no timezone will be present, they will parsed as UTC.
-$range_start = parseDateTime($_GET['start']);
-$range_end = parseDateTime($_GET['end']);
+try {
+ $range_start = parseDateTime($_GET['start']);
+ $range_end = parseDateTime($_GET['end']);
+} catch (Exception $e) {
+ sendJsonError('Please provide a valid date range.');
+}
 
 // Parse the timezone parameter if it is present.
 $timezone = null;
 if (isset($_GET['timezone'])) {
- $timezone = new DateTimeZone($_GET['timezone']);
+ try {
+ $timezone = new DateTimeZone($_GET['timezone']);
+ } catch (Exception $e) {
+ sendJsonError('Please provide a valid timezone.');
+ }
 }
 
 // Read and parse our events JSON file into an array of event data arrays.
@@ -47,4 +66,7 @@
 }
 
 // Send JSON to the client.
-echo json_encode($output_arrays);
\ No newline at end of file
+if (!headers_sent()) {
+ header('Content-Type: application/json');
+}
+echo json_encode($output_arrays);
diff --git a/tests/check-fullcalendar-event-errors.sh b/tests/check-fullcalendar-event-errors.sh
new file mode 100644
index 000000000..21f60b8a0
--- /dev/null
+++ b/tests/check-fullcalendar-event-errors.sh
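Review bot: The new `catch (Exception $e)` blocks around `parseDateTime()` and `new DateTimeZone()` do not cover array-valued query parameters: on PHP 7 and later a non-string argument to `DateTimeZone::__construct()` raises `TypeError`, which extends `Error` rather than `Exception`, so such a request would still end in an uncaught fatal error instead of the JSON 400 (`parseDateTime()` lives in utils.php outside this diff, so the same is only presumed for `start`/`end`). Rejecting non-strings up front closes that gap, e.g. `if (!isset($_GET['start'], $_GET['end']) || !is_string($_GET['start']) || !is_string($_GET['end'])) {`, plus an `is_string()` test before building the timezone. Separately, `sendJsonError()` accepts a `$statusCode` but always appends `' Bad Request'` and assumes HTTP/1.1; `http_response_code($statusCode);` (PHP 5.4+) keeps the status line consistent for any code.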
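Review bot: In the final hunk, `json_encode($output_arrays)` returns `false` when encoding fails (for instance on invalid UTF-8 in event text), and with the new header the client then receives an empty body labelled `application/json`. Capturing the result and checking it before the `echo`, `$json = json_encode($output_arrays);` followed by `if ($json === false) { /* send a JSON error with a 5xx status */ }`, would make that failure visible to the caller. The loop that builds `$output_arrays` lies outside this hunk, so whether its data can contain unencodable values is not visible here.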
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+target="frontend/web/app-assets/data/fullcalendar/php/get-events.php"
+
+grep -q "function sendJsonError" "$target"
+grep -q "Content-Type: application/json" "$target"
+grep -q "Please provide a valid date range." "$target"
+grep -q "Please provide a valid timezone." "$target"
+grep -Fq 'catch (Exception $e)' "$target"
+
+if grep -q "die(\"Please provide a date range.\")" "$target"; then
+ echo "fullcalendar event endpoint still hard-stops with plain text" >&2
+ exit 1
+fi
+
+echo "FullCalendar event error guard passed."
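Review bot: These checks only assert that certain strings occur in get-events.php, so the script passes even if the error path is unreachable or the file no longer parses; adding at least `php -l "$target"` would catch the latter. Because of `set -e`, a failing `grep -q` ends the script with no message saying which pattern was missing, so a short `|| { echo "missing: ..." >&2; exit 1; }` on each check would make failures diagnosable. The four `grep -q` patterns are treated as regular expressions (the `.` matches any character), whereas the `catch` check already uses `-F`; using `-F` throughout would make them literal. `target` is a relative path, so the script only works when run from the repository root, and the file is added with mode 100644, so it has to be invoked through `bash`.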