1246781 - Replace Date::Format and Date::Parse from TimeDate by DateTime::Format::Strptime

Status: NEW

(Bugzilla :: Installation & Upgrading, enhancement)

Description

[Frédéric Buclin]

While testing a patch, I found an easy way to crash Bugzilla:

https://bugzilla.mozilla.org/process_bug.cgi?id=35&delta_ts=2016-01-01+24:00:00
https://landfill.bugzilla.org/bugzilla-tip/process_bug.cgi?id=1&delta_ts=2016-01-01+24:00:00

This is because Date::Parse::strptime() blindly accepts invalid dates and times, as long as they match some regexp, and when we pass them to DateTime->new(), it dies complaining that we tried to pass an illegal date+time. Having to validate the input date ourselves would be painful, especially with DST.

Also, http://search.cpan.org/~gbarr/TimeDate/lib/Date/Parse.pm#LIMITATION warns that "Date::Parse uses Time::Local internally, so is limited to only parsing dates which result in valid values for Time::Local::timelocal. This generally means dates between 1901-12-17 00:00:00 GMT and 2038-01-16 23:59:59 GMT"

2038 is not that far in the future, and replacing this old module (it got only one update since 2009) by something more robust seems a good idea. A quick look on CPAN seems to indicate that DateTime::Format::Strptime would be a good alternative. First of all, its maintainer is the same maintainer as DateTime and DateTime::TimeZone, and secondly if you pass a valid date, you immediately get a DateTime object (no need to create it ourselves) and if you pass an invalid date, you get an undefined value, which is easy to test ($foo || ThrowUserError(...)).