Acknowledgements
Describe the bug
Analysis of the problem by Claude
For logged-in users, reservation.php has no URI parameter validation, so passing an invalid sd or ed value causes an unhandled exception and a generic server error page.
The problem is that invalid sd/ed values are passed unchecked to NewReservationPage::GetStartDate() and GetEndDate() which call new Date($dateTimeString, $timezone), which calls new DateTime($timestring) without try/catch.
To Reproduce
- Navigate to reservation.php with a malformed sd parameter, e.g.: reservation.php?sd=&ed=
- A generic server error is displayed (rather than just a redirect, as in guest mode)
Expected behavior
Invalid date strings passed via query string parameters should be caught gracefully (redirect to reservation) rather than causing a generic server error.
Screenshots
No response
Additional context
Unlike guest users who go through GuestReservationPage which validates parameters via ParamsValidator, logged-in users have no URI parameter validation on reservation.php. The fix should either:
So the issue spans multiple files:
- Pages/Reservation/NewReservationPage.php — reads raw query string without validation
- lib/Common/Date.php — no try/catch around new DateTime()
But the root cause is the missing ParamsValidator in ReservationPage — if validation was there like in GuestReservationPage.
LibreBooking version
0b65c4e
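An added example, not LibreBooking code and not part of the original report: one way to parse the sd and ed query parameters so that a malformed value leads to a redirect decision instead of an uncaught exception from the DateTime constructor. The helper name parseDateParam, the 64-character cap and the UTC timezone are assumptions for illustration; it requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not LibreBooking code): parse an untrusted date
 * query parameter, returning null instead of letting the constructor throw.
 */
function parseDateParam(mixed $raw, string $timezone): ?DateTimeImmutable
{
    // Query parameters can be absent or arrive as arrays (?sd[]=x).
    if (!is_string($raw)) {
        return null;
    }
    $raw = trim($raw);
    // Reject empty or oversized values up front instead of relying on
    // how the date parser happens to treat them (the cap is an assumption).
    if ($raw === '' || strlen($raw) > 64) {
        return null;
    }
    try {
        return new DateTimeImmutable($raw, new DateTimeZone($timezone));
    } catch (Exception $e) {
        // Malformed date string or unknown timezone: treat as invalid input.
        return null;
    }
}

// Constructed sample inputs standing in for $_GET on reservation.php.
$samples = [
    ['sd' => '2024-05-01 09:00:00', 'ed' => '2024-05-01 10:00:00'],
    ['sd' => '', 'ed' => ''],
    ['sd' => 'not-a-date', 'ed' => '2024-05-01 10:00:00'],
    ['sd' => ['x'], 'ed' => '2024-05-01 10:00:00'],
    ['ed' => '2024-05-01 10:00:00'],
];

foreach ($samples as $query) {
    $start = parseDateParam($query['sd'] ?? null, 'UTC');
    $end = parseDateParam($query['ed'] ?? null, 'UTC');
    // A real page would redirect here; the example only reports the decision.
    $ok = $start !== null && $end !== null;
    echo json_encode($query), ' => ', $ok ? 'render form' : 'redirect', PHP_EOL;
}
```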