From a95c5a9bbab8df76b8140160100253676385bc59 Mon Sep 17 00:00:00 2001
From: ahnaguib <ahnaguib@gmail.com>
Date: Fri, 26 Apr 2019 15:55:26 -0700
Subject: [PATCH 1/2] Set maximum limit for reportExpirationTimeSec

---
 contracts/MedianOracle.sol | 6 ++++++
 test/unit/market_oracle.js | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/contracts/MedianOracle.sol b/contracts/MedianOracle.sol
index 4a22127..f5dbc30 100644
--- a/contracts/MedianOracle.sol
+++ b/contracts/MedianOracle.sol
@@ -45,11 +45,16 @@ contract MedianOracle is Ownable, IOracle {
 
     uint256 public minimumProviders = 1;
 
+    // Timestamp of 1 is used to mark uninitialized and invalidated data.
+    // This is needed so that timestamp of 1 is always considered expired.
+    uint256 private constant MAX_REPORT_EXPIRATION_TIME = 10 years;
+
     constructor(uint256 reportExpirationTimeSec_,
                 uint256 reportDelaySec_,
                 uint256 minimumProviders_)
         public
     {
+        require(reportExpirationTimeSec_ < MAX_REPORT_EXPIRATION_TIME);
         require(minimumProviders_ > 0);
         reportExpirationTimeSec = reportExpirationTimeSec_;
         reportDelaySec = reportDelaySec_;
@@ -60,6 +65,7 @@ contract MedianOracle is Ownable, IOracle {
         external
         onlyOwner
     {
+        require(reportExpirationTimeSec_ < MAX_REPORT_EXPIRATION_TIME);
         reportExpirationTimeSec = reportExpirationTimeSec_;
     }
 
diff --git a/test/unit/market_oracle.js b/test/unit/market_oracle.js
index 69edf63..16938b6 100644
--- a/test/unit/market_oracle.js
+++ b/test/unit/market_oracle.js
@@ -26,7 +26,10 @@ contract('MedianOracle:constructor', async function (accounts) {
   });
 
   it('should fail if a parameter is invalid', async function () {
+    expect(await chain.isEthException(oracle = await MedianOracle.new(60, 10, 1))).to.be.false;
     expect(await chain.isEthException(MedianOracle.new(60, 10, 0))).to.be.true;
+    expect(await chain.isEthException(MedianOracle.new(60 * 60 * 24 * 365 * 11, 10, 1))).to.be.true;
+    expect(await chain.isEthException(oracle.setReportExpirationTimeSec(60 * 60 * 24 * 365 * 11))).to.be.true;
   });
 });
 

From 8e6ade4546c84b6032e43686e0a601ee6bca9ca3 Mon Sep 17 00:00:00 2001
From: ahnaguib <ahnaguib@gmail.com>
Date: Mon, 29 Apr 2019 14:28:40 -0700
Subject: [PATCH 2/2] Set maximum limit to reportExpirationTimeSec

---
 contracts/MedianOracle.sol | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/contracts/MedianOracle.sol b/contracts/MedianOracle.sol
index f5dbc30..9d07621 100644
--- a/contracts/MedianOracle.sol
+++ b/contracts/MedianOracle.sol
@@ -54,7 +54,7 @@ contract MedianOracle is Ownable, IOracle {
                 uint256 minimumProviders_)
         public
     {
-        require(reportExpirationTimeSec_ < MAX_REPORT_EXPIRATION_TIME);
+        require(reportExpirationTimeSec_ <= MAX_REPORT_EXPIRATION_TIME);
         require(minimumProviders_ > 0);
         reportExpirationTimeSec = reportExpirationTimeSec_;
         reportDelaySec = reportDelaySec_;
@@ -65,7 +65,7 @@ contract MedianOracle is Ownable, IOracle {
         external
         onlyOwner
     {
-        require(reportExpirationTimeSec_ < MAX_REPORT_EXPIRATION_TIME);
+        require(reportExpirationTimeSec_ <= MAX_REPORT_EXPIRATION_TIME);
         reportExpirationTimeSec = reportExpirationTimeSec_;
     }