Eileen has uploaded a new change for review. https://gerrit.wikimedia.org/r/284127
Change subject: CRM-17983, CRM-18401 sanitise post params on activity tab
......................................................................
CRM-17983, CRM-18401 sanitise post params on activity tab
Change-Id: Ie26a0a89e0b830d1c41a7cbc989d769b9cc70ef7
---
M CRM/Activity/Page/AJAX.php
1 file changed, 24 insertions(+), 3 deletions(-)
  git pull ssh://gerrit.wikimedia.org:29418/wikimedia/fundraising/crm/civicrm refs/changes/27/284127/1
diff --git a/CRM/Activity/Page/AJAX.php b/CRM/Activity/Page/AJAX.php
index 9c79eae..63f59b2 100644
--- a/CRM/Activity/Page/AJAX.php
+++ b/CRM/Activity/Page/AJAX.php
@@ -474,7 +474,12 @@
     $sort = isset($_REQUEST['iSortCol_0']) ? CRM_Utils_Array::value(CRM_Utils_Type::escape($_REQUEST['iSortCol_0'], 'Integer'), $sortMapper) : NULL;
     $sortOrder = isset($_REQUEST['sSortDir_0']) ? CRM_Utils_Type::escape($_REQUEST['sSortDir_0'], 'String') : 'asc';
-    $params = $_POST;
+    $params = self::getWhiteListedParametersFromPost(array(
+      'contact_id' => 'Integer',
+      'activity_type_exclude_id' => 'Integer',
+      'activity_type_id' => 'Integer',
+    ));
+
     if ($sort && $sortOrder) {
       $params['sortBy'] = $sort . ' ' . $sortOrder;
     }
@@ -497,8 +502,7 @@
     }
     // store the activity filter preference CRM-11761
-    $session = CRM_Core_Session::singleton();
-    $userID = $session->get('userID');
+    $userID = CRM_Core_Session::singleton()->getLoggedInContactID();;
     if ($userID) {
       //flush cache before setting filter to account for global cache (memcache)
       $domainID = CRM_Core_Config::domainID();
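Review bot: Any `$_POST` key that the remainder of this function (which continues past the hunk) reads from `$params` but that is not among the three white-listed names is now silently absent, so the later uses of `$params` should be checked against the new list before merging. The `$sortOrder` context line just above still feeds an escaped but otherwise unconstrained string into `$params['sortBy']`; the same white-list idea fits there, e.g. `$sortOrder = in_array(strtolower($sortOrder), array('asc', 'desc'), TRUE) ? $sortOrder : 'asc';`. That line is pre-existing, but it sits squarely within the scope of a change whose subject is sanitising the request parameters on this tab.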
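Review bot: The new `$userID = CRM_Core_Session::singleton()->getLoggedInContactID();;` line ends with a doubled semicolon; drop the second one so the statement reads `$userID = CRM_Core_Session::singleton()->getLoggedInContactID();`. The enclosing function starts and ends outside this hunk.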
@@ -548,4 +552,21 @@
     CRM_Utils_System::civiExit();
   }
+  /**
+   * Get parameters from the POST according to a specified white list.
+   * @param $postParams
+   * @return array
+   */
+  protected static function getWhiteListedParametersFromPost($postParams) {
+    $params = array();
+    foreach ($postParams as $postParam => $paramType) {
+      // Note that as all the existing ones are Integers they do not need escaping.
+      $params[$postParam] = CRM_Utils_Request::retrieve($postParam, $paramType);
+      if ($params[$postParam] && $paramType != 'Integer') {
+        $params[$postParam] = CRM_Utils_Type::escape($postParam, $paramType);
+      }
+    }
+    return $params;
+  }
+
 }
--
To view, visit https://gerrit.wikimedia.org/r/284127
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie26a0a89e0b830d1c41a7cbc989d769b9cc70ef7
Gerrit-PatchSet: 1
Gerrit-Project: wikimedia/fundraising/crm/civicrm
Gerrit-Branch: master
Gerrit-Owner: Eileen <emcnaugh...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
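Review bot: The escape branch in getWhiteListedParametersFromPost escapes the parameter name rather than its value: `$params[$postParam] = CRM_Utils_Type::escape($postParam, $paramType);` should be `$params[$postParam] = CRM_Utils_Type::escape($params[$postParam], $paramType);`, otherwise the first non-Integer entry added to the white list would have its value silently replaced by the escaped key. The method name promises POST-only input, but `CRM_Utils_Request::retrieve($postParam, $paramType)` is called without a source/method argument, so unless that helper defaults to POST the same keys will also be accepted from the query string — confirm against `retrieve()`'s signature and pass the method explicitly if POST-only is intended. `$paramType != 'Integer'` should use the strict `!==`, and the truthiness test `if ($params[$postParam] && ...)` skips the escape for values like `'0'`, which is harmless for escaping but worth a comment. The docblock could state the expected shape, e.g. `@param array $postParams Map of POST parameter name => CRM_Utils_Type type string.`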