Eileen has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/284127

Change subject: CRM-17983, CRM-18401 sanitise post params on activity tab
......................................................................

CRM-17983, CRM-18401 sanitise post params on activity tab

Change-Id: Ie26a0a89e0b830d1c41a7cbc989d769b9cc70ef7
---
M CRM/Activity/Page/AJAX.php
1 file changed, 24 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/wikimedia/fundraising/crm/civicrm 
refs/changes/27/284127/1

diff --git a/CRM/Activity/Page/AJAX.php b/CRM/Activity/Page/AJAX.php
index 9c79eae..63f59b2 100644
--- a/CRM/Activity/Page/AJAX.php
+++ b/CRM/Activity/Page/AJAX.php
@@ -474,7 +474,12 @@
     $sort = isset($_REQUEST['iSortCol_0']) ? 
CRM_Utils_Array::value(CRM_Utils_Type::escape($_REQUEST['iSortCol_0'], 
'Integer'), $sortMapper) : NULL;
     $sortOrder = isset($_REQUEST['sSortDir_0']) ? 
CRM_Utils_Type::escape($_REQUEST['sSortDir_0'], 'String') : 'asc';
 
-    $params = $_POST;
+    $params = self::getWhiteListedParametersFromPost(array(
+      'contact_id' => 'Integer',
+      'activity_type_exclude_id' => 'Integer',
+      'activity_type_id' => 'Integer',
+    ));
+
     if ($sort && $sortOrder) {
       $params['sortBy'] = $sort . ' ' . $sortOrder;
     }
@@ -497,8 +502,7 @@
     }
 
     // store the activity filter preference CRM-11761
-    $session = CRM_Core_Session::singleton();
-    $userID = $session->get('userID');
+    $userID = CRM_Core_Session::singleton()->getLoggedInContactID();;
     if ($userID) {
       //flush cache before setting filter to account for global cache 
(memcache)
       $domainID = CRM_Core_Config::domainID();
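Review bot: The replacement line `$userID = CRM_Core_Session::singleton()->getLoggedInContactID();;` ends in a doubled semicolon; the stray empty statement is harmless at runtime but will be flagged by the coding-standard check, so it should read `$userID = CRM_Core_Session::singleton()->getLoggedInContactID();`. The enclosing function starts and ends outside this hunk.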
@@ -548,4 +552,21 @@
     CRM_Utils_System::civiExit();
   }
 
+  /**
+   * Get parameters from the POST according to a specified white list.
+   * @param $postParams
+   * @return array
+   */
+  protected static function getWhiteListedParametersFromPost($postParams) {
+    $params = array();
+    foreach ($postParams as $postParam => $paramType) {
+      // Note that as all the existing ones are Integers they do not need 
escaping.
+      $params[$postParam] = CRM_Utils_Request::retrieve($postParam, 
$paramType);
+      if ($params[$postParam] && $paramType != 'Integer') {
+        $params[$postParam] = CRM_Utils_Type::escape($postParam, $paramType);
+      }
+    }
+    return $params;
+  }
+
 }
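Review bot: The escape branch in getWhiteListedParametersFromPost escapes the parameter name, not its value: `$params[$postParam] = CRM_Utils_Type::escape($postParam, $paramType);` passes `$postParam` (the key) to escape, so any non-Integer entry added to the white list later would silently come back as the escaped key string instead of the submitted value. It should be `$params[$postParam] = CRM_Utils_Type::escape($params[$postParam], $paramType);`. This is latent today because every listed parameter is an Integer, but the helper is clearly meant to be reused with other types. Separately, the name says "FromPost" while CRM_Utils_Request::retrieve() is called without a source argument; if it follows the upstream default of reading `$_REQUEST`, GET and cookie values are accepted too, so either pass the method argument explicitly or reword the docblock to say which superglobals are consulted and that absent keys are returned as NULL.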


Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie26a0a89e0b830d1c41a7cbc989d769b9cc70ef7
Gerrit-PatchSet: 1
Gerrit-Project: wikimedia/fundraising/crm/civicrm
Gerrit-Branch: master
Gerrit-Owner: Eileen <emcnaugh...@wikimedia.org>
