projects / civicrm-core.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
security/core#73 - Fix Contact.getquick API key exposure
[civicrm-core.git] / api / v3 / Contact.php
diff --git a/api/v3/Contact.php b/api/v3/Contact.php
index ba581e57947526c3d6199e49436b29608c247613..bbbf007576b99df5165b90869be1821cb5abf8e8 100644 (file)
--- a/api/v3/Contact.php
+++ b/api/v3/Contact.php
@@ -765,6 +765,10 @@ function civicrm_api3_contact_getquick($params) {
   // If we are doing quicksearch by a field other than name, make sure that field is added to results
   if (!empty($params['field_name'])) {
     $field_name = CRM_Utils_String::munge($params['field_name']);
+    // there is no good reason to request api_key via getquick
+    if ($field_name == 'api_key') {
+      throw new API_Exception('Illegal value "api_key" for parameter "field_name"');
+    }
     // Unique name contact_id = id
     if ($field_name == 'contact_id') {
       $field_name = 'id';