projects / civicrm-core.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d92edef) | patch
security/core#14 Validate "context" inputs
authorSean Madsen <sean@seanmadsen.com>
Sun, 22 Apr 2018 21:50:47 +0000 (17:50 -0400)
committerTim Otten <totten@civicrm.org>
Wed, 18 Jul 2018 21:55:05 +0000 (14:55 -0700)
commitedc80cda6bfef2572d515c4c139d83f7556e632a
tree826016c005d0c617ebe9d36ab2aff4b800aee038tree | snapshot (zip tar.gz)
parentd92edefc480455c404ab2c3da6b3c81e803be865commit | diff
security/core#14 Validate "context" inputs

When "context" is passed as a GET parameter, ensure that its values is
a valid "Alphanumeric" type. This helps prevent XSS when the "context"
value finds its way into templates that lack HTML output encoding.

Replace...

    CRM_Utils_Request::retrieve\((['"])context\1,(\s*)(['"])String\3

...with...

    CRM_Utils_Request::retrieve\($1context$1,$3Alphanumeric$3

Also search for the following and manually fix:

    \$_GET\[(['"])context\1\]
    \$_POST\[(['"])context\1\]
    \$_REQUEST\[(['"])context\1\]
67 files changed:
CRM/Activity/Form/Activity.php diff | blob | blame | history
CRM/Activity/Form/ActivityView.php diff | blob | blame | history
CRM/Activity/Form/Search.php diff | blob | blame | history
CRM/Activity/Page/Tab.php diff | blob | blame | history
CRM/Batch/Page/AJAX.php diff | blob | blame | history
CRM/Campaign/Form/Campaign.php diff | blob | blame | history
CRM/Campaign/Form/Petition.php diff | blob | blame | history
CRM/Campaign/Form/Search.php diff | blob | blame | history
CRM/Campaign/Form/Survey/Main.php diff | blob | blame | history
CRM/Case/Form/Activity.php diff | blob | blame | history
CRM/Case/Form/Activity/OpenCase.php diff | blob | blame | history
CRM/Case/Form/CaseView.php diff | blob | blame | history
CRM/Case/Form/EditClient.php diff | blob | blame | history
CRM/Case/Form/Search.php diff | blob | blame | history
CRM/Case/Page/CaseDetails.php diff | blob | blame | history
CRM/Case/Page/Tab.php diff | blob | blame | history
CRM/Contact/Form/Contact.php diff | blob | blame | history
CRM/Contact/Form/GroupContact.php diff | blob | blame | history
CRM/Contact/Form/Search.php diff | blob | blame | history
CRM/Contact/Form/Task/Delete.php diff | blob | blame | history
CRM/Contact/Form/Task/Email.php diff | blob | blame | history
CRM/Contact/Form/Task/Map.php diff | blob | blame | history
CRM/Contact/Form/Task/SMS.php diff | blob | blame | history
CRM/Contact/Page/AJAX.php diff | blob | blame | history
CRM/Contact/Page/DedupeFind.php diff | blob | blame | history
CRM/Contact/Page/DedupeRules.php diff | blob | blame | history
CRM/Contact/Page/View/Relationship.php diff | blob | blame | history
CRM/Contribute/BAO/ContributionRecur.php diff | blob | blame | history
CRM/Contribute/Form/Contribution.php diff | blob | blame | history
CRM/Contribute/Form/ContributionView.php diff | blob | blame | history
CRM/Contribute/Form/Search.php diff | blob | blame | history
CRM/Contribute/Page/PaymentInfo.php diff | blob | blame | history
CRM/Contribute/Page/Tab.php diff | blob | blame | history
CRM/Core/Page/AJAX.php diff | blob | blame | history
CRM/Dashlet/Page/Activity.php diff | blob | blame | history
CRM/Dashlet/Page/AllCases.php diff | blob | blame | history
CRM/Dashlet/Page/GettingStarted.php diff | blob | blame | history
CRM/Dashlet/Page/MyCases.php diff | blob | blame | history
CRM/Event/Form/Participant.php diff | blob | blame | history
CRM/Event/Form/Search.php diff | blob | blame | history
CRM/Event/Form/Task/Badge.php diff | blob | blame | history
CRM/Event/Page/EventInfo.php diff | blob | blame | history
CRM/Event/Page/Tab.php diff | blob | blame | history
CRM/Financial/Form/FinancialBatch.php diff | blob | blame | history
CRM/Financial/Page/AJAX.php diff | blob | blame | history
CRM/Financial/Page/FinancialBatch.php diff | blob | blame | history
CRM/Grant/Form/Grant.php diff | blob | blame | history
CRM/Grant/Form/GrantView.php diff | blob | blame | history
CRM/Grant/Form/Search.php diff | blob | blame | history
CRM/Grant/Page/Tab.php diff | blob | blame | history
CRM/Mailing/Page/Event.php diff | blob | blame | history
CRM/Mailing/Page/Report.php diff | blob | blame | history
CRM/Member/Form.php diff | blob | blame | history
CRM/Member/Form/MembershipView.php diff | blob | blame | history
CRM/Member/Form/Search.php diff | blob | blame | history
CRM/Member/Page/Tab.php diff | blob | blame | history
CRM/PCP/Form/Campaign.php diff | blob | blame | history
CRM/PCP/Form/PCP.php diff | blob | blame | history
CRM/Pledge/Form/Pledge.php diff | blob | blame | history
CRM/Pledge/Form/Search.php diff | blob | blame | history
CRM/Pledge/Page/Payment.php diff | blob | blame | history
CRM/Pledge/Page/Tab.php diff | blob | blame | history
CRM/Price/Page/Set.php diff | blob | blame | history
CRM/Profile/Form.php diff | blob | blame | history
CRM/Profile/Form/Edit.php diff | blob | blame | history
CRM/Report/Form/Activity.php diff | blob | blame | history
CRM/UF/Page/Group.php diff | blob | blame | history