CIV-01-021 - Improve entity name sanitization
Before
------
* There exist two functions which purport to take an API entity name and sanitize it,
producing a canonical API entity name. (`\Civi\API\Request::normalizeEntityName`
and `_civicrm_api_get_camel_name`)
* The two functions are identical for typical inputs. Both call `convertStringToCamel()`.
* The difference relates to unusual/unspecified input characters like `/` or `.` or `+`.
* `_civicrm_api_get_camel_name()` allows/returns unusual characters.
* `normalizeEntityName()` filters them out via `\CRM_Utils_String::munge()`
After
-----
* `_civicrm_api_get_camel_name()` just calls `normalizeEntityName()`
* A unit-test provides some comparison/contrast between the old+new behaviors.
Comments
--------
I came into this because CIV-01-021 pointed out that `_civicrm_api_get_camel_name()` had
insufficient sanitization of wonky inputs and could potentially lead to unexpected file-reads.
You can potentially address those wonky inputs by filtering them out or by throwing an exception.
I initially started doing an exception... but it turned out that `normalizeEntityName()` was already
filtering out and didn't really need a change. Also, regardless of the policy, the functions should be
brought into alignment.
Anyway, it seemed like this was the simpler change - it keeps `normalizeEntityName()` working exactly
as before, and only changes `_civicrm_api_get_camel_name()` to match.
projects / civicrm-core.git / commit