security/core#28 - CRM_Contact - Fix SQL injection in group/tag search
author Patrick Figel <pfigel@greenpeace.org>
Sat, 27 Oct 2018 19:08:32 +0000 (21:08 +0200)
committer Seamus Lee <seamuslee001@gmail.com>
Fri, 22 Feb 2019 00:08:26 +0000 (11:08 +1100)
commit 0cf0a3f39283cac6b7c45a059ffba09621e813e3
tree d43b0712b503b2e88fdd8606d80d769f03f0adef
parent 5078188767930525538e1ccd2ffb60109655436b
security/core#28 - CRM_Contact - Fix SQL injection in group/tag search

This fixes various SQL injections in CRM_Contact_BAO_Query in the group
and tag search code. CRM_Contact_BAO_Query is used by the API and some
other core features such as the advanced contact search.

For CRM_Contact_BAO_Query::tag, the lack of input validation meant that
API syntax that would typically not work for other parameters works for
tag search, so the fix attempts to not break backwards-compatibility
for API calls like Contact.get tag="1, 2" (i.e. using a comma-separated
list with spaces).
CRM/Contact/BAO/Query.php
tests/phpunit/api/v3/ContactTest.php
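The commit message describes the core of the fix: the tag parameter reaching CRM_Contact_BAO_Query::tag was not validated before it was used in SQL, and the fix has to keep accepting the loose comma-separated form (Contact.get tag="1, 2") that callers had come to rely on. The following PHP is an added illustration of that pattern, written for this page; it is not the commit's diff nor any CiviCRM code. The column name civicrm_entity_tag.tag_id, the function names and the accepted input shapes are assumptions made for the example.

```php
<?php
// Added example, not CiviCRM code. Shows the shape of the bug and one way to
// validate a tag-search parameter before it is placed into SQL.

// Vulnerable shape (hypothetical): whatever the API caller supplied is
// interpolated verbatim, so any string that is not a list of integers
// becomes part of the query.
function tagClauseUnsafe($tag): string
{
    return "civicrm_entity_tag.tag_id IN ($tag)";
}

// Hardened: normalise the parameter to a list of integer IDs, accepting the
// forms the commit message says must keep working (a single ID, a
// comma-separated string with optional spaces, or an array of those) and
// rejecting anything that is not a non-negative integer.
function normaliseTagIds($tag): array
{
    if (is_string($tag)) {
        $tag = explode(',', $tag);     // "1, 2" -> ["1", " 2"]
    }
    if (!is_array($tag)) {
        $tag = [$tag];                 // 5 -> [5]
    }
    $ids = [];
    foreach ($tag as $value) {
        if (is_array($value)) {
            throw new InvalidArgumentException('Nested arrays are not a tag id list');
        }
        if (is_int($value) && $value >= 0) {
            $ids[] = $value;
            continue;
        }
        $value = trim((string) $value);
        if ($value === '') {
            continue;                  // tolerate "1,,2" and trailing commas
        }
        // Only digits are allowed; this is what stops "1) OR (1=1" and friends.
        if (!preg_match('/^[0-9]+$/', $value)) {
            throw new InvalidArgumentException("Invalid tag id: $value");
        }
        $ids[] = (int) $value;
    }
    if ($ids === []) {
        throw new InvalidArgumentException('No tag ids given');
    }
    return array_values(array_unique($ids));
}

function tagClauseSafe($tag): string
{
    // Every element is now an int, so joining them cannot change the SQL structure.
    return 'civicrm_entity_tag.tag_id IN (' . implode(', ', normaliseTagIds($tag)) . ')';
}

// Constructed sample inputs: the documented legacy form, a plain id, an
// array with a numeric string, and an injection attempt.
$inputs = ['1, 2', 5, [3, '4'], '1) OR (1=1'];
foreach ($inputs as $input) {
    try {
        echo tagClauseSafe($input), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
// The unsafe variant happily emits the injected predicate for the last input.
echo tagClauseUnsafe($inputs[3]), "\n";
```

The compatibility concern from the commit message is handled by splitting on commas and trimming before validation rather than by loosening the check: "1, 2" still yields IN (1, 2), while any token that is not purely digits is rejected instead of being passed through to MySQL.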