projects / civicrm-core.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1e970c0) | patch
security/core#14 Validate "context" inputs
authorSean Madsen <sean@seanmadsen.com>
Sun, 22 Apr 2018 21:50:47 +0000 (17:50 -0400)
committerTim Otten <totten@civicrm.org>
Wed, 18 Jul 2018 20:51:53 +0000 (13:51 -0700)
commit443611bba9b6dfe0d56f705a1cbb08cfd2de99be
tree48a4d5964e848f80277522a770184d4b690f857ctree | snapshot (zip tar.gz)
parent1e970c0babffeb13ee677228b1d8a91eb635829fcommit | diff
security/core#14 Validate "context" inputs

When "context" is passed as a GET parameter, ensure that its values is
a valid "Alphanumeric" type. This helps prevent XSS when the "context"
value finds its way into templates that lack HTML output encoding.

Replace...

    CRM_Utils_Request::retrieve\((['"])context\1,(\s*)(['"])String\3

...with...

    CRM_Utils_Request::retrieve\($1context$1,$3Alphanumeric$3

Also search for the following and manually fix:

    \$_GET\[(['"])context\1\]
    \$_POST\[(['"])context\1\]
    \$_REQUEST\[(['"])context\1\]
68 files changed:
CRM/Activity/Form/Activity.php diff | blob | blame | history
CRM/Activity/Form/ActivityView.php diff | blob | blame | history
CRM/Activity/Form/Search.php diff | blob | blame | history
CRM/Activity/Page/Tab.php diff | blob | blame | history
CRM/Admin/Form/ScheduleReminders.php diff | blob | blame | history
CRM/Batch/Page/AJAX.php diff | blob | blame | history
CRM/Campaign/Form/Campaign.php diff | blob | blame | history
CRM/Campaign/Form/Petition.php diff | blob | blame | history
CRM/Campaign/Form/Search.php diff | blob | blame | history
CRM/Campaign/Form/Survey/Main.php diff | blob | blame | history
CRM/Case/Form/Activity.php diff | blob | blame | history
CRM/Case/Form/Activity/OpenCase.php diff | blob | blame | history
CRM/Case/Form/CaseView.php diff | blob | blame | history
CRM/Case/Form/EditClient.php diff | blob | blame | history
CRM/Case/Form/Search.php diff | blob | blame | history
CRM/Case/Page/CaseDetails.php diff | blob | blame | history
CRM/Case/Page/Tab.php diff | blob | blame | history
CRM/Contact/Form/Contact.php diff | blob | blame | history
CRM/Contact/Form/GroupContact.php diff | blob | blame | history
CRM/Contact/Form/Search.php diff | blob | blame | history
CRM/Contact/Form/Task/Delete.php diff | blob | blame | history
CRM/Contact/Form/Task/Email.php diff | blob | blame | history
CRM/Contact/Form/Task/Map.php diff | blob | blame | history
CRM/Contact/Form/Task/SMS.php diff | blob | blame | history
CRM/Contact/Page/AJAX.php diff | blob | blame | history
CRM/Contact/Page/DedupeFind.php diff | blob | blame | history
CRM/Contact/Page/DedupeRules.php diff | blob | blame | history
CRM/Contact/Page/View/Relationship.php diff | blob | blame | history
CRM/Contribute/BAO/ContributionRecur.php diff | blob | blame | history
CRM/Contribute/Form/Contribution.php diff | blob | blame | history
CRM/Contribute/Form/ContributionView.php diff | blob | blame | history
CRM/Contribute/Form/Search.php diff | blob | blame | history
CRM/Contribute/Page/PaymentInfo.php diff | blob | blame | history
CRM/Contribute/Page/Tab.php diff | blob | blame | history
CRM/Core/Page/AJAX.php diff | blob | blame | history
CRM/Dashlet/Page/Activity.php diff | blob | blame | history
CRM/Dashlet/Page/AllCases.php diff | blob | blame | history
CRM/Dashlet/Page/GettingStarted.php diff | blob | blame | history
CRM/Dashlet/Page/MyCases.php diff | blob | blame | history
CRM/Event/Form/Participant.php diff | blob | blame | history
CRM/Event/Form/Search.php diff | blob | blame | history
CRM/Event/Form/Task/Badge.php diff | blob | blame | history
CRM/Event/Page/EventInfo.php diff | blob | blame | history
CRM/Event/Page/Tab.php diff | blob | blame | history
CRM/Financial/Form/FinancialBatch.php diff | blob | blame | history
CRM/Financial/Page/AJAX.php diff | blob | blame | history
CRM/Financial/Page/FinancialBatch.php diff | blob | blame | history
CRM/Grant/Form/Grant.php diff | blob | blame | history
CRM/Grant/Form/GrantView.php diff | blob | blame | history
CRM/Grant/Form/Search.php diff | blob | blame | history
CRM/Grant/Page/Tab.php diff | blob | blame | history
CRM/Mailing/Page/Event.php diff | blob | blame | history
CRM/Mailing/Page/Report.php diff | blob | blame | history
CRM/Member/Form.php diff | blob | blame | history
CRM/Member/Form/MembershipView.php diff | blob | blame | history
CRM/Member/Form/Search.php diff | blob | blame | history
CRM/Member/Page/Tab.php diff | blob | blame | history
CRM/PCP/Form/Campaign.php diff | blob | blame | history
CRM/PCP/Form/PCP.php diff | blob | blame | history
CRM/Pledge/Form/Pledge.php diff | blob | blame | history
CRM/Pledge/Form/Search.php diff | blob | blame | history
CRM/Pledge/Page/Payment.php diff | blob | blame | history
CRM/Pledge/Page/Tab.php diff | blob | blame | history
CRM/Price/Page/Set.php diff | blob | blame | history
CRM/Profile/Form.php diff | blob | blame | history
CRM/Profile/Form/Edit.php diff | blob | blame | history
CRM/Report/Form/Activity.php diff | blob | blame | history
CRM/UF/Page/Group.php diff | blob | blame | history