vcs.fsf.org Git - civicrm-core.git/commit

author	Patrick Figel <pfigel@greenpeace.org>
	Sat, 27 Oct 2018 19:08:32 +0000 (21:08 +0200)
committer	Seamus Lee <seamuslee001@gmail.com>
	Tue, 19 Feb 2019 21:32:55 +0000 (08:32 +1100)
commit	b327ebe87730e068f85d6ea7eca372a3e9a07050
tree	9547aa1d01c287464a9ea75a5554bbd7e2967fb2	tree \| snapshot (zip tar.gz)
parent	ecd4e25058e413520c96f99d3a61821ff1c7d594	commit \| diff

security/core#28 - CRM_Contact - Fix SQL injection in group/tag search

This fixes various SQL injections in CRM_Contact_BAO_Query in the group
and tag search code. CRM_Contact_BAO_Query is used by the API and some
other core features such as the advanced contact search.

For CRM_Contact_BAO_Query::tag, the lack of input validation meant that
API syntax that would typically not work for other parameters works for
tag search, so the fix attempts to not break backwards-compatibility
for API calls like Contact.get tag="1, 2" (i.e. using a comma-separated
list with spaces).

CRM/Contact/BAO/Query.php		diff \| blob \| blame \| history
tests/phpunit/api/v3/ContactTest.php		diff \| blob \| blame \| history