CRM-17795 - Enforce maximum join depth
authorColeman Watts <coleman@civicrm.org>
Fri, 8 Jan 2016 20:19:49 +0000 (15:19 -0500)
committerColeman Watts <coleman@civicrm.org>
Sat, 9 Jan 2016 01:51:03 +0000 (20:51 -0500)
Civi/API/SelectQuery.php

index d6ad183b7fee07e7eaa7a7283dd94ffad25dbab1..3652c93865befa3886738543caa794737e8a861f 100644 (file)
@@ -360,6 +360,10 @@ class SelectQuery {
         $fkField = &$this->apiFieldSpec[$fk];
         continue;
       }
+      // More than 4 joins deep seems excessive - DOS attack?
+      if ($depth > 4) {
+        throw new \API_Exception("Maximum number of joins exceeded in api.{$this->entity}.get");
+      }
       if (!isset($fkField['FKApiName']) && !isset($fkField['FKClassName'])) {
         return NULL;
       }
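Review bot: The guard at `if ($depth > 4)` bounds the depth of a single join chain, while the message reads "Maximum number of joins exceeded". As far as this hunk shows, nothing limits how many separate chains one request may name, so the total number of JOINs per query may still be unbounded and is worth capping where the joins are accumulated. The literal `4` would be easier to audit and tune as a class constant, e.g. `const MAX_JOINS = 4;` used as `if ($depth > self::MAX_JOINS) {`. The comment could state the intent instead of asking a question: `// Cap join depth so a caller-supplied field path cannot force arbitrarily deep JOIN chains.` Whether `$depth` is zero-based, and so whether the limit admits four or five levels, cannot be told from here because the enclosing loop starts and ends outside the hunk.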