security/core#126 Ensure that QFKey is validated when deleting a contact image
authorSeamus Lee <seamuslee001@gmail.com>
Sat, 2 Sep 2023 22:03:19 +0000 (08:03 +1000)
committerSeamus Lee <seamuslee001@gmail.com>
Thu, 7 Sep 2023 00:19:10 +0000 (10:19 +1000)
CRM/Contact/BAO/Contact.php
CRM/Contact/Form/Contact.php
CRM/Core/BAO/UFGroup.php

index 4b469a42531405a9a11e7cbee648fa4d78ef3f2f..ad02c2bef7282557b75a2814282644007cec8a7d 100644 (file)
@@ -1130,14 +1130,15 @@ WHERE     civicrm_contact.id = " . CRM_Utils_Type::escape($id, 'Integer');
    * Extract contact id from url for deleting contact image.
    */
   public static function processImage() {
-
     $action = CRM_Utils_Request::retrieve('action', 'String');
     $cid = CRM_Utils_Request::retrieve('cid', 'Positive');
     // retrieve contact id in case of Profile context
     $id = CRM_Utils_Request::retrieve('id', 'Positive');
+    $formName = $cid ? 'CRM_Contact_Form_Contact' : 'CRM_Profile_Form_Edit';
     $cid = $cid ? $cid : $id;
     if ($action & CRM_Core_Action::DELETE) {
       if (CRM_Utils_Request::retrieve('confirmed', 'Boolean')) {
+        $controller = new CRM_Core_Controller_Simple($formName, ts('New Contact'), NULL, TRUE, FALSE);
         if (!CRM_Contact_BAO_Contact::_checkAccess('Contact', 'update', ['id' => $cid], NULL)) {
           CRM_Utils_System::permissionDenied();
         }
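Review bot: The controller built on the `$controller = new CRM_Core_Controller_Simple($formName, ...)` line is never read afterwards in the hunk, so the request-key validation that this commit relies on is an invisible side effect of construction and looks like dead code to the next maintainer. Add a comment above that line such as `// Instantiating the controller validates the qfKey sent with the delete link against the session; a missing or stale key aborts here before the access check below.` — presumably that is the constructor's behaviour, since nothing else in the hunk inspects the key. Note also that the key is only checked inside the `confirmed` branch; the unconfirmed `action=delete` path is not covered by this hunk, so confirm it performs no deletion. processImage() continues past the end of the hunk.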
index e839389812dd42f9375e2d1ddeaa1d756334021b..486bf3b7dada89a1bf5ea1dc1f9d6baa5678cea7 100644 (file)
@@ -730,7 +730,7 @@ class CRM_Contact_Form_Contact extends CRM_Core_Form {
         CRM_Core_Action::DELETE => [
           'name' => ts('Delete Contact Image'),
           'url' => 'civicrm/contact/image',
-          'qs' => 'reset=1&cid=%%id%%&action=delete',
+          'qs' => 'reset=1&cid=%%id%%&action=delete&&qfKey=%%key%%',
           'extra' => 'onclick = "' . htmlspecialchars("if (confirm($deleteExtra)) this.href+='&confirmed=1'; else return false;") . '"',
         ],
       ];
@@ -738,6 +738,7 @@ class CRM_Contact_Form_Contact extends CRM_Core_Form {
         CRM_Core_Action::DELETE,
         [
           'id' => $this->_contactId,
+          'key' => $this->controller->_key,
         ],
         ts('more'),
         FALSE,
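Review bot: The new `qs` string in the first hunk of this file contains a doubled separator, `action=delete&&qfKey=%%key%%`, which emits an empty query segment and does not match the single-`&` form used for the same link in CRM/Core/BAO/UFGroup.php. It should read `'qs' => 'reset=1&cid=%%id%%&action=delete&qfKey=%%key%%',`. Most query parsers tolerate the empty segment, but the `confirmed=1` fragment appended by the onclick handler makes the resulting URL harder to reason about if the separators are already irregular.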
index be15fb87a9a8066b9d07e9ff41169ff76f3ce3ca..645dfcb6d3cda3f34a17cd07834aa9f50cacf30a 100644 (file)
@@ -1843,7 +1843,7 @@ AND    ( entity_id IS NULL OR entity_id <= 0 )
         CRM_Core_Action::DELETE => [
           'name' => ts('Delete Contact Image'),
           'url' => 'civicrm/contact/image',
-          'qs' => 'reset=1&id=%%id%%&gid=%%gid%%&action=delete',
+          'qs' => 'reset=1&id=%%id%%&gid=%%gid%%&action=delete&qfKey=%%key%%',
           'extra' => 'onclick = "' . htmlspecialchars("if (confirm($deleteExtra)) this.href+='&confirmed=1'; else return false;") . '"',
         ],
       ];
@@ -1852,6 +1852,7 @@ AND    ( entity_id IS NULL OR entity_id <= 0 )
         [
           'id' => $form->get('id'),
           'gid' => $form->get('gid'),
+          'key' => $form->controller->_key,
         ],
         ts('more'),
         FALSE,
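Review bot: The `'key' => $form->controller->_key` entry is added without saying why the key travels on a delete link, and this builder sits in a BAO rather than the form itself, so the reason is not obvious at the call site. A comment on that line such as `// qfKey lets CRM_Contact_BAO_Contact::processImage() verify the delete request originates from this profile form` would make the coupling explicit. If any caller of this builder can supply a `$form` whose `controller` is unset, the property access would warn at link-build time; I cannot tell from the hunk whether that is possible, so it is worth confirming.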