* Ajax callback to display code docs
*/
public static function getDoc() {
- if (!empty($_GET['entity']) && strpos($_GET['entity'], '.') === FALSE) {
+ // Verify the API handler we're talking to is valid.
+ $entities = civicrm_api3('Entity', 'get');
+ if (!empty($_GET['entity']) && in_array($_GET['entity'], $entities['values']) && strpos($_GET['entity'], '.') === FALSE) {
$entity = _civicrm_api_get_camel_name($_GET['entity']);
$action = CRM_Utils_Array::value('action', $_GET);
$doc = self::getDocblock($entity, $action);
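Review bot: The new allow-list test in the `if` condition calls `in_array()` without the strict flag and never confirms that `$_GET['entity']` is a string, so the match is a loose comparison and a non-string parameter is rejected only as a side effect of it. I would write the condition as `if (!empty($_GET['entity']) && is_string($_GET['entity']) && in_array($_GET['entity'], $entities['values'], TRUE) && strpos($_GET['entity'], '.') === FALSE) {`. The `civicrm_api3('Entity', 'get')` lookup also runs before the emptiness check, so it is performed even for requests that carry no entity; it could move behind an early return. `$action` is still read from `$_GET` unchecked and passed to `self::getDocblock()`, which is not visible here, so whether it needs a matching check against the entity's known actions should be confirmed. The body of `getDoc()` continues past the end of this hunk.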