From: Seamus Lee Date: Mon, 24 Apr 2017 23:28:20 +0000 (+1000) Subject: CRM-20441 Limit acceptable operators to IN only X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=117e55e9c038c82808e56d9475444d2a4bd3df66;p=civicrm-core.git CRM-20441 Limit acceptable operators to IN only
---
diff --git a/api/v3/Activity.php b/api/v3/Activity.php
index 99df306c97..321ceeeae4 100644
--- a/api/v3/Activity.php
+++ b/api/v3/Activity.php
@@ -305,11 +305,17 @@ function civicrm_api3_activity_get($params) {
 );
 }
 $ids = array();
+ $allowed_operators = array(
+ 'IN',
+ );
 if (is_array($params['id'])) {
 foreach ($params['id'] as $operator => $values) {
- if (in_array($operator, CRM_Core_DAO::acceptedSQLOperators())) {
+ if (in_array($operator, CRM_Core_DAO::acceptedSQLOperators()) && in_array($operator, $allowed_operators)) {
 $ids = $values;
 }
+ else {
+ throw new \Civi\Api\Exception('Used an unsupported sql operator with Activity.get API');
+ }
 }
 }
 else {
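Review bot: Both `in_array` calls on the added `if` line are loose comparisons, so when `$params['id']` is a plain list of ids its integer keys are compared against operator strings, and on PHP 7 and earlier `0 == 'IN'` is true: the first element is silently taken as `$ids` and the next key then hits the new throw. Passing the strict flag, `in_array($operator, $allowed_operators, true)`, makes the whitelist exact; the `acceptedSQLOperators()` check is presumably redundant once `$allowed_operators` is a subset of it. I also cannot confirm from this hunk that `\Civi\Api\Exception` resolves to a class; the v3 API layer's usual type is `API_Exception`, which the wrapper turns into an error result, whereas an unresolved class name fatals at the throw, so this is worth verifying. Naming the rejected operator in the message, e.g. `'Unsupported SQL operator "' . $operator . '" in Activity.get'`, would make the failure easier to diagnose. civicrm_api3_activity_get starts and ends outside the hunk.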