From: Tim Otten Date: Sat, 11 Dec 2021 06:12:30 +0000 (-0800) Subject: (REF) CRM_Utils_REST - Extract method `isWebServiceRequest()` X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=12739440a07a4e059d074ae9ab22ddf66a298665;p=civicrm-core.git (REF) CRM_Utils_REST - Extract method `isWebServiceRequest()` --- diff --git a/CRM/Utils/REST.php b/CRM/Utils/REST.php index 0604758d1a..bf8a0104c0 100644 --- a/CRM/Utils/REST.php +++ b/CRM/Utils/REST.php @@ -399,9 +399,7 @@ class CRM_Utils_REST { unset($param['q']); $smarty->assign_by_ref("request", $param); - if (!array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) || - $_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest" - ) { + if (!self::isWebServiceRequest()) { $smarty->assign('tplFile', $tpl); $config = CRM_Core_Config::singleton(); @@ -434,10 +432,7 @@ class CRM_Utils_REST { require_once 'api/v3/utils.php'; $config = CRM_Core_Config::singleton(); - if (!$config->debug && (!array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) || - $_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest" - ) - ) { + if (!$config->debug && !self::isWebServiceRequest()) { $error = civicrm_api3_create_error("SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api3().", [ 'IP' => $_SERVER['REMOTE_ADDR'], @@ -499,11 +494,7 @@ class CRM_Utils_REST { // restrict calls to this etc // the request has to be sent by an ajax call. First line of protection against csrf $config = CRM_Core_Config::singleton(); - if (!$config->debug && - (!array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) || - $_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest" - ) - ) { + if (!$config->debug && !self::isWebServiceRequest()) { require_once 'api/v3/utils.php'; $error = civicrm_api3_create_error("SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api3().", [ @@ -636,4 +627,15 @@ class CRM_Utils_REST { } } + /** + * Does this request appear to be a web-service request? + * + * @return bool + * TRUE if the current request appears to be web-service request (ie AJAX). + * FALSE if the current request appears to be a standalone browser page-view. + */ + protected static function isWebServiceRequest(): bool { + return array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest'; + } + }