From: Coleman Watts Date: Fri, 8 Jan 2016 20:19:49 +0000 (-0500) Subject: CRM-17795 - Enforce maximum join depth X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=4f7a32d8359ba09a46f7bece1d84ec4720d95657;p=civicrm-core.git CRM-17795 - Enforce maximum join depth
---
diff --git a/Civi/API/SelectQuery.php b/Civi/API/SelectQuery.php
index d6ad183b7f..3652c93865 100644
--- a/Civi/API/SelectQuery.php
+++ b/Civi/API/SelectQuery.php
@@ -360,6 +360,10 @@ class SelectQuery {
 $fkField = &$this->apiFieldSpec[$fk];
 continue;
 }
+ // More than 4 joins deep seems excessive - DOS attack?
+ if ($depth > 4) {
+ throw new \API_Exception("Maximum number of joins exceeded in api.{$this->entity}.get");
+ }
 if (!isset($fkField['FKApiName']) && !isset($fkField['FKClassName'])) {
 return NULL;
 }
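Review bot: The bound on the new `if ($depth > 4)` line is a magic number whose only explanation is a comment phrased as a question, so a later reader cannot tell whether 4 was measured or guessed. Promote it to a named class constant, `const MAX_JOIN_DEPTH = 4;`, and test `if ($depth > self::MAX_JOIN_DEPTH) {`, with the rationale stated plainly in the comment: `// Cap join depth: each level adds a JOIN, so an unbounded chain lets a caller build arbitrarily expensive queries.`. Whether `$depth` counts joins already followed or the one about to be added is not visible in this hunk, so the comment should also say how many joins the cap actually permits once that is confirmed. The enclosing method starts and ends outside the hunk.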