From: Tim Otten Date: Sat, 6 Sep 2014 06:47:51 +0000 (-0700) Subject: CRM-15247 - CRM_Contact_Page_AJAX::autocomplete - Require a token X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=b1dba111791756fce17cb1fd893d02e4479f3ee6;p=civicrm-core.git CRM-15247 - CRM_Contact_Page_AJAX::autocomplete - Require a token
---
diff --git a/CRM/Contact/Page/AJAX.php b/CRM/Contact/Page/AJAX.php
index 85c1cbf39f..ddf9e41ed5 100644
--- a/CRM/Contact/Page/AJAX.php
+++ b/CRM/Contact/Page/AJAX.php
@@ -43,6 +43,8 @@ class CRM_Contact_Page_AJAX {
 */
 const CHECK_USERNAME_TTL = 10800; // 3hr; 3*60*60
+ const AUTOCOMPLETE_TTL = 21600; // 6hr; 6*60*60
+
 static function getContactList() {
 // if context is 'customfield'
 if (CRM_Utils_Array::value('context', $_GET) == 'customfield') {
@@ -260,6 +262,13 @@ class CRM_Contact_Page_AJAX {
 * Function to fetch the values
 */
 static function autocomplete() {
+ $signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), array('cfid', 'ogid', 'sigts'));
+ if (CRM_Utils_Time::getTimeRaw() > $_REQUEST['sigts'] + self::AUTOCOMPLETE_TTL
+ || !$signer->validate($_REQUEST['sig'], $_REQUEST)
+ ) {
+ CRM_Utils_System::civiExit();
+ }
+
 $fieldID = CRM_Utils_Type::escape($_GET['cfid'], 'Integer');
 $optionGroupID = CRM_Utils_Type::escape($_GET['ogid'], 'Integer');
 $label = CRM_Utils_Type::escape($_GET['s'], 'String');
diff --git a/CRM/Core/BAO/CustomField.php b/CRM/Core/BAO/CustomField.php
index 0801e2a2bc..9cde814573 100644
--- a/CRM/Core/BAO/CustomField.php
+++ b/CRM/Core/BAO/CustomField.php
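Review bot: `AUTOCOMPLETE_TTL` is added without the docblock its sibling `CHECK_USERNAME_TTL` carries (the `*/` just above it closes that one), so a reader has to find `autocomplete()` to learn what the window bounds. A short docblock would keep the two constants consistent, e.g. `/** Validity window (seconds) of a signed civicrm/ajax/auto URL; see autocomplete(). */` placed above the new `const`. The trailing `// 6hr; 6*60*60` can stay for symmetry with the line above it.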
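Review bot: The signature is validated over `$_REQUEST`, but `cfid` and `ogid` are read from `$_GET` two lines later, so the values that were checked and the values that are used can come from different sources when a key is present in more than one of GET, POST and cookie (`$_REQUEST` merges them per `request_order`); validate and consume from the same array. The two new keys are also dereferenced without an existence check, which raises a notice and passes a `null` signature on a plain request. I would change the guard to `if (!isset($_GET['sig'], $_GET['sigts']) || CRM_Utils_Time::getTimeRaw() > (int) $_GET['sigts'] + self::AUTOCOMPLETE_TTL`, then `|| !$signer->validate($_GET['sig'], $_GET)`, leaving `) {` as is. The signing side in CRM/Core/BAO/CustomField.php (the next hunk) appears to build the link from the same four parameters as URL query arguments, so `$_GET` is the matching source there. autocomplete()'s body continues past the end of this hunk.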
@@ -1023,10 +1023,15 @@ class CRM_Core_BAO_CustomField extends CRM_Core_DAO_CustomField {
 $qf->addRule($elementName, ts('Select a valid contact for %1.', array(1 => $label)), 'validContact', $actualElementValue);
 }
 else {
- $customUrls[$elementName] = CRM_Utils_System::url('civicrm/ajax/auto',
- "reset=1&ogid={$field->option_group_id}&cfid={$field->id}",
- FALSE, NULL, FALSE
+ $signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), array('cfid','ogid','sigts'));
+ $signParams = array(
+ 'reset' => 1,
+ 'sigts' => CRM_Utils_Time::getTimeRaw(),
+ 'ogid' => $field->option_group_id,
+ 'cfid' => $field->id,
 );
+ $signParams['sig'] = $signer->sign($signParams);
+ $customUrls[$elementName] = CRM_Utils_System::url('civicrm/ajax/auto', $signParams, FALSE, NULL, FALSE);
 $qf->addRule($elementName, ts('Select a valid value for %1.', array(1 => $label)), 'autocomplete', array(
 'fieldID' => $field->id,