From: Chris Burgess
Date: Thu, 9 Jul 2015 03:17:56 +0000 (+1200)
Subject: CRM-16806: Validate supplied entity type.
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=e80f05b26712d2aafa59be135f1677055f1fe611;p=civicrm-core.git

CRM-16806: Validate supplied entity type.
---
diff --git a/CRM/Admin/Page/APIExplorer.php b/CRM/Admin/Page/APIExplorer.php
index cef15f8ad8..31d0c04899 100644
--- a/CRM/Admin/Page/APIExplorer.php
+++ b/CRM/Admin/Page/APIExplorer.php
@@ -105,7 +105,9 @@ class CRM_Admin_Page_APIExplorer extends CRM_Core_Page {
 * Ajax callback to display code docs
 */
 public static function getDoc() {
- if (!empty($_GET['entity']) && strpos($_GET['entity'], '.') === FALSE) {
+ // Verify the API handler we're talking to is valid.
+ $entities = civicrm_api3('Entity', 'get');
+ if (!empty($_GET['entity']) && in_array($_GET['entity'], $entities['values']) && strpos($_GET['entity'], '.') === FALSE) {
 $entity = _civicrm_api_get_camel_name($_GET['entity']);
 $action = CRM_Utils_Array::value('action', $_GET);
 $doc = self::getDocblock($entity, $action);
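Review bot: The allow-list test in the new `if` uses a loose `in_array()` on a raw request value, and `$action` on the context line below it still reaches `self::getDocblock()` straight from `$_GET` with no check at all. Requiring a string and passing `TRUE` as the third argument makes the entity match exact: `is_string($_GET['entity']) && in_array($_GET['entity'], $entities['values'], TRUE)`. If getDocblock() uses the action to build a file or function name (its body is not visible in this hunk), the action needs an equivalent check before the call, for example `preg_match('/^[A-Za-z0-9_]+\z/', $action)`. The `civicrm_api3('Entity', 'get')` lookup also runs on every request, including ones with no `entity` parameter, so it would be better placed inside the `!empty()` branch. getDoc()'s body continues past the end of the hunk.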