From 117e55e9c038c82808e56d9475444d2a4bd3df66 Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Tue, 25 Apr 2017 09:28:20 +1000
Subject: [PATCH] CRM-20441 Limit acceptable operators to IN only

---
 api/v3/Activity.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/api/v3/Activity.php b/api/v3/Activity.php
index 99df306c97..321ceeeae4 100644
--- a/api/v3/Activity.php
+++ b/api/v3/Activity.php
@@ -305,11 +305,17 @@ function civicrm_api3_activity_get($params) {
     );
   }
   $ids = array();
+  $allowed_operators = array(
+    'IN',
+  );
   if (is_array($params['id'])) {
     foreach ($params['id'] as $operator => $values) {
-      if (in_array($operator, CRM_Core_DAO::acceptedSQLOperators())) {
+      if (in_array($operator, CRM_Core_DAO::acceptedSQLOperators()) && in_array($operator, $allowed_operators)) {
         $ids = $values;
       }
+      else {
+        throw new \Civi\Api\Exception('Used an unsupported sql operator with Activity.get API');
+      }
     }
   }
   else {
-- 
2.25.1
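Review bot: Both `in_array` calls on the new `if` line use loose comparison, so the allowlist is not as tight as the commit title says: `$operator` is an array key from caller-supplied `$params['id']`, and when `id` is passed as a plain list the key is the integer `0`, which loosely equals any non-numeric string such as `'IN'` on the PHP versions this code targets, letting a list-shaped `id` slip past the check with `$values` being a single element rather than the expected array. Pass `TRUE` as the third argument, `if (in_array($operator, $allowed_operators, TRUE)) {`, and consider also rejecting non-array `$values` before assigning `$ids`. With a one-entry allowlist the preceding `CRM_Core_DAO::acceptedSQLOperators()` check is redundant and can be dropped, which also makes the restriction easier to read. The exception class `\Civi\Api\Exception` does not match the casing of the `Civi\API` namespace used elsewhere in the project; confirm it is autoloadable, since the conventional type thrown from this API layer is `API_Exception`. The enclosing `civicrm_api3_activity_get` continues outside the hunk, so the later use of `$ids` is not visible here.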