From 2e40130b5a0bcafc74d67fd1d310437ef9caf22b Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Fri, 29 Nov 2019 18:46:51 +1100
Subject: [PATCH] Also ensure that updates etc cannot be done via get only via post as per APIv3
---
CRM/Api4/Page/AJAX.php | 21 ++++++++++++++++++++-
ang/api4Explorer/Explorer.js | 4 ++--
2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/CRM/Api4/Page/AJAX.php b/CRM/Api4/Page/AJAX.php
index 5ec8c56773..f40d0dbd58 100644
--- a/CRM/Api4/Page/AJAX.php
+++ b/CRM/Api4/Page/AJAX.php
@@ -32,7 +32,7 @@ class CRM_Api4_Page_AJAX extends CRM_Core_Page {
 'error_code' => 401,
 'error_message' => "SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
 ];
- Civi::log()->debug( "SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
+ Civi::log()->debug("SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
 [
 'IP' => $_SERVER['REMOTE_ADDR'],
 'level' => 'security',
@@ -44,6 +44,25 @@ class CRM_Api4_Page_AJAX extends CRM_Core_Page {
 echo json_encode($response);
 CRM_Utils_System::civiExit();
 }
+ if ($_SERVER['REQUEST_METHOD'] == 'GET' &&
+ strtolower(substr($this->urlPath[4], 0, 3)) != 'get' &&
+ strtolower($this->urlPath[4] != 'check')) {
+ $response = [
+ 'error_code' => 400,
+ 'error_message' => "SECURITY: All requests that modify the database must be http POST, not GET.",
+ ];
+ Civi::log()->debug("SECURITY: All requests that modify the database must be http POST, not GET.",
+ [
+ 'IP' => $_SERVER['REMOTE_ADDR'],
+ 'level' => 'security',
+ 'referer' => $_SERVER['HTTP_REFERER'],
+ 'reason' => 'Destructive HTTP GET',
+ ]
+ );
+ CRM_Utils_System::setHttpHeader('Content-Type', 'application/json');
+ echo json_encode($response);
+ CRM_Utils_System::civiExit();
+ }
 try {
 // Call multiple
 if (empty($this->urlPath[3])) {
diff --git a/ang/api4Explorer/Explorer.js b/ang/api4Explorer/Explorer.js
index a626e572dc..15245f4a2c 100644
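Review bot: In the second hunk of CRM/Api4/Page/AJAX.php the `check` exemption has its parenthesis in the wrong place: `strtolower($this->urlPath[4] != 'check')` lowercases the boolean result of the comparison rather than the action name, so it only works by accident (strtolower(true) is "1", strtolower(false) is "") and, unlike the `get` prefix test on the line above, the exemption is case-sensitive. The guard also reads `$this->urlPath[4]` and `$_SERVER['HTTP_REFERER']` without checking they exist; the `if (empty($this->urlPath[3]))` context line suggests the multi-call path has no action segment, so a GET there would presumably raise an undefined-index notice before being rejected (inferred, not visible here). I would change the condition to `if ($_SERVER['REQUEST_METHOD'] === 'GET' &&`, `strtolower(substr($this->urlPath[4] ?? '', 0, 3)) !== 'get' &&`, `strtolower($this->urlPath[4] ?? '') !== 'check') {` and use `$_SERVER['HTTP_REFERER'] ?? ''` in the log context. The allowlist is prefix-based (any action whose name starts with `get`, plus `check`, is treated as read-only), which deserves a comment so that a future write action whose name happens to begin with `get` is not silently permitted over GET. The enclosing method starts and ends outside the hunk.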
--- a/ang/api4Explorer/Explorer.js
+++ b/ang/api4Explorer/Explorer.js
@@ -472,10 +472,10 @@ $scope.execute = function() {
 $scope.status = 'warning';
 $scope.loading = true;
- $http.get(CRM.url('civicrm/ajax/api4/' + $scope.entity + '/' + $scope.action, {
+ $http.post(CRM.url('civicrm/ajax/api4/' + $scope.entity + '/' + $scope.action, {
 params: angular.toJson(getParams()), index: $scope.index
- }), {
+ }), null, {
 headers: { 'X-Requested-With': 'XMLHttpRequest' }
-- 2.25.1
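Review bot: The `null` body argument on the `$http.post` line deserves a comment, because the request parameters still travel in the URL built by `CRM.url(...)` on the preceding lines and a reader will wonder why a POST carries no body; something like `// POST with an empty body: the API4 endpoint rejects non-read actions over GET, and the params still ride in the query string.` Keeping the serialised params in the query string also means they appear in web-server and proxy access logs and remain subject to URL length limits, which is worth weighing if the explorer is used with large parameter sets. The hunk header counts 10 lines on each side but fewer are visible here, so the enclosing `$scope.execute` function likely continues past what is shown.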