From 4bc5c2347aacb41ac5f7c70e44f1706cb754abd4 Mon Sep 17 00:00:00 2001 From: Seamus Lee Date: Wed, 13 Jul 2016 04:28:58 +0000 Subject: [PATCH] CRM-19068 Fix SQLI in parents in group.create api call --- CRM/Contact/BAO/Group.php | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/CRM/Contact/BAO/Group.php b/CRM/Contact/BAO/Group.php index 3a52eecb69..47a4bd8ad6 100644 --- a/CRM/Contact/BAO/Group.php +++ b/CRM/Contact/BAO/Group.php @@ -387,6 +387,22 @@ class CRM_Contact_BAO_Group extends CRM_Contact_DAO_Group { $params['modified_id'] = $cid; } + // CRM-19068. + // Validate parents parameter when creating group. + if (isset($params['parents'])) { + if (is_array($params['parents'])) { + foreach ($params['parents'] as $parent => $dc) { + if (!CRM_Utils_Type::validate('integer', $parent, FALSE)) { + unset($params['parents'][$parent]); + } + } + } + else { + if (!CRM_Utils_Type::validate('integer', $params['parents'], FALSE)) { + unset($params['parents']); + } + } + } $group = new CRM_Contact_BAO_Group(); $group->copyValues($params); //@todo very hacky fix for the fact this function wants to receive 'parents' as an array further down but @@ -444,8 +460,10 @@ class CRM_Contact_BAO_Group extends CRM_Contact_DAO_Group { if (!empty($params['parents'])) { foreach ($params['parents'] as $parentId => $dnc) { - if ($parentId && !CRM_Contact_BAO_GroupNesting::isParentChild($parentId, $group->id)) { - CRM_Contact_BAO_GroupNesting::add($parentId, $group->id); + if (CRM_Utils_Type::validate('Integer', $parentId, FALSE)) { + if ($parentId && !CRM_Contact_BAO_GroupNesting::isParentChild($parentId, $group->id)) { + CRM_Contact_BAO_GroupNesting::add($parentId, $group->id); + } } } } -- 2.25.1