From 4f7a32d8359ba09a46f7bece1d84ec4720d95657 Mon Sep 17 00:00:00 2001
From: Coleman Watts
Date: Fri, 8 Jan 2016 15:19:49 -0500
Subject: [PATCH] CRM-17795 - Enforce maximum join depth

---
 Civi/API/SelectQuery.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Civi/API/SelectQuery.php b/Civi/API/SelectQuery.php
index d6ad183b7f..3652c93865 100644
--- a/Civi/API/SelectQuery.php
+++ b/Civi/API/SelectQuery.php
@@ -360,6 +360,10 @@ class SelectQuery {
         $fkField = &$this->apiFieldSpec[$fk];
         continue;
       }
+      // More than 4 joins deep seems excessive - DOS attack?
+      if ($depth > 4) {
+        throw new \API_Exception("Maximum number of joins exceeded in api.{$this->entity}.get");
+      }
       if (!isset($fkField['FKApiName']) && !isset($fkField['FKClassName'])) {
         return NULL;
       }
-- 
2.25.1
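Review bot: The new depth guard hard-codes the limit as a bare `4` in both the comment and the condition, and the comment ("DOS attack?") leaves the rationale as a question even though this is the check that bounds how many tables a caller-controlled join path can pull in; make the limit a named class constant and state the reason definitely, e.g. `const MAX_JOIN_DEPTH = 4;` on the class, `if ($depth > self::MAX_JOIN_DEPTH) {`, and replace the comment with `// Cap join depth: the join path comes from caller-supplied field names, so an unbounded chain of FK joins is a denial-of-service vector.` The guard also sits after the `continue` on the line above it, so the iteration that takes that branch is never depth-checked; whether that matters depends on where `$depth` is incremented, which is outside this hunk, so it is worth confirming the counter is advanced before the `continue`. The thrown message does not tell the caller what the limit is; including the constant in the string would make the error actionable. The enclosing method starts and ends outside the hunk.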