From e1ffae37bdb30c117a0437d4784ec7f3c62c1bf1 Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Fri, 29 Nov 2019 08:33:44 +1100
Subject: [PATCH] security/core#71 Prevent CSRF by ensuring that AJAX endpoint of the API Explorer can only be hit by javascript clinets

---
 CRM/Api4/Page/AJAX.php | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/CRM/Api4/Page/AJAX.php b/CRM/Api4/Page/AJAX.php
index e560c85cc8..8f8c7de9ae 100644
--- a/CRM/Api4/Page/AJAX.php
+++ b/CRM/Api4/Page/AJAX.php
@@ -39,6 +39,27 @@ class CRM_Api4_Page_AJAX extends CRM_Core_Page {
 * Handler for api4 ajax requests
 */
 public function run() {
+ $config = CRM_Core_Config::singleton();
+ if (!$config->debug && (!array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) ||
+ $_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest"
+ )
+ ) {
+ $response = [
+ 'error_code' => 401,
+ 'error_message' => "SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
+ ];
+ Civi::log()->debug( "SECURITY ALERT: Ajax requests can only be issued by javascript clients, eg. CRM.api4().",
+ [
+ 'IP' => $_SERVER['REMOTE_ADDR'],
+ 'level' => 'security',
+ 'referer' => $_SERVER['HTTP_REFERER'],
+ 'reason' => 'CSRF suspected',
+ ]
+ );
+ CRM_Utils_System::setHttpHeader('Content-Type', 'application/json');
+ echo json_encode($response);
+ CRM_Utils_System::civiExit();
+ }
 try {
 // Call multiple
 if (empty($this->urlPath[3])) {
-- 
2.25.1
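Review bot: The log context reads `$_SERVER['HTTP_REFERER']` unguarded, yet the very requests this branch is meant to reject (cross-site or non-browser requests without the X-Requested-With header) frequently carry no Referer, so the rejection path itself raises an undefined-index notice; use `'referer' => $_SERVER['HTTP_REFERER'] ?? '',` and, for the same reason, `'IP' => $_SERVER['REMOTE_ADDR'] ?? '',`. The header comparison should also be strict, `$_SERVER['HTTP_X_REQUESTED_WITH'] !== "XMLHttpRequest"`, since `!=` is only incidentally safe here. Two further points worth a comment or a follow-up: the JSON body reports `error_code => 401` but no HTTP status is set, so the client sees a 200 with an error payload, and the whole check is skipped when `$config->debug` is on, which leaves the endpoint CSRF-able on any site running in debug mode; a comment such as `// Debug mode bypasses the XHR check: do not run production sites with debug enabled.` would make that trade-off visible. The body of run() continues past the end of the hunk.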