Details
- Type: Bug
- Status: Done/Fixed
- Priority: Trivial
- Resolution: Fixed/Completed
- Affects Version/s: 4.6.4
- Fix Version/s: 4.6.7
- Component/s: Core CiviCRM
- Labels: None
- Documentation Required?: None
- Funding Source: Contributed Code
Description
CRM/Admin/Page/APIExplorer.php uses file_get_contents() on the input $_GET. Some path manipulation checks are applied (does entity name contain a period?) but not enough.

    if (!empty($_GET['entity']) && strpos($_GET['entity'], '.') === FALSE) {
      $entity = _civicrm_api_get_camel_name($_GET['entity']);
      $action = CRM_Utils_Array::value('action', $_GET);
      $doc = self::getDocblock($entity, $action);
    ...
    $file = "api/v3/$entity.php";
    $contents = file_get_contents($file, FILE_USE_INCLUDE_PATH);

I don't see a way this could have been abused, but I don't mind adding an additional check (that the entity type is valid) if it prevents path traversal using unexpected inputs.
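
One way to express the additional check described above, as an added example (not CiviCRM's code and not the committed fix): compare the requested name against a list of valid entity types before any path is built, and contrast the result with the period-only check. The function names, the entity list and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added illustration, not CiviCRM code. Function names and the entity list are hypothetical.

/** The check quoted in the report: value is non-empty and contains no period. */
function passes_period_check(string $entity): bool {
  return !empty($entity) && strpos($entity, '.') === FALSE;
}

/**
 * Stricter check: the name must exactly match a known entity type.
 * Returns the relative file path, or NULL when the entity is not recognised.
 */
function entity_doc_path(string $entity, array $knownEntities): ?string {
  $index = array_search($entity, $knownEntities, TRUE);
  if ($index === FALSE) {
    return NULL;
  }
  // Build the path from the allowlist entry, never from the request value itself.
  $safe = $knownEntities[$index];
  return "api/v3/$safe.php";
}

// Constructed sample data: a short allowlist and a mix of expected and unexpected names.
$knownEntities = ['Activity', 'Contact', 'Contribution'];
$inputs = ['Contact', 'Sub/Contact', 'Sub\\Contact', 'Con tact', "Contact\n", 'Contact.php'];

foreach ($inputs as $input) {
  $path = entity_doc_path($input, $knownEntities);
  printf(
    "%-16s period-check: %-6s allowlist: %s\n",
    json_encode($input, JSON_UNESCAPED_SLASHES),
    passes_period_check($input) ? 'pass' : 'reject',
    $path === NULL ? 'reject' : $path
  );
}
```

Only the exact name `Contact` yields a path under the allowlist check, while the period-only check accepts every sample except `Contact.php`, including names that contain path separators or whitespace.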