Details
-
Type:
Bug
-
Status: Open
-
Priority:
Major
-
Resolution: Unresolved
-
Affects Version/s: 4.3.10, 4.7.13
-
Fix Version/s: None
-
Component/s: CiviCRM API
-
Labels:None
-
Versioning Impact:Patch (backwards-compatible bug fixes)
-
Documentation Required?:None
-
Funding Source:Needs Funding
-
Verified?:No
Description
(Originally reported by "bara" on "dev-post-release".)
Multiple API's fail if you attempt to use any data that contains the text "select" or "SELECT", e.g. "cv api contact.get email=someone@select.org" – which is exactly api/v3/utils.php says to do: https://github.com/civicrm/civicrm-core/blob/4.7.13/api/v3/utils.php#L915
The issue does not affect all API's – only API's which have TRUEish $queryObject.
It appears to stem from CRM-13550, although the record is a bit inscrutable. It sounds like a security issue but lacks examples of problematic code. (When we first started formalizing our security processes, there was no way to privately discuss them in JIRA, so discussions tended to be opaque.) The issue seems to have been treated as a fairly broad one with multiple patches, most notably https://github.com/CiviCRM42/civicrm42-core/pull/45/files and https://github.com/civicrm/civicrm-core/commit/ba93e7ad94552e5f0e3384289dac4f4c19f970ca
My gut says the conditional here is superfluous, but assigning to the original authors in case they have a better understanding.