Index: tests/t3lib/t3lib_frontendedit_testcase.php
===================================================================
--- tests/t3lib/t3lib_frontendedit_testcase.php (revision 0)
+++ tests/t3lib/t3lib_frontendedit_testcase.php (revision 0)
@@ -0,0 +1,85 @@
+
+ */
+class t3lib_frontendedit_testcase extends tx_phpunit_testcase {
+ /**
+ * a backup of the currently logged-in BE user
+ *
+ * @var t3lib_beUserAuth
+ */
+ private $backEndUserBackup;
+
+ public function setUp() {
+ $this->backEndUserBackup = $GLOBALS['BE_USER'];
+ }
+
+ public function tearDown() {
+ unset($GLOBALS['_POST']['TSFE_EDIT'], $GLOBALS['TSFE']);
+ $GLOBALS['BE_USER'] = $this->backEndUserBackup;
+ }
+
+ /**
+ * @test
+ */
+ public function editActionSafeguardsUidParameterForUpCommand() {
+ $backEndUser = $this->getMock(
+ 't3lib_beUserAuth', array('isFrontendEditingActive')
+ );
+ $backEndUser->expects($this->any())->method('isFrontendEditingActive')
+ ->will($this->returnValue(true));
+ $GLOBALS['BE_USER'] = $backEndUser;
+
+ $frontEnd = $this->getMock('tslib_fe', array(), array(), '', false);
+ $GLOBALS['TSFE'] = $frontEnd;
+
+ $GLOBALS['_POST']['TSFE_EDIT'] = array(
+ 'record' => 'tt_content:42 hello world',
+ 'cmd' => 'up',
+ );
+
+ /** @var t3lib_frontendedit */
+ $fixture = $this->getMock(
+ 't3lib_frontendedit',
+ array(
+ 'doClose', 'DoDelete', 'doDown', 'doHide', 'doMove', 'doSave',
+ 'doSaveAndClose', 'doUnhide', 'doUp', 'isEditAction',
+ )
+ );
+ $fixture->expects($this->any())->method('isEditAction')
+ ->will($this->returnValue(true));
+ $fixture->expects($this->atLeastOnce())->method('doUp')
+ ->with('tt_content', 42);
+
+ $fixture->initConfigOptions();
+ }
+}
+?>
\ No newline at end of file
Index: t3lib/class.t3lib_frontendedit.php
===================================================================
--- t3lib/class.t3lib_frontendedit.php (revision 5972)
+++ t3lib/class.t3lib_frontendedit.php (working copy)
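Review bot: The mocked-method list in editActionSafeguardsUidParameterForUpCommand names `'DoDelete'` with a capital D while every sibling is lower-camel (`doClose`, `doDown`, …); PHP resolves method names case-insensitively so the stub still takes effect, but it reads as a typo and defeats a case-sensitive search, so it should be `'doDelete'`. The test pins only the happy path of the new cast (`'tt_content:42 hello world'` → `doUp('tt_content', 42)`); a second case feeding a non-numeric uid such as `'tt_content:abc'` and asserting what the command receives (`0`, or no call at all, whichever the class intends) would document the safeguard's boundary. The hunk header announces 85 added lines but far fewer are visible here, and the file's `<?php` opener and class docblock are among the missing ones, so the file header could not be reviewed.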
@@ -36,6 +36,12 @@
 * @subpackage t3lib
 */
 class t3lib_frontendedit {
+ /**
+ * GET/POST parameters for the FE editing
+ *
+ * @var array
+ */
+ protected $TSFE_EDIT;
 /**
 * TCEmain object.
@@ -209,6 +215,7 @@
 public function editAction() {
 // Commands:
 list($table, $uid) = explode(':', $this->TSFE_EDIT['record']);
+ $uid = intval($uid);
 $cmd = $this->TSFE_EDIT['cmd'];
 // Look for some TSFE_EDIT data that indicates we should save.
@@ -441,7 +448,7 @@
 $this->doSave($table, $uid);
 }
-
+
 /**
 * Stub for closing a record. No real functionality needed since content
 * element rendering will take care of everything.
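Review bot: The docblock on the new `$TSFE_EDIT` property says only "GET/POST parameters for the FE editing", yet editAction reads `$this->TSFE_EDIT['record']` and `['cmd']` straight out of it, so the comment should state the trust level rather than leave readers to assume the array is already validated. I would write it as `* Raw GET/POST parameters for frontend editing (TSFE_EDIT).` followed by `* Unvalidated request input: every consumer must cast or check the values it uses.`, keeping the `@var array` tag.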
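Review bot: `$uid = intval($uid);` closes the path for the uid, but `$table`, taken from the same request-supplied `record` string by the `list(...) = explode(':', ...)` on the line above, still reaches `doUp($table, $uid)` and the other `do*` commands unchecked, and a `record` value without a colon leaves `$uid` unset (an undefined-offset notice, then `intval(null)` gives 0). I would reject both cases right after the cast, e.g. `if ($uid <= 0 || !isset($GLOBALS['TCA'][$table])) { return; }`, using whatever early exit the method already has for an unknown command; `$GLOBALS['TCA']` is the table registry TYPO3 exposes globally, so the check doubles as an allow-list of editable tables. editAction's body continues outside the hunk, so its existing error path is not visible here.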