Bug #102751
Closed
AbstractUserAuthentication: Missing condition for empty checkPid_value
100%
Description
In TYPO3\CMS\Core\Authentication\AbstractUserAuthentication, line 919 reads (as of current main):
if ($this->checkPid && $this->checkPid_value !== null) {
As $this->checkPid_value may be a string, it may be empty, which is not checked. In that case TYPO3\CMS\Core\Authentication\AbstractAuthenticationService->fetchUserRecord() will end up with a corrupt SQL query containing a restriction like ... AND pid in ()...
So, I'd like to suggest checking for an empty string as well.
if ($this->checkPid && $this->checkPid_value !== null && $this->checkPid_value !== '') {
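The two guards from the report, side by side, as an added sketch that is not TYPO3 code and not part of the original report. The helper pidList() and both restriction functions are hypothetical, and the sketch assumes the value is split on commas with empty items dropped before the IN list is built.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the code that turns checkPid_value into a SQL
// restriction. Assumption: the value is split on commas, empty items are
// dropped and the rest are cast to int.
function pidList(string|int $value): array
{
    $items = array_filter(
        array_map('trim', explode(',', (string)$value)),
        static fn (string $item): bool => $item !== ''
    );
    return array_values(array_map('intval', $items));
}

// Guard as quoted in the report: only null is excluded.
function restrictionBefore(bool $checkPid, string|int|null $value): ?string
{
    if ($checkPid && $value !== null) {
        return 'pid IN (' . implode(',', pidList($value)) . ')';
    }
    return null;
}

// Guard as suggested in the report: the empty string is excluded too.
function restrictionAfter(bool $checkPid, string|int|null $value): ?string
{
    if ($checkPid && $value !== null && $value !== '') {
        return 'pid IN (' . implode(',', pidList($value)) . ')';
    }
    return null;
}

// Constructed sample values for checkPid_value.
foreach ([null, '', '0', '12,34', 7] as $value) {
    printf(
        "%-8s before: %-16s after: %s\n",
        var_export($value, true),
        restrictionBefore(true, $value) ?? '(no restriction)',
        restrictionAfter(true, $value) ?? '(no restriction)'
    );
}
```

In this sketch only the empty string differs between the two guards: the first produces `pid IN ()`, the second produces no pid restriction at all, so the lookup is no longer limited to particular pages for that value.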
Updated by Gerrit Code Review 11 months ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82309
Updated by Gerrit Code Review 11 months ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82309
Updated by Gerrit Code Review 11 months ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82309
Updated by Gerrit Code Review 11 months ago
Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82372
Updated by Oliver Bartsch 11 months ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset db53130a16aef18f572386c3ce66e0bf7026683e.