Bug #102751: AbstractUserAuthentication: Missing condition for empty checkPid_value - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #102751

closed

AbstractUserAuthentication: Missing condition for empty checkPid_value

Added by Sven Proffe 7 months ago. Updated 8 days ago.

Status:

Closed

Priority:

Must have

Assignee:

Category:

Authentication

Target version:

Start date:

2024-01-04

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

In TYPO3\CMS\Core\Authentication\AbstractUserAuthentication, line 919 reads (as of current main):

if ($this->checkPid && $this->checkPid_value !== null) {

As $this->checkPid_value may be a string it may be empty, which is not checked. In that case TYPO3\CMS\Core\Authentication\AbstractAuthenticationService->fetchUserRecord() will end up with a corrupt SQL query containing a restriction like ... AND pid in ()...

So, I'd like to suggest to check for an empty string, as well.

if ($this->checkPid && $this->checkPid_value !== null && $this->checkPid_value !== '') {

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Watchers (1)

Bug #102751

AbstractUserAuthentication: Missing condition for empty checkPid_value

Updated by Sven Proffe 7 months ago

Updated by Gerrit Code Review 7 months ago

Updated by Gerrit Code Review 7 months ago

Updated by Gerrit Code Review 7 months ago

Updated by Gerrit Code Review 6 months ago

Updated by Oliver Bartsch 6 months ago

Updated by Benni Mack 8 days ago