TYPO3 Core

I made my patch a bit better, by simulating exactly the behaviour of fullQuoteStr(). It also appeared that the query where this method is called doesn't return any results in my case. So I added a test to check whether the DB resource was false or not, to avoid generating a PHP warning.

This is all included in the second patch.

Hi Francois,

thanks for sharing this patch with us. However, since TYPO3 3.7.x is very outdated anyway, there won't be a new version with this patch.

I also don't think that it would be useful to patch rtehtmlarea directly because again this would be inviting to use an outdated product...

- michael

Michael, I understand your reasons and I assure you I don't delve into 3.7.0 for the sheer pleasure of nostalgia :-)

Version 1.1.4 of rtethmlarea is the patched version recommended in the recent security announcement. Which is why I tried to use it, to patch some client's site that wanted the security breach problem addressed, but didn't want a full migration to a more recent version of TYPO3.

A strange lapsus that the recommended version for a security fix does not work on the target platform.

I was indeed perplex. I can be wrong, but I don't see where...

OK, you are right. Sorry for closing in the first run. I have sent a mail to the security team and expect someone of them will take care of this...

I uploaded version 1.1.5 of rtehtmlarea to TER which doesn't contain the call to fullQuoteStr().
http://typo3.org/extensions/repository/view/rtehtmlarea/1.1.5/

Is this problem resolved?

May it be closed?

Yes it is fixed, you can close the issue. Sorry for answering late I didn't receive any e-mail about your latest note.