Bug #22672

closed

Field value added to foreign_table_where by replacing ###REC_FIELD_THE_FIELD_NAME### is not quoted

Added by Helmut Hummel almost 14 years ago. Updated over 13 years ago.

Status: Closed
Priority: Should have
Assignee:
Category: -
Target version: -
Start date: 2010-05-17
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.3
PHP Version: 4.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Building the foreign_table_where string has a feature to replace a marker with the value of another field of the current row.

t3lib_TCEforms::foreignTable() calls t3lib_BEfunc::exec_foreign_table_where_query, where you can find the following snippet:
---------------------
$foreign_table = $fieldValue['config'][$prefix.'foreign_table'];
$rootLevel = $TCA[$foreign_table]['ctrl']['rootLevel'];

$fTWHERE = $fieldValue['config'][$prefix.'foreign_table_where'];
if (strstr($fTWHERE, '###REC_FIELD_')) {
    $fTWHERE_parts = explode('###REC_FIELD_', $fTWHERE);
    while(list($kk, $vv) = each($fTWHERE_parts)) {
        if ($kk) {
            $fTWHERE_subpart = explode('###', $vv, 2);
            $fTWHERE_parts[$kk] = $TSconfig['_THIS_ROW'][$fTWHERE_subpart[0]].$fTWHERE_subpart[1]; // [*]
        }
    }
    $fTWHERE = implode('', $fTWHERE_parts);
}
---------------------

Line [*] should be replaced by

$fTWHERE_parts[$kk] = $GLOBALS['TYPO3_DB']->quoteStr($TSconfig['_THIS_ROW'][$fTWHERE_subpart[0]], $foreign_table) . $fTWHERE_subpart[1];

Otherwise it is possible that an injection string, placed by a BE user in the value of field $fTWHERE_subpart[0], will be executed.

OTRS: 2010051710000011
Reporter: Marc Bastian Heinrichs

(issue imported from #M14412)


Files

14412.diff (632 Bytes) Administrator Admin, 2010-05-18 00:25
14412-trunk.diff (626 Bytes) Administrator Admin, 2010-05-18 00:38
14412-4_1.diff (624 Bytes) Administrator Admin, 2010-05-18 00:38
14412_v2.diff (886 Bytes) Administrator Admin, 2010-06-30 15:13
14412_41.patch (882 Bytes) Administrator Admin, 2010-07-28 01:26

Actions #1

Updated by Xavier Perseguers almost 14 years ago

v2 takes care of queries having single quotes around the ###REC_FIELD... marker (templavoila for instance) or not.
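
The marker substitution discussed in this issue, as an added example that is not part of the thread and not TYPO3 code. It goes beyond the adjacent-quote case mentioned above by using quote parity in the trusted template to decide whether a marker sits inside a single-quoted literal; `quoteStr()` here is an `addslashes()` stand-in for the database layer, and `replaceRecFieldMarkers()`, the `tx_demo` table and the row values are constructed for illustration.

```php
<?php
// Added illustration, not TYPO3 code. quoteStr() is a stand-in for
// $GLOBALS['TYPO3_DB']->quoteStr(); a real DB layer escapes for its connection.
function quoteStr(string $value): string
{
    return addslashes($value);
}

// Replace ###REC_FIELD_<name>### markers with values from the current row.
// $quote = false reproduces the unquoted substitution from the report.
// Assumes the template only uses single-quoted SQL literals.
function replaceRecFieldMarkers(string $where, array $row, bool $quote = true): string
{
    $tokens = preg_split('/###REC_FIELD_(\w+)###/', $where, -1, PREG_SPLIT_DELIM_CAPTURE);
    $sql = '';
    $quotesSeen = 0; // single quotes in the trusted template text so far
    foreach ($tokens as $i => $token) {
        if ($i % 2 === 0) { // template text between markers
            // Ignore backslash-escaped characters when counting quotes.
            $quotesSeen += substr_count(preg_replace('/\\\\./s', '', $token), "'");
            $sql .= $token;
            continue;
        }
        $value = (string)($row[$token] ?? ''); // odd index: field name
        if (!$quote) {
            $sql .= $value;                       // raw row value lands in the SQL
        } elseif ($quotesSeen % 2 === 1) {
            $sql .= quoteStr($value);             // already inside a literal: escape only
        } else {
            $sql .= "'" . quoteStr($value) . "'"; // bare position: escape and wrap
        }
    }
    return $sql;
}

// Constructed sample data: hypothetical table tx_demo, hostile values in the row.
$row = ['category' => '0 OR 1=1', 'title' => "x' OR '1'='1"];
$templates = [
    'AND tx_demo.category=###REC_FIELD_category###',
    "AND tx_demo.title='###REC_FIELD_title###'",
    "AND tx_demo.title LIKE '%###REC_FIELD_title###%'",
];
foreach ($templates as $template) {
    echo 'unquoted: ', replaceRecFieldMarkers($template, $row, false), "\n";
    echo 'quoted:   ', replaceRecFieldMarkers($template, $row), "\n\n";
}
```

The first template shows why escaping alone is not enough for a bare marker: `0 OR 1=1` contains nothing to escape, so it only becomes harmless once it is placed inside a literal.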

Actions #2

Updated by Oliver Hader over 13 years ago

Added patch for TYPO3_4-1 branch...

Actions #3

Updated by Oliver Hader over 13 years ago

Committed to SVN
  • TYPO3_4-1 (rev. 8412)
  • TYPO3_4-2 (rev. 8413)
  • TYPO3_4-3 (rev. 8414)
  • TYPO3_4-4 (rev. 8415)
  • Trunk (rev. 8416)
Actions #4

Updated by Ingo Renner over 13 years ago

released in
4.1.15
4.2.14
4.3.5
4.4.2

Actions #5

Updated by Helmut Hummel over 13 years ago

reopened to make it non-private
