Bug #22672
Status: closed
Field value added to foreign_table_where by replacing ###REC_FIELD_THE_FIELD_NAME### is not quoted
Description
Building the foreign_table_where string has a feature to replace a marker with the value of another field of the current row.
t3lib_TCEforms::foreignTable() calls
t3lib_BEfunc::exec_foreign_table_where_query(),
where you can find the following snippet:
---------------------
$foreign_table = $fieldValue['config'][$prefix.'foreign_table'];
$rootLevel = $TCA[$foreign_table]['ctrl']['rootLevel'];
$fTWHERE = $fieldValue['config'][$prefix.'foreign_table_where'];
if (strstr($fTWHERE, '###REC_FIELD_')) {
    $fTWHERE_parts = explode('###REC_FIELD_', $fTWHERE);
    while (list($kk, $vv) = each($fTWHERE_parts)) {
        if ($kk) {
            // split "<field name>###<rest of clause>" into the two halves
            $fTWHERE_subpart = explode('###', $vv, 2);
            // [*] raw row value is spliced into the WHERE clause without quoting
            $fTWHERE_parts[$kk] = $TSconfig['_THIS_ROW'][$fTWHERE_subpart[0]] . $fTWHERE_subpart[1];
        }
    }
    $fTWHERE = implode('', $fTWHERE_parts);
}
---------------------
Line [*] should be replaced by
$fTWHERE_parts[$kk] = $GLOBALS['TYPO3_DB']->quoteStr($TSconfig['_THIS_ROW'][$fTWHERE_subpart[0]], $foreign_table) . $fTWHERE_subpart[1];
otherwise it is possible that an injection string, placed by a backend user in the value of the field named by $fTWHERE_subpart[0], will be executed.
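The marker substitution with the value quoted before it enters the WHERE clause, written out as an added, stand-alone example (not TYPO3's own code). quoteValue() is an assumed stand-in for $GLOBALS['TYPO3_DB']->quoteStr(), and the regex-based replaceRecFieldMarkers() additionally rejects marker names that do not exist in the row, which the original explode-based loop does not do; the sample WHERE clause, table and row are constructed.

```php
<?php
// Added example (not TYPO3 code): replace ###REC_FIELD_<name>### markers in a
// foreign_table_where clause with the quoted value of column <name> of the
// record currently being edited.

/**
 * Assumed stand-in for $GLOBALS['TYPO3_DB']->quoteStr(): escapes a value for
 * use inside a single-quoted MySQL string literal. A real TYPO3 installation
 * must call the database layer's own quoting instead of this helper.
 */
function quoteValue(string $value): string
{
    return addslashes($value);
}

/**
 * Expand every ###REC_FIELD_<name>### marker in $where.
 * The marker (and so the column name) comes from TCA and is trusted; the
 * value comes from the row the backend user is editing and is therefore
 * quoted before it is spliced into SQL. Unknown column names throw, so a
 * mistyped marker cannot silently expand to an empty string.
 */
function replaceRecFieldMarkers(string $where, array $row): string
{
    return preg_replace_callback(
        '/###REC_FIELD_([A-Za-z0-9_]+)###/',
        function (array $m) use ($row): string {
            $field = $m[1];
            if (!array_key_exists($field, $row)) {
                throw new InvalidArgumentException("Unknown row field in marker: $field");
            }
            return quoteValue((string) $row[$field]);
        },
        $where
    );
}

// Constructed sample: a TCA foreign_table_where using the marker, and a row
// whose category value contains a single quote, as ordinary data often does.
$where = " AND tx_example_domain_model_item.category = '###REC_FIELD_category###'";
$row   = ['uid' => 7, 'category' => "O'Reilly"];

echo replaceRecFieldMarkers($where, $row), PHP_EOL;
```

Without quoting, the single quote in the category value terminates the SQL string literal early; with quoteValue() applied, the value stays inside the literal and the clause structure defined in TCA is preserved. Restricting marker names to [A-Za-z0-9_] is a deliberate narrowing compared with the original explode() loop, which accepted any text up to the next ###.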
OTRS: 2010051710000011
Reporter: Marc Bastian Heinrichs
(issue imported from #M14412)