Bug #24278
closed
SQL injection problem in class.db_list.inc (class recordList)
0%
Description
recordList::start() uses a non-sanatized version of the parameter $id for inserting it into a where clause.
Solution: use the sanatized version which is already available in the function.
It's present in all TYPO3 versions in SVN (starting with 3.6.0)
I've only attached a patch for trunk; the code is identical in all previous versions and the fix consists of adding 6 characters.
See Ticket#2010120110000018
OTRS 2010120110000018
(issue imported from #M16653)
Files
Updated by 
Updated by
Updated by Oliver Hader over 13 years ago
I resolved the call to t3lib_treeView::getDataInit() and find $GLOBALS['TYPO3_DB']->fullQuoteStr($parentId, $this->table) (where $parentId uses the $id) - so it looks like this is fine in the Core. Using $this->id which was processed by intval() of course does not hurt.
Updated by Oliver Hader over 13 years ago
Ah... its added to $tree->ids unsanitized and used with "pid IN (...ids...)"
I think it's usefull to add an additional sanitizing before the array is used by passing it through t3lib_div::cleanIntArray()...
Updated by