Project

General

Profile

Actions
Copy link

Bug #24278

closed

SQL injection problem in class.db_list.inc (class recordList)

Added by Jigal van Hemert almost 14 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Oliver Hader
Category:
-
Target version:
-
Start date:
2010-12-02
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
3.6
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

recordList::start() uses a non-sanatized version of the parameter $id for inserting it into a where clause.

Solution: use the sanatized version which is already available in the function.

It's present in all TYPO3 versions in SVN (starting with 3.6.0)

I've only attached a patch for trunk; the code is identical in all previous versions and the fix consists of adding 6 characters.

See Ticket#2010120110000018

OTRS 2010120110000018
(issue imported from #M16653)

Files

Download all files
2010120110000018.patch (484 Bytes) 2010120110000018.patch Administrator Admin, 2010-12-02 18:47
16653_42.patch (616 Bytes) 16653_42.patch Administrator Admin, 2010-12-09 21:34
16653_43.patch (616 Bytes) 16653_43.patch Administrator Admin, 2010-12-09 21:34
16653_44.patch (616 Bytes) 16653_44.patch Administrator Admin, 2010-12-09 21:34
16653_45.patch (616 Bytes) 16653_45.patch Administrator Admin, 2010-12-09 21:34
Actions
Copy link

Also available in: Atom PDF