Bug #31278: Missing quoting in t3lib_extFileFunc - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #31278

closed

Missing quoting in t3lib_extFileFunc

Added by Andreas Wolf over 12 years ago. Updated over 5 years ago.

Status:

Closed

Priority:

Should have

Assignee:

Category:

Target version:

Start date:

2011-10-25

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

4.6

PHP Version:

Tags:

scheduled

Complexity:

Is Regression:

Sprint Focus:

Description

During a FAL code sprint, we discovered that t3lib_extFileFunc does not escape file names when using them for exec calls. This could possibly lead to unwanted side-effects.

See e.g. this snippet from func_copy():

if ($this->PHPFileFunctions) {
    copy($theFile, $theDestFile);
} else {
    $cmd = 'cp "' . $theFile . '" "' . $theDestFile . '"';
    t3lib_utility_Command::exec($cmd);
}

$theFile and $theDestFile are not escaped anywhere; from what I read in t3lib_utility_Command::imageMagickCommand(), I guess we would have to use escapeshellarg() here.

Files

31278.diff (2.31 KB) 31278.diff

Andreas Wolf, 2011-10-25 13:43

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Bug #31278

Missing quoting in t3lib_extFileFunc

Updated by Andreas Wolf over 12 years ago

Updated by Dmitry Dulepov over 12 years ago

Updated by Helmut Hummel over 12 years ago

Updated by Gerrit Code Review over 12 years ago

Updated by Steffen Gebert over 12 years ago

Updated by Dmitry Dulepov about 12 years ago

Updated by Gerrit Code Review about 12 years ago

Updated by Dmitry Dulepov about 12 years ago

Updated by Gerrit Code Review almost 12 years ago

Updated by Gerrit Code Review almost 12 years ago

Updated by Helmut Hummel over 11 years ago

Updated by Dmitry Dulepov over 11 years ago

Updated by Gerrit Code Review over 11 years ago

Updated by Helmut Hummel over 11 years ago

Updated by Benni Mack over 5 years ago