Bug #31278: Missing quoting in t3lib_extFileFunc - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #31278

closed

Missing quoting in t3lib_extFileFunc

Added by Andreas Wolf about 13 years ago. Updated about 6 years ago.

Status:

Closed

Priority:

Should have

Assignee:

Category:

Target version:

Start date:

2011-10-25

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

4.6

PHP Version:

Tags:

scheduled

Complexity:

Is Regression:

Sprint Focus:

Description

During a FAL code sprint, we discovered that t3lib_extFileFunc does not escape file names when using them for exec calls. This could possibly lead to unwanted side-effects.

See e.g. this snippet from func_copy():

if ($this->PHPFileFunctions) {
    copy($theFile, $theDestFile);
} else {
    $cmd = 'cp "' . $theFile . '" "' . $theDestFile . '"';
    t3lib_utility_Command::exec($cmd);
}

$theFile and $theDestFile are not escaped anywhere; from what I read in t3lib_utility_Command::imageMagickCommand(), I guess we would have to use escapeshellarg() here.

Files

31278.diff (2.31 KB) 31278.diff

Andreas Wolf, 2011-10-25 13:43

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Bug #31278

Missing quoting in t3lib_extFileFunc

Updated by Andreas Wolf about 13 years ago

Updated by Dmitry Dulepov about 13 years ago

Updated by Helmut Hummel about 13 years ago

Updated by Gerrit Code Review almost 13 years ago

Updated by Steffen Gebert almost 13 years ago

Updated by Dmitry Dulepov over 12 years ago

Updated by Gerrit Code Review over 12 years ago

Updated by Dmitry Dulepov over 12 years ago

Updated by Gerrit Code Review over 12 years ago

Updated by Gerrit Code Review over 12 years ago

Updated by Helmut Hummel over 12 years ago

Updated by Dmitry Dulepov over 12 years ago

Updated by Gerrit Code Review over 12 years ago

Updated by Helmut Hummel over 12 years ago

Updated by Benni Mack about 6 years ago