Bug #34780
closed
tslib_fe->initFEuser uses TYPO3_DB->cleanIntList with empty value
Description
The main script index_ts.php calls the tslib_fe method initFEuser.
This method calls the TYPO3_DB->cleanIntList method with a parameter fetched by t3lib_div::_GP('pid') on line 623 (TYPO3 Version 4.5.12).
If there is no GET parameter "pid", the parameter passed to TYPO3_DB->cleanIntList is NULL, but it has to be a string type to call the t3lib_div::intExplode method.
So every time you call the index_ts.php without the GET parameter "pid" the sys_log table will be filled with an entry like this:
"Core: Error handler (FE): PHP Warning: explode() expects parameter 2 to be string, array given in /typo3_src-4.5.12/t3lib/class.t3lib_div.php line 1946"
"Core: Error handler (FE): PHP Warning: array_map(): Argument #2 should be an array in /typo3_src-4.5.12/t3lib/class.t3lib_div.php line 1949"
This bug could be easily solved by mapping the parameter to string like this:
typo3/sysext/cms/tslib/class.tslib_fe.php: line 623
    $this->fe_user->checkPid_value = $GLOBALS['TYPO3_DB']->cleanIntList((string)t3lib_div::_GP('pid')); // List of pid's acceptable
best regards
Christian
Updated by Wouter Wolters almost 10 years ago
- Status changed from New to Needs Feedback
- Is Regression set to No
Hi,
As this issue is very old: does the problem still exist in newer versions of TYPO3 CMS (6.2.9)?
Updated by Christian Finkemeier almost 10 years ago
This issue should have been patched already. ;-)
But the related issue #34781 is still not solved.
In TYPO3 4.5.39, the file t3lib/class.t3lib_userauth.php had to be changed like this (lines 1298-1299):
    $authInfo['db_user']['checkPidList'] = $this->checkPid ? $this->checkPid_value : '';
    $authInfo['db_user']['check_pid_clause'] = $this->checkPid ? ' AND pid IN (' . $GLOBALS['TYPO3_DB']->cleanIntList($authInfo['db_user']['checkPidList']) . ')' : '';

    if ($this->checkPid && ($this->checkPid_value || $this->checkPid_value === '0')) {
        $authInfo['db_user']['checkPidList'] = $this->checkPid_value;
        $authInfo['db_user']['check_pid_clause'] = ' AND pid IN (' . $GLOBALS['TYPO3_DB']->cleanIntList($authInfo['db_user']['checkPidList']) . ')';
    } else {
        $authInfo['db_user']['checkPidList'] = '';
        $authInfo['db_user']['check_pid_clause'] = '';
    }
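An added example, not TYPO3 core code and not written by the commenters: a type-checked integer-list sanitizer combined with the empty-list guard from the two comments above, so a missing or array-valued "pid" neither triggers warnings nor reaches the SQL clause. The function names cleanIntListStrict and buildPidClause are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added illustration with stand-in helpers; not the TYPO3 implementation.

/**
 * Normalize a request value into a comma-separated list of integers.
 * Only strings and ints are accepted; null, arrays and other types yield ''.
 */
function cleanIntListStrict($value): string
{
    if (is_int($value)) {
        return (string)$value;
    }
    if (!is_string($value) || trim($value) === '') {
        return ''; // parameter absent, empty, or sent as pid[]=...
    }
    $ints = [];
    foreach (explode(',', $value) as $part) {
        $ints[] = (int)trim($part); // anything after the leading digits is dropped
    }
    return implode(',', $ints);
}

/**
 * Build the pid restriction only when there is a list to restrict to,
 * mirroring the guard shown for t3lib_userauth in the comment above.
 */
function buildPidClause(bool $checkPid, $rawPid): string
{
    $list = cleanIntListStrict($rawPid);
    if (!$checkPid || $list === '') {
        return '';
    }
    return ' AND pid IN (' . $list . ')';
}

// Constructed sample inputs: absent parameter, array parameter,
// the literal '0', a normal list, and a string carrying SQL fragments.
$samples = [null, ['1', '2'], '0', '12, 34', '5) OR 1=1 --'];
foreach ($samples as $raw) {
    printf("%-18s => %s\n", json_encode($raw), var_export(buildPidClause(true, $raw), true));
}
```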
Updated by Alexander Opitz almost 10 years ago
- Assignee deleted (Christian Finkemeier)
- Target version deleted (4.5.13)
Why do you assign 2 issues to yourself if you don't provide patches?
Updated by Alexander Opitz over 9 years ago
- Status changed from Needs Feedback to Closed
No feedback within the last 90 days => closing this issue.
If you think that this is the wrong decision or experience this issue again, then please write to the mailing list typo3.teams.bugs with issue number and an explanation or open a new ticket and add a relation to this ticket number.