Bug #34780

closed

tslib_fe->initFEuser uses TYPO3_DB->cleanIntList with empty value

Added by Christian Finkemeier over 12 years ago. Updated over 9 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: -
Target version: -
Start date: 2012-03-13
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.5
PHP Version: 5.3
Tags:
Complexity: easy
Is Regression: No
Sprint Focus:

Description

The main script index_ts.php calls the tslib_fe method initFEuser.

This method calls the TYPO3_DB->cleanIntList method with a parameter fetched by t3lib_div::_GP('pid') on line 623 (TYPO3 Version 4.5.12).

If there is no GET parameter "pid", the parameter passed to TYPO3_DB->cleanIntList is NULL, but it had to be a string type to call the t3lib_div::intExplode method.

So every time you call the index_ts.php without the GET parameter "pid" the sys_log table will be filled with an entry like this:

"Core: Error handler (FE): PHP Warning: explode() expects parameter 2 to be string, array given in /typo3_src-4.5.12/t3lib/class.t3lib_div.php line 1946" 

"Core: Error handler (FE): PHP Warning: array_map(): Argument #2 should be an array in /typo3_src-4.5.12/t3lib/class.t3lib_div.php line 1949"

This bug could be easily solved by mapping the parameter to string like this:

typo3/sysext/cms/tslib/class.tslib_fe.php: line 623
$this->fe_user->checkPid_value = $GLOBALS['TYPO3_DB']->cleanIntList((string)t3lib_div::_GP('pid'));    // List of pid's acceptable

best regards
Christian


Related issues: 1 (0 open, 1 closed)

Has duplicate: TYPO3 Core - Bug #34781: t3lib_userauth->getAuthInfoArray calls TYPO3_DB->cleanIntList without string parameter (Closed, 2012-03-13)

#1

Updated by Wouter Wolters almost 10 years ago

  • Status changed from New to Needs Feedback
  • Is Regression set to No

Hi,

As this issue is very old: does the problem still exist within newer versions of TYPO3 CMS (6.2.9)?

#2

Updated by Christian Finkemeier almost 10 years ago

This issue should have been patched already. ;-)
But the related issue #34781 is still not solved.

In TYPO3 4.5.39, the file t3lib/class.t3lib_userauth.php had to be changed like this (line 1298-1299):

// Existing code (lines 1298-1299): cleanIntList() is called even when checkPid_value is empty
$authInfo['db_user']['checkPidList'] = $this->checkPid ? $this->checkPid_value : '';
$authInfo['db_user']['check_pid_clause'] = $this->checkPid ? ' AND pid IN (' . $GLOBALS['TYPO3_DB']->cleanIntList($authInfo['db_user']['checkPidList']) . ')' : '';

// Changed code: only build the clause when a pid list is set (the string '0' counts as set)
if ($this->checkPid && ($this->checkPid_value || $this->checkPid_value === '0')) {
    $authInfo['db_user']['checkPidList'] = $this->checkPid_value;
    $authInfo['db_user']['check_pid_clause'] = ' AND pid IN (' . $GLOBALS['TYPO3_DB']->cleanIntList($authInfo['db_user']['checkPidList']) . ')';
} else {
    $authInfo['db_user']['checkPidList'] = '';
    $authInfo['db_user']['check_pid_clause'] = '';
}
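
An added example, not TYPO3 code and not code from this ticket: a stand-alone PHP sketch of the type guard from the description combined with the empty-list check from comment #2. The names cleanIntListSketch, pidParamToString and checkPidClause are hypothetical, and the stand-in assumes the integer cleaning is explode() followed by intval(), as the calls named in the quoted warnings suggest.

```php
<?php
// Added example; hypothetical stand-in helpers, not TYPO3 source.

/** Stand-in for cleanIntList() (assumption): every list item is forced to an integer. */
function cleanIntListSketch(string $list): string
{
    return implode(',', array_map('intval', explode(',', $list)));
}

/** Reduce whatever the request supplied for "pid" to a plain string. */
function pidParamToString($raw): string
{
    // ?pid[]=1 arrives as an array and an absent parameter as NULL;
    // neither is a comma-separated list, so both become the empty string.
    return is_scalar($raw) ? trim((string)$raw) : '';
}

/** Build the clause like the if/else above: empty list means no clause, '0' is kept. */
function checkPidClause(bool $checkPid, $rawPid): string
{
    $value = pidParamToString($rawPid);
    if ($checkPid && ($value || $value === '0')) {
        return ' AND pid IN (' . cleanIntListSketch($value) . ')';
    }
    return '';
}

// Constructed sample inputs, one per case discussed in the ticket.
$samples = array(
    'absent'  => null,               // no "pid" parameter at all
    'array'   => array('1', '2'),    // the type named in the quoted explode() warning
    'zero'    => '0',                // must survive the truthiness check
    'list'    => '12, 34,56',        // ordinary list with stray whitespace
    'non-int' => '7,abc,9x',         // non-numeric items are coerced by intval()
);

foreach ($samples as $label => $raw) {
    printf("%-8s => '%s'\n", $label, checkPidClause(true, $raw));
}
```

Non-numeric items collapse to 0 under intval(), so the cleaned list can contain pid 0 even when the request never named it.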

#3

Updated by Alexander Opitz almost 10 years ago

  • Assignee deleted (Christian Finkemeier)
  • Target version deleted (4.5.13)

Why do you assign 2 issues to yourself if you don't provide patches?

#4

Updated by Alexander Opitz over 9 years ago

  • Status changed from Needs Feedback to Closed

No feedback within the last 90 days => closing this issue.

If you think that this is the wrong decision or experience this issue again, then please write to the mailing list typo3.teams.bugs with issue number and an explanation or open a new ticket and add a relation to this ticket number.
