Bug #34781

closed

t3lib_userauth->getAuthInfoArray calls TYPO3_DB->cleanIntList without string parameter

Added by Christian Finkemeier about 12 years ago. Updated over 9 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: -
Target version: -
Start date: 2012-03-13
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.5
PHP Version: 5.3
Tags:
Complexity: easy
Is Regression: No
Sprint Focus:

Description

The same problem as I described in this bug: http://forge.typo3.org/issues/34780

t3lib_userauth->getAuthInfoArray calls TYPO3_DB->cleanIntList without the parameter being a string...

Should be updated to something like this:

t3lib/class.t3lib_userauth.php: line 1282
$authInfo['db_user']['check_pid_clause'] = $this->checkPid ? ' AND pid IN ('.$GLOBALS['TYPO3_DB']->cleanIntList((string)$authInfo['db_user']['checkPidList']).')' : '';


Related issues 1 (0 open, 1 closed)

Is duplicate of TYPO3 Core - Bug #34780: tslib_fe->initFEuser uses TYPO3_DB->cleanIntList with empty value (Closed, 2012-03-13)

Actions #1

Updated by Oliver Hader about 12 years ago

  • Status changed from New to Accepted
Actions #2

Updated by Christian Finkemeier over 9 years ago

This issue is not yet patched in TYPO3 4.5.39 (I don't know if it has been patched in newer major versions).

File t3lib/class.t3lib_userauth.php had to be changed like this (line 1298-1299):

$authInfo['db_user']['checkPidList'] = $this->checkPid ? $this->checkPid_value : '';
$authInfo['db_user']['check_pid_clause'] = $this->checkPid ? ' AND pid IN (' . $GLOBALS['TYPO3_DB']->cleanIntList($authInfo['db_user']['checkPidList']) . ')' : '';

if ($this->checkPid && ($this->checkPid_value || $this->checkPid_value === '0')) {
    $authInfo['db_user']['checkPidList'] = $this->checkPid_value;
    $authInfo['db_user']['check_pid_clause'] = ' AND pid IN (' . $GLOBALS['TYPO3_DB']->cleanIntList($authInfo['db_user']['checkPidList']) . ')';
} else {
    $authInfo['db_user']['checkPidList'] = '';
    $authInfo['db_user']['check_pid_clause'] = '';
}
Actions #3

Updated by Alexander Opitz over 9 years ago

  • Status changed from Accepted to Closed
  • Assignee deleted (Christian Finkemeier)
  • Target version deleted (4.5.13)
  • Is Regression set to No

Closing as duplicate of #34780
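
An added example, not part of the original issue or of TYPO3 core: a stand-alone PHP model of the guarded clause from comment #2, run over constructed checkPid_value inputs. cleanIntListModel() and buildPidClause() are hypothetical names, and the model assumes cleanIntList() casts each comma-separated item to an integer.

```php
<?php
// Added example, not TYPO3 core code.
// Hypothetical stand-in for TYPO3_DB->cleanIntList(). Assumption: the real
// method casts every comma-separated item to an integer and re-joins them.
function cleanIntListModel($list)
{
    // The explicit (string) cast is the change proposed in the description.
    return implode(',', array_map('intval', explode(',', (string)$list)));
}

// Guarded clause builder with the same condition as the if/else in comment #2:
// the sanitizer is only called when checkPid_value is non-empty or the string '0'.
function buildPidClause($checkPid, $checkPidValue)
{
    if ($checkPid && ($checkPidValue || $checkPidValue === '0')) {
        return ' AND pid IN (' . cleanIntListModel($checkPidValue) . ')';
    }
    // No usable value: emit no clause instead of sanitizing an empty list.
    return '';
}

// Constructed sample values for checkPid_value, including non-string types
// and a string that carries more than integers.
$samples = array('12,34', '0', '', null, 0, 5, '7,abc,9', '1) OR 1=1 --');

foreach ($samples as $value) {
    printf(
        "%-16s => %s\n",
        var_export($value, true),
        var_export(buildPidClause(true, $value), true)
    );
}
```

The empty string, null and integer 0 take the else branch and produce no pid restriction at all, while the string '0' produces a clause restricted to pid 0. Non-numeric items are reduced to integers by the cast, so nothing but digits, minus signs and commas reaches the IN (...) list.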
