Bug #34781
t3lib_userauth->getAuthInfoArray calls TYPO3_DB->cleanIntList without string parameter
Status: Closed
Priority: Must have
Assignee: -
Category: -
Target version: -
Start date: 2012-03-13
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.5
PHP Version: 5.3
Tags:
Complexity: easy
Is Regression: No
Sprint Focus:
Description
The same problem as I described in this bug: http://forge.typo3.org/issues/34780
The t3lib_userauth->getAuthInfoArray calls TYPO3_DB->cleanIntList without the parameter being a string...
Should be updated to something like this:
t3lib/class.t3lib_userauth.php: line 1282
$authInfo['db_user']['check_pid_clause'] = $this->checkPid ? ' AND pid IN ('.$GLOBALS['TYPO3_DB']->cleanIntList((string)$authInfo['db_user']['checkPidList']).')' : '';
Updated by Christian Finkemeier almost 10 years ago
This issue is not yet patched in TYPO3 4.5.39 (I don't know if it has been patched in newer major versions).
File t3lib/class.t3lib_userauth.php had to be changed like this (lines 1298-1299):
$authInfo['db_user']['checkPidList'] = $this->checkPid ? $this->checkPid_value : '';
$authInfo['db_user']['check_pid_clause'] = $this->checkPid ? ' AND pid IN (' . $GLOBALS['TYPO3_DB']->cleanIntList($authInfo['db_user']['checkPidList']) . ')' : '';

if ($this->checkPid && ($this->checkPid_value || $this->checkPid_value === '0')) {
    $authInfo['db_user']['checkPidList'] = $this->checkPid_value;
    $authInfo['db_user']['check_pid_clause'] = ' AND pid IN (' . $GLOBALS['TYPO3_DB']->cleanIntList($authInfo['db_user']['checkPidList']) . ')';
} else {
    $authInfo['db_user']['checkPidList'] = '';
    $authInfo['db_user']['check_pid_clause'] = '';
}
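An added example, not part of the ticket or of TYPO3's code: a stand-alone PHP sketch of the guarded `check_pid_clause` construction from the comment above, combined with the `(string)` cast from the description and run over constructed inputs of different types. `clean_int_list()` and `build_pid_clause()` are hypothetical names; the stand-in assumes `cleanIntList` casts each comma-separated item to an integer, and its rejection of non-string arguments is likewise an assumption, made to keep the string contract visible.

```php
<?php
// Hypothetical stand-in for TYPO3_DB->cleanIntList. Assumptions: every
// comma-separated item is cast to an integer, and non-strings are rejected.
function clean_int_list($list)
{
    if (!is_string($list)) {
        throw new InvalidArgumentException('list must be a string, got ' . gettype($list));
    }
    return implode(',', array_map('intval', explode(',', $list)));
}

// Builds the pid restriction with the guard from the comment above:
// no clause unless checking is enabled and a pid value (including '0') is set.
// The (string) cast is the one proposed in the ticket description.
function build_pid_clause($checkPid, $checkPidValue)
{
    if ($checkPid && ($checkPidValue || $checkPidValue === '0')) {
        return ' AND pid IN (' . clean_int_list((string)$checkPidValue) . ')';
    }
    return '';
}

// Constructed sample values, not taken from a real installation.
$samples = array(
    'integer pid'       => 12,
    'string list'       => '12,13',
    'string zero'       => '0',
    'integer zero'      => 0,
    'empty string'      => '',
    'null'              => null,
    'non-numeric items' => '12,abc, 7',
);

foreach ($samples as $label => $value) {
    printf("%-18s => '%s'\n", $label, build_pid_clause(true, $value));
}

// With checking disabled no clause is produced, whatever the value.
printf("%-18s => '%s'\n", 'checkPid disabled', build_pid_clause(false, '12,13'));
```

Every item that reaches the `IN (...)` list has passed through `intval`, so the clause only ever contains integers and commas.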
Updated by Alexander Opitz almost 10 years ago
- Status changed from Accepted to Closed
- Assignee deleted (Christian Finkemeier)
- Target version deleted (4.5.13)
- Is Regression set to No
Closing as duplicate of #34780