[TYPO3-dev] [TYPO3-core] RFC #12094: Bug: stdWrap function fullQuoteStr

Steffen Müller typo3 at t3node.com
Fri Oct 2 19:24:24 CEST 2009


Hi.

On 02.10.2009 15:56 Dmitry Dulepov wrote:
> 
> It is not the first and not the last time when different security issues
> are discussed openly. Sometimes people simply do not understand that it
> is dangerous. Therefore it is much better that *anything* related to
> security goes through the security team. False alarm is better than
> missed alarm. Ever saw it from this point of view?
> 

IMHO the topic is not about a security issue of TYPO3 but a general
threat of SQL injection when processing user data in TS. The RFC never
mentioned any vulnerable extension or core component.

The real danger is that people do not know that even TypoScript is not
100% safe. The first step to learn that is having access to related
information, the second is to have tools (intval, fullQuoteStr, ...) to
write proper code.

What could the sec-team in your opinion do about the possibility of SQL
injection in badly written TS? We are far from touchless security in v.4
and I guess this will not change without slaughter of the holy cow.
Do you blame PHP core-devs for their parser, because someone writes bad
PHP code full of SQL-injection holes?


-- 
cheers,
Steffen

TYPO3 Blog: http://www.t3node.com/
Blubber on Twitter: http://twitter.com/t3node
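The two tools named above, intval and fullQuoteStr, are what separates a WHERE fragment that carries user data safely from one that does not. The following is an added example, not code from the thread or from TYPO3: the helpers mimic the behaviour of PHP's intval() and of MySQL-style quoting as TYPO3's fullQuoteStr performs it (the exact escape set is an assumption), and the user inputs are constructed for the demonstration. A small quote counter shows the check that distinguishes a fragment containing one string literal from one whose literal has been closed early.

```python
"""Added example: user data in a WHERE fragment, with and without
intval / fullQuoteStr-style handling. Illustrative helpers, not TYPO3 code."""
import re


def intval(value: str) -> int:
    """Mimic PHP intval(): take a leading (optionally signed) integer, else 0."""
    match = re.match(r"\s*([+-]?\d+)", value)
    return int(match.group(1)) if match else 0


def full_quote_str(value: str) -> str:
    """Mimic MySQL-style quoting: backslash-escape the characters MySQL treats
    specially inside a string literal, then wrap the result in single quotes.
    (Assumption: same escape set as mysql_real_escape_string.)"""
    translation = {
        "\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
        "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
    }
    return "'" + "".join(translation.get(ch, ch) for ch in value) + "'"


def where_unsafe(header: str) -> str:
    """The pattern the thread warns about: user data interpolated verbatim."""
    return f"header='{header}'"


def where_quoted(header: str) -> str:
    """String data passed through fullQuoteStr-style quoting."""
    return "header=" + full_quote_str(header)


def where_uid(uid: str) -> str:
    """Numeric data reduced to an integer, so no quoting is needed at all."""
    return f"uid={intval(uid)}"


def unescaped_quote_count(clause: str) -> int:
    """Count single quotes that are not backslash-escaped. A fragment holding
    exactly one string literal has two; more means the literal was closed
    early and the remainder of the input became SQL syntax."""
    count, escaped = 0, False
    for ch in clause:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            count += 1
    return count


# Constructed inputs standing in for GET/POST data reaching TypoScript.
USER_HEADER = "O'Reilly' OR 1=1"
USER_UID = "12 OR 1=1"

if __name__ == "__main__":
    for label, clause in (
        ("unsafe", where_unsafe(USER_HEADER)),
        ("quoted", where_quoted(USER_HEADER)),
        ("intval", where_uid(USER_UID)),
    ):
        print(f"{label:7} {clause!r:45} quotes={unescaped_quote_count(clause)}")
```

Running the block prints the three fragments side by side: the verbatim one contains four unescaped quotes, so the literal ended at the apostrophe in the input and `OR 1=1` became part of the clause; the quoted one contains exactly two, and the intval one reduces the whole input to `12`.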