[TYPO3-core] RFC #12094: Bug: stdWrap function fullQuoteStr

JoH asenau info at cybercraft.de
Thu Oct 1 18:21:11 CEST 2009


> If this is true, you should have not posted here but contacted TYPO3
> security team. If there is a vulnerability, you made it public and
> exploitable... :(

In this case there is no vulnerability in TYPO3 unless the admin himself
introduced it with TypoScript.
So nothing the security team should be aware of.

It's like telling people not to use GET vars without properly checking
them - the security hole will only appear if somebody doesn't follow the
advice and uses
andWhere.dataWrap = whatever={GPvar:blah}

We've got two options to avoid this:
1. always escape any property used by TS-select
2. introduce a stdWrap function similar to fullQuoteStr() and leave it to
the admin whether he wants to use it or not

Cheers

Joey

-- 
Wenn man keine Ahnung hat: Einfach mal Fresse halten!
(If you have no clues: simply shut your gob sometimes!)
Dieter Nuhr, German comedian
Xing: http://contact.cybercraft.de
Twitter: http://twitter.com/bunnyfield
TYPO3 cookbook (2nd edition): http://www.typo3experts.com
TYPO3 workshops: http://workshops.eqony.com
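To make the two cases from the post concrete, here is a constructed Python simulation added to this archive page; it is not TYPO3 code and not the poster's. It expands the {GPvar:blah} marker of an andWhere.dataWrap template once raw and once through a fullQuoteStr-style quote-and-escape step; GP_VARS, full_quote_str and data_wrap are assumed names, and the escaping mirrors MySQL string-literal rules rather than TYPO3's exact implementation.

```python
"""
Constructed simulation (not TYPO3 code) of the andWhere.dataWrap expansion
discussed in the post: a {GPvar:...} marker is replaced with a request value,
either raw (option "leave it to the admin") or passed through a
fullQuoteStr-style quote-and-escape step.
"""
import re

# Constructed stand-in for the GET/POST variables reachable via {GPvar:...}.
# The value contains a single quote, as a surname or free-text field might.
GP_VARS = {"blah": "O'Reilly"}


def full_quote_str(value: str) -> str:
    """Mimic what fullQuoteStr() does: escape backslashes and single quotes
    (MySQL string-literal rules) and wrap the result in quotes, so the value
    can only ever be read by the SQL parser as one string literal."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"


def data_wrap(template: str, gp_vars: dict, quote: bool) -> str:
    """Expand every {GPvar:name} marker in a dataWrap template.
    quote=False reproduces the unsafe TypoScript from the post,
    quote=True applies the fullQuoteStr-style stdWrap the RFC proposes."""
    def repl(match: re.Match) -> str:
        raw = gp_vars.get(match.group(1), "")
        return full_quote_str(raw) if quote else raw
    return re.sub(r"\{GPvar:([A-Za-z0-9_]+)\}", repl, template)


def unescaped_quote_count(sql: str) -> int:
    """Count single quotes not preceded by a backslash. An odd count means
    the substituted value has broken the literal structure of the WHERE
    clause, which is exactly the condition an injection relies on."""
    return len(re.findall(r"(?<!\\)'", sql))


def where_is_well_formed(sql: str) -> bool:
    """Cheap structural check: all string literals are properly closed."""
    return unescaped_quote_count(sql) % 2 == 0


if __name__ == "__main__":
    template = "whatever={GPvar:blah}"
    for quote in (False, True):
        clause = data_wrap(template, GP_VARS, quote)
        print(f"quote={quote!s:5} -> {clause!r} well-formed={where_is_well_formed(clause)}")
```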