[TYPO3-core] RFC #12094: Bug: stdWrap function fullQuoteStr
Reinhard Führicht
rf at typoheads.at
Thu Oct 1 18:32:29 CEST 2009
JoH asenau wrote:
>> If this is true, you should not have posted here but contacted the TYPO3
>> security team. If there is a vulnerability, you made it public and
>> exploitable... :(
>
> In this case there is no vulnerability in TYPO3 unless the admin himself
> introduced it with TypoScript.
> So nothing the security team should be aware of.
>
> It's like telling people not to use GET vars without properly checking
> them - the security hole will only appear if somebody doesn't follow the
> advice and uses
> andWhere.dataWrap = whatever={GPvar:blah}
>
> We got two options to avoid this:
> 1. always escape any property used by TS-select
> 2. introduce a stdWrap function similar to fullQuoteStr() and leave it to
> the admin if he wants to use it or not
>
> Cheers
>
> Joey
>
Option 1 would be great for protection against XSS attempts. To do this
the filtering has to be done in t3lib_div::_GP.
But for prevention against SQLI, I would prefer to do this manually
because you never know how the value is being used.
Cheers,
Reinhard
--
with kind regards,
Reinhard Führicht MSc
Developer
---------------------------------------------------
TYPOHEADS
WEB ENGINEERING
www.typoheads.at
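To make the difference between the two options concrete, here is an added example (not TYPO3's own code, and not from either poster): a hypothetical stdWrap-style quoting step, modelled on what fullQuoteStr() does, applied to the `andWhere.dataWrap = whatever={GPvar:blah}` pattern quoted above. It assumes a PDO handle quotes for the target DBMS the way `$GLOBALS['TYPO3_DB']->fullQuoteStr()` does; the table, rows and request value are constructed.

```php
<?php
// Added example (not TYPO3's own code): a stand-in for the proposed
// stdWrap quoting step, applied to the andWhere.dataWrap pattern from the thread.
// Assumption: the PDO handle quotes for the target DBMS the way
// $GLOBALS['TYPO3_DB']->fullQuoteStr() does; table and rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tt_content (uid INTEGER PRIMARY KEY, header TEXT)");
$db->exec("INSERT INTO tt_content (header) VALUES ('O''Reilly'), ('Other')");

// Hypothetical stdWrap step: escape AND wrap in quotes, so whatever the
// request contained becomes exactly one string literal in the SQL.
function stdWrapFullQuoteStr(PDO $db, string $value): string
{
    return $db->quote($value);
}

// The dataWrap from the thread: substitute the GP var into the andWhere template.
function buildAndWhere(string $template, string $gpValue): string
{
    return str_replace('{GPvar:blah}', $gpValue, $template);
}

function countRows(PDO $db, string $andWhere): int
{
    $stmt = $db->query("SELECT uid FROM tt_content WHERE " . $andWhere);
    return count($stmt->fetchAll(PDO::FETCH_COLUMN));
}

$input = "O'Reilly"; // constructed request value containing a quote character

// Unquoted (the pattern the thread warns against): the value is spliced in as SQL text,
// so a single apostrophe already changes how the DBMS parses the clause.
$raw = buildAndWhere('header={GPvar:blah}', $input);   // header=O'Reilly
try {
    countRows($db, $raw);
} catch (PDOException $e) {
    echo "unquoted: {$raw} -> " . $e->getMessage() . "\n"; // unbalanced quote: syntax error
}

// Quoted via the stdWrap step: the value stays one literal and matches exactly one row.
$safe = buildAndWhere('header={GPvar:blah}', stdWrapFullQuoteStr($db, $input)); // header='O''Reilly'
echo "quoted: {$safe} -> " . countRows($db, $safe) . " row(s)\n";              // 1 row(s)
```

Run it with `php example.php` (requires the PDO SQLite driver); the unquoted clause fails to parse while the quoted one behaves as a plain comparison, which is the property option 2 leaves to the admin to opt into.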