[TYPO3-core] RFC #12094: Bug: stdWrap function fullQuoteStr
Reinhard Führicht
rf at typoheads.at
Thu Oct 1 18:38:20 CEST 2009
Reinhard Führicht wrote:
> JoH asenau wrote:
>>> If this is true, you should have not posted here but contacted TYPO3
>>> security team. If there is a vulnerability, you made it public and
>>> exploitable... :(
>>
>> In this case there is no vulnerability in TYPO3 unless the admin himself
>> introduced it with TypoScript.
>> So nothing the security team should be aware of.
>>
>> It's like telling people not to use GET vars without properly checking
>> them - the security hole will only appear if somebody doesn't follow the
>> advice and uses
>> andWhere.dataWrap = whatever={GPvar:blah}
>>
>> We have two options to avoid this:
>> 1. always escape any property used by TS-select
>> 2. introduce a stdWrap function similar to fullQuoteStr() and leave it to
>> the admin whether he wants to use it or not
>>
>> Cheers
>>
>> Joey
>>
>
>
> Option 1 would be great for protection against XSS attempts. To do this
> the filtering has to be done in t3lib_div::_GP.
>
> But for prevention against SQLi, I would prefer to do this manually
> because you never know how the value is being used.
>
> Cheers,
>
> Reinhard
>
Addition:
My comment is only valid if the protection is done for ANY use of GPvar:xyz.
If it is only done for select, the escaping can always be done.
--
Kind regards,
Reinhard Führicht MSc
Developer
---------------------------------------------------
TYPOHEADS
WEB ENGINEERING
www.typoheads.at
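The pattern the thread argues about, as an added illustration that is not code from the mailing list or from TYPO3 core: a request value dropped unescaped into an andWhere clause next to the same clause built with a fullQuoteStr()-style helper (option 2 in Joey's list). The helper name fullQuoteStrExample(), the clause builders and the sample values are assumptions for this example; the escaping rules are a hand-written stand-in for what a database driver's quoting function does, not TYPO3's actual implementation.

```php
<?php
// Added example, not TYPO3 core code. Shows why a GPvar must be quoted
// before it is concatenated into a TS-select andWhere clause.

/**
 * Stand-in for a fullQuoteStr()-style stdWrap property (hypothetical name).
 * Escapes the characters a MySQL driver's quoting function handles and wraps
 * the result in single quotes so it can only ever be read as a string literal.
 */
function fullQuoteStrExample(string $value): string
{
    $escaped = strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
    return "'" . $escaped . "'";
}

/**
 * What "andWhere.dataWrap = whatever={GPvar:blah}" produces: the raw value
 * becomes part of the SQL text, so any operator or keyword in it is parsed
 * as SQL rather than as data.
 */
function buildAndWhereUnescaped(string $gpValue): string
{
    return 'whatever=' . $gpValue;
}

/**
 * Same clause with the value passed through the quoting helper first.
 * The value is now a single string literal regardless of its content.
 */
function buildAndWhereQuoted(string $gpValue): string
{
    return 'whatever=' . fullQuoteStrExample($gpValue);
}

// Constructed request values (these are not real inputs from the thread).
$samples = [
    '42',            // the intended kind of value
    "O'Brien",       // a legitimate value that still breaks an unquoted clause
    '1 OR 1=1',      // a value containing SQL syntax
];

foreach ($samples as $value) {
    printf("input:     %s\n", $value);
    printf("unescaped: %s\n", buildAndWhereUnescaped($value));
    printf("quoted:    %s\n\n", buildAndWhereQuoted($value));
}
// For '1 OR 1=1' the unescaped clause reads "whatever=1 OR 1=1" (two
// conditions), while the quoted clause reads "whatever='1 OR 1=1'" (one
// comparison against a string); for "O'Brien" the quoted form yields
// "whatever='O\'Brien'" instead of a syntax error.
```

Run with `php example.php`. The quoted form is what option 2 would give an integrator who opts in per property; option 1 (escaping in t3lib_div::_GP for every GPvar) would apply the same transformation before the value reaches any TypoScript at all, which is exactly why Reinhard objects to it for SQL: the correct escaping depends on where the value ends up, and quoting a value that is later used in HTML or in a numeric comparison is not the same operation.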