[TYPO3-core] RFC #12094: Bug: stdWrap function fullQuoteStr

Martin Kutschker masi-no at spam-typo3.org
Thu Oct 1 22:06:40 CEST 2009


Reinhard Führicht schrieb:
> JoH asenau schrieb:
>>> If this is true, you should not have posted here but contacted the TYPO3
>>> security team. If there is a vulnerability, you made it public and
>>> exploitable... :(
>>
>> In this case there is no vulnerability in TYPO3 unless the admin himself
>> introduced it with TypoScript.
>> So nothing the security team should be aware of.
>>
>> It's like telling people not to use GET vars without properly checking
>> them - the security hole will only appear if somebody doesn't follow the
>> advice and uses
>> andWhere.dataWrap = whatever={GPvar:blah}
>>
>> We got two options to avoid this:
>> 1. always escape any property used by TS-select
>> 2. introduce a stdWrap function similar to fullQuoteStr() and leave it to
>> the admin if he wants to use it or not
>>
>> Cheers
>>
>> Joey
>>
> 
> 
> Option 1 would be great for protection against XSS attempts. To do this,
> the filtering has to be done in t3lib_div::_GP.

And disables any way to set up fixed values via TS?!?

Masi
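To picture the difference between the two options Joey lists, here is an added example; it is neither TYPO3 core code nor code posted in this thread. The function names buildAndWhereUnquoted, buildAndWhereQuoted and quoteStandIn are hypothetical. quoteStandIn only mirrors the shape of fullQuoteStr() (escape, then wrap in single quotes); the real method needs a live database link, so it cannot be run offline here.

```php
<?php
// Added example, not TYPO3 core code: contrasts the raw interpolation the
// thread warns about ("andWhere.dataWrap = whatever={GPvar:blah}") with the
// quoting step a stdWrap function modelled on fullQuoteStr() would perform.
// The real fullQuoteStr() escapes via the database link; quoteStandIn() is a
// stand-in (assumption) that only mirrors its shape.

declare(strict_types=1);

/** Stand-in for fullQuoteStr(): escape backslash and apostrophe, then quote. */
function quoteStandIn(string $value): string
{
    // Backslash first, so the backslashes added for apostrophes are not doubled.
    $escaped = str_replace(['\\', "'"], ['\\\\', "\\'"], $value);
    return "'" . $escaped . "'";
}

/** Fragment produced when the GP value is dropped in as-is (the risky form). */
function buildAndWhereUnquoted(string $gpValue): string
{
    return 'whatever=' . $gpValue;               // no string-literal boundary
}

/** Same fragment with the value passed through the quoting step first. */
function buildAndWhereQuoted(string $gpValue): string
{
    return 'whatever=' . quoteStandIn($gpValue);
}

// Constructed sample input: an ordinary value that happens to contain an apostrophe.
$sample = "O'Brien";

echo buildAndWhereUnquoted($sample), PHP_EOL;  // whatever=O'Brien     -> unbalanced quote, the value leaks into the SQL
echo buildAndWhereQuoted($sample), PHP_EOL;    // whatever='O\'Brien'  -> one well-formed string literal
```

The raw form is what an admin gets today from the TypoScript in Joey's mail; the quoted form is what option 2 would make available on request, and option 1 would apply the same step to every value before it reaches the select.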

