[TYPO3-core] RFC #11586: Problem with fix of the SQL injection bug
Ernesto Baschny [cron IT]
ernst at cron-it.de
Fri Oct 23 10:57:27 CEST 2009
Hi Xavier,
Xavier Perseguers wrote:
> This is an SVN follow-up patch request.
>
> I cannot find this RFC in this mailing list, and the associated bug in
> the bugtracker has its access denied.
>
> As found by Simon Browning in the dev list in the thread "4.3 beta 2 -
> problem with Front end Editing": the change introduced a bug by adding a
> new class member TSFE_EDIT defined as protected, whereas a consequent
> bunch of code in Core (including both old and new feedit) used this
> variable as public.
>
> The changeset created this member which was previously implicitly defined.
>
> Problem: field was made protected whereas it should be made public if
> one does not want to go through all Core to use a getter instead.
>
> Might apply to other branches as well (don't know, cannot access
> bugtracker).
True, this is a problem introduced by the fix. The issue in the bug
tracker was private while developing the solution for security reasons.
Since the patch is in and the release is made, I made the issue public,
since there are no secrets inside.
But in reality the addition of the new member variable TSFE_EDIT
"slipped through"; I hadn't thought about this consequence. Please open
a new bug report for beta2 with the real problem description, adding a
reference to #11586 as the origin of the problem.
It only affects trunk and only TemplaVoila with FE-Editing-Advanced,
because in
feeditadvanced/templavoila/class.tx_templavoila_frontendedit.php we have
tx_templavoila_frontendedit extends t3lib_frontendedit,
which then needs access to this property.
So as soon as we have the new issue, I will +1 your patch for trunk only.
Cheers,
Ernesto
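The visibility problem discussed above, as an added illustration that is not TYPO3 code and not part of this thread: the class names t3lib_frontendedit and tx_templavoila_frontendedit and the member TSFE_EDIT come from the messages, but the class bodies, the sample value and the coreReadsAsPublic() function are constructed stand-ins. A subclass can read a protected member, while code outside the class hierarchy (the Core code that treated TSFE_EDIT as public) cannot; on PHP 7 and later that access throws an Error, on the PHP 5 releases of the time it was an uncatchable fatal error. Declaring the member public, or adding a getter, restores the access the callers relied on.

```php
<?php
// Constructed stand-in for the member introduced by the fix: declared
// protected, so only this class and its subclasses may read it.
class t3lib_frontendedit
{
    protected $TSFE_EDIT = array('cmd' => 'edit', 'record' => 'tt_content:1'); // constructed sample value
}

// Subclass access is allowed by PHP: the TemplaVoila case from the reply.
class tx_templavoila_frontendedit extends t3lib_frontendedit
{
    public function currentCommand()
    {
        return $this->TSFE_EDIT['cmd'];
    }
}

// Hypothetical caller outside the hierarchy, standing in for Core code that
// used the member "as public". With the member protected this fails.
function coreReadsAsPublic($fe)
{
    return $fe->TSFE_EDIT['cmd'];
}

// Variant with the fix applied: the member is public, so both accesses work.
class t3lib_frontendedit_fixed
{
    public $TSFE_EDIT = array('cmd' => 'edit', 'record' => 'tt_content:1'); // constructed sample value

    // Getter alternative mentioned in the request, for callers that prefer it.
    public function getTSFE_EDIT()
    {
        return $this->TSFE_EDIT;
    }
}

$sub = new tx_templavoila_frontendedit();
echo 'subclass read: ', $sub->currentCommand(), PHP_EOL;

try {
    echo 'external read: ', coreReadsAsPublic($sub), PHP_EOL;
} catch (Error $e) {
    // PHP 7+: "Cannot access protected property tx_templavoila_frontendedit::$TSFE_EDIT"
    echo 'external read fails: ', $e->getMessage(), PHP_EOL;
}

$fixed = new t3lib_frontendedit_fixed();
echo 'external read after fix: ', coreReadsAsPublic($fixed), PHP_EOL;
echo 'getter after fix: ', $fixed->getTSFE_EDIT()['cmd'], PHP_EOL;
```

Run with php on the command line; the second echo shows why the "protected" choice broke Front end Editing for every caller that was not a subclass, and the last two show the two ways out the thread mentions.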