[TYPO3-core] RFC #11586: Problem with fix of the SQL injection bug

Ernesto Baschny [cron IT] ernst at cron-it.de
Fri Oct 23 11:06:31 CEST 2009


Ernesto Baschny [cron IT] schrieb:
> Hi Xavier,
> 
> Xavier Perseguers wrote:
> 
>> This is a SVN follow-up patch request.
>>
>> I cannot find this RFC in this mailing list, and access to the
>> associated bug in the bugtracker is denied.
>>
>> As found by Simon Browning in the dev list, in the thread "4.3 beta 2 -
>> problem with Front end Editing": the change introduced a bug by adding the
>> new class member TSFE_EDIT declared as protected, whereas a considerable
>> amount of code in Core (including both old and new feedit) used this
>> variable as public.
>>
>> The changeset created this member which was previously implicitly defined.
>>
>> Problem: the field was made protected, whereas it should be made public
>> if one does not want to go through all of Core to use a getter instead.
>>
>> Might apply to other branches as well (don't know, cannot access the
>> bugtracker).
> 
> True, this is a problem introduced by the fix. The issue in the bug
> tracker was private while developing the solution for security reasons.
> Since the patch is in and the release is made, I made the issue public,
> since there are no secrets inside.
> 
> But in reality the addition of the new member variable TSFE_EDIT
> "slipped through"; I hadn't thought about this consequence. Please open
> a new bug report for beta2 with the real problem description, adding a
> reference to #11586 as the origin of the problem.
> 
> It only affects trunk and only TemplaVoila with FE-Editing-Advanced
> because we have in
> feeditadvanced/templavoila/class.tx_templavoila_frontendedit.php:
> 
> 	tx_templavoila_frontendedit extends t3lib_frontendedit
> 
> which then needs access to this property.

My mistake, it also affects regular feediting, because that property is
accessed through:

	$TSFE_EDIT = $GLOBALS['BE_USER']->frontendEdit->TSFE_EDIT;

by feedit and feeditadvanced. I would add a new method to the
frontendEdit API to be able to retrieve this property instead of
accessing it directly.

Xavier, if you can, please open the new issue anyway.

Cheers,
Ernesto
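The visibility problem discussed in this message, shown as an added, runnable illustration (this is not TYPO3 code and not part of the original mail): minimal stand-ins for the two classes named above demonstrate which access paths break once TSFE_EDIT is declared protected, and how an accessor method on the frontendEdit object restores access for feedit and feeditadvanced without making the member public again. The class shapes, the constructor, the getter name getTSFE_EDIT() and the sample array are assumptions chosen for this example; the real TYPO3 4.3 classes carry far more.

```php
<?php
// Added illustration, not TYPO3 code. Class bodies, constructor, getter name
// and sample data are assumptions modelled on the mailing-list thread.

class t3lib_frontendedit
{
    // Before the fix this member was created implicitly on first assignment
    // (and was therefore public). The fix declared it explicitly as protected.
    protected $TSFE_EDIT;

    public function __construct(array $tsfeEdit)
    {
        $this->TSFE_EDIT = $tsfeEdit;
    }

    // Proposed accessor (assumed name) so that callers outside the class
    // hierarchy no longer need to touch the member directly.
    public function getTSFE_EDIT()
    {
        return $this->TSFE_EDIT;
    }
}

// Stand-in for templavoila's subclass: protected members are visible inside
// subclasses, so code written in this class keeps working after the change.
class tx_templavoila_frontendedit extends t3lib_frontendedit
{
    public function editedRecord()
    {
        return $this->TSFE_EDIT['record'] ?? null;
    }
}

// Stand-in for $GLOBALS['BE_USER'] carrying a frontendEdit object
// (constructed sample input).
$GLOBALS['BE_USER'] = new stdClass();
$GLOBALS['BE_USER']->frontendEdit = new tx_templavoila_frontendedit(
    ['cmd' => 'edit', 'record' => 'tt_content:42']
);

// 1) Access from inside the subclass: allowed for a protected member.
var_dump($GLOBALS['BE_USER']->frontendEdit->editedRecord());

// 2) The access path used by feedit / feeditadvanced: reading a protected
//    member from outside the hierarchy throws an Error on PHP 7+
//    ("Cannot access protected property ..."); on PHP 5 it is a fatal error.
try {
    $TSFE_EDIT = $GLOBALS['BE_USER']->frontendEdit->TSFE_EDIT;
} catch (Error $e) {
    echo get_class($e) . ': ' . $e->getMessage() . PHP_EOL;
}

// 3) Through the accessor the same external callers get the value while the
//    member itself stays protected.
$TSFE_EDIT = $GLOBALS['BE_USER']->frontendEdit->getTSFE_EDIT();
var_dump($TSFE_EDIT['cmd']);
```

Run it with any PHP 7 or later interpreter; case 2 is the line that broke in beta2, and case 3 is the shape of the getter proposed in the mail above.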

