[TYPO3-core] FYI: Fixed bug #13959 - Security fix

Michael Stucki michael at typo3.org
Fri Apr 9 12:38:18 CEST 2010


FYI: The attached SVN patch was committed.

Type: Bugfix

Problem:
The TYPO3 autoloader does not validate passed arguments.

See security bulletin for details:
http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-008/

Solution:
Validate the data; additionally, unset a special variable which is
actually triggering the issue.

Bugtracker references:
http://bugs.typo3.org/view.php?id=13959

Branches:
- Trunk (rev @7267)
- TYPO3_4-3 (rev @7263)
- TYPO3_4-2 (rev @7268)
- TYPO3_4-1 (rev @7269)

I'm pretty sure that most of you will wonder why this fix has been
committed to TYPO3 4.1 and 4.2 while the security bulletin only mentions
TYPO3 4.3 as affected. Therefore I'm repeating my note from the
ChangeLog to make this more clear:

Fixed bug #13959: Security precaution for extensions which use their own
autoloader. Note: This is the same fix which has been committed to TYPO3
4.3 where it is marked as a security fix. However, versions prior to
TYPO3 4.3 do not ship with an autoloader, so they are not affected by
this problem unless an extension provides its own autoloader.

Greetings, Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: check_7263_4-3.diff
Type: application/pgp-keys
Size: 4294 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100409/3160fee5/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: check_7267_trunk.diff
Type: application/pgp-keys
Size: 4256 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100409/3160fee5/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: check_7268_4-2.diff
Type: application/pgp-keys
Size: 4048 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100409/3160fee5/attachment-0002.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: check_7269_4-1.diff
Type: application/pgp-keys
Size: 4151 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100409/3160fee5/attachment-0003.key>

