[TYPO3-core] RFC #16796: Frame added to IM/GM commands should be inside quotes

Helmut Hummel helmut.hummel at typo3.org
Tue Dec 28 16:56:53 CET 2010


Hi,

On 28.12.2010 16:10, Jigal van Hemert wrote:
>
> On 28-12-2010 15:37, Helmut Hummel wrote:
>>
>> Does the current behaviour cause a wrong result?
>
> Yes. The combination of incorrect unQuoteFileName() (#16795) and
> incorrect position of frames resulted in problems on Windows.

OK. Thanks for backing me up on this.

> At first we tried to solve all problems in #13750, but due to testing
> problems (we would actually need reviews on all combinations) in a
> discussion with the 4.5 RM it was decided to split that issue in three
> parts.

I know, and this is good.

> Well, moving the frame parameter out of the wrapping was a wrong
> solution in the first place.

Maybe.

> And guess what, #16797 implements the suggestion of Marcus Krause in the
> discussion of #12341 to drop escapeshellarg() when safe_mode is on,
> because safe_mode already executes escapeshellcmd() to prevent injections.

Well, he changed his mind and I still think that dropping 
escapeshellarg() because escapeshellcmd() is done is wrong (see my post 
in the #16797 thread).

> With all three patches in, the situation on *nix, Windows and problems
> with safe_mode should all be fixed.

OK, totally fine with me, if moving the frame parameter inside the 
quotes solves the issue. Then please also do so in t3lib/thumbs.php.

Regards, Helmut
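
Added example, not part of the original message and not TYPO3 code: a PHP sketch for a POSIX host that passes three ways of building the file argument through /bin/sh and reports the arguments the called program actually receives. The file name, the frame value and the helper argvSeenByProgram() are assumptions made for the illustration.

```php
<?php
// Added illustration, not TYPO3 code. The file name and frame index are
// constructed sample values. Needs a POSIX system with /bin/sh.

/**
 * Run `printf '%s\n' <args>` through the shell and return the arguments
 * as the called program received them, one array entry per argument.
 */
function argvSeenByProgram(string $argString): array
{
    $output = [];
    exec("printf '%s\\n' " . $argString, $output);
    return $output;
}

$file  = 'my image.gif';   // constructed name containing a space
$frame = '[0]';            // ImageMagick/GraphicsMagick frame selector

$variants = [
    // Frame appended after the quoted name: "[0]" is left unquoted, so a
    // POSIX shell treats it as a bracket glob pattern.
    'frame outside quotes' => escapeshellarg($file) . $frame,
    // Frame inside the quotes: the whole argument is one quoted word.
    'frame inside quotes'  => escapeshellarg($file . $frame),
    // escapeshellcmd() only: metacharacters are backslash-escaped but
    // whitespace is not, so the shell still splits the name on the space.
    'escapeshellcmd only'  => escapeshellcmd($file . $frame),
];

foreach ($variants as $label => $argString) {
    $argv = argvSeenByProgram($argString);
    printf("%-22s %-22s -> %d argument(s): %s\n",
        $label, $argString, count($argv), json_encode($argv));
}
```

On Windows escapeshellarg() quotes differently, so the first two variants should be compared there separately.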

