[TYPO3-core] RFC #16891: Bug: shopic.php causes a fatal error if parameters GET variable is not an array

Helmut Hummel helmut.hummel at typo3.org
Sun Jan 2 16:20:35 CET 2011


Hi,

This is a SVN patch request.

Type: Bugfix

Branches: trunk, 4.4, 4.3

Problem:
After upgrading to TYPO3 version 4.3.9, the URL to the showpic
functionality changed (see #16485). Since search engines still may have
these old URLs in the index, the call to this URL will lead to a fatal
PHP error, since the parameters GET variable is not used there.

Solution:
Check if the parameters are transmitted and are an array.

Notes:
For trunk it would be a further improvement to replace the die() calls
with an exception. For this to work properly the error handler must be
initialized. The advantage in doing so is a nicer error message and a
500 HTTP header being sent, forcing the search engines to (hopefully)
not index this URL.

For 4.4 I also removed the unnecessary use of the encryption key, which
was also introduced in #16485. This will of course also change the hash
of the showpic functionality, but using the encryption key there is
misleading, so I would change it nevertheless.

Additional note:
Thanks to Steffen Ritter for reporting.


Kind regards,
Helmut

-- 
Helmut Hummel
TYPO3 Security Team Leader

TYPO3 .... inspiring people to share!
Get involved: typo3.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 16891_trunk.diff
Type: text/x-patch
Size: 2759 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20110102/a78d2a02/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 16891_4-3.diff
Type: text/x-patch
Size: 1291 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20110102/a78d2a02/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 16891_4-4.diff
Type: text/x-patch
Size: 1968 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20110102/a78d2a02/attachment-0002.bin>