[SECURITY] SQLi in DBAL 96/46696/2
author Morton Jonuschat <m.jonuschat@mojocode.de>
Tue, 16 Feb 2016 10:43:49 +0000 (11:43 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 16 Feb 2016 10:44:11 +0000 (11:44 +0100)
commit 3256617aedc7d46fae50c8bf482c4516b4015fcb
tree 9d019d0f4642b1d1155025ea7088998b3dc3b944
parent c88aa574c95147d30678c4b2c381ac312ca3765c
[SECURITY] SQLi in DBAL

When dbal is in native mode but sql_query.passthrough is disabled
in extension configuration, the values of queries are unescaped
and passed that way to MySQL, leading to an SQLi vulnerability.

Resolves: #58896
Releases: 6.2, 4.5
Security-Commit: 3594142daa7e7157aeb21c0ca5db95b5367236d8
Security-Bulletin: TYPO3-CORE-SA-2016-001, 002, 003, 004
Change-Id: Id76c0fb523a1835b0a9d2a1afa4ba1ebdda73303
Reviewed-on: https://review.typo3.org/46696
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/dbal/Classes/Database/SqlParser.php
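The bug class the commit message describes, a query that is parsed and then recompiled with its string values no longer escaped, as an added illustration that is not TYPO3's SqlParser code. The functions `quoteStr`, `parseCondition`, `compileUnescaped` and `compileEscaped` are hypothetical simplifications of a parse/compile round trip, and the input is constructed.

```php
<?php
// Added example, not TYPO3 code: a minimal WHERE-condition parser and two
// compilers for its output, one that re-inserts the parsed value verbatim
// (the unescaped path) and one that escapes it again (the fixed path).

// Simplified stand-in for the native driver's string escaping
// (backslash first, then single quote).
function quoteStr(string $value): string
{
    return str_replace(['\\', "'"], ['\\\\', "\\'"], $value);
}

// Parse "field = 'quoted value'" into its parts. A real parser must unquote
// the value so later stages see the plain string, which is exactly where the
// caller's escaping is lost.
function parseCondition(string $where): array
{
    $re = '/^(\w+)\s*=\s*\'((?:[^\'\\\\]|\\\\.)*)\'$/';
    if (!preg_match($re, $where, $m)) {
        throw new InvalidArgumentException("unsupported condition: $where");
    }
    return ['field' => $m[1], 'value' => stripcslashes($m[2])];
}

// Unescaped path: the plain value is wrapped in quotes as-is, so a quote
// inside it terminates the literal and the rest becomes SQL.
function compileUnescaped(array $cond): string
{
    return $cond['field'] . " = '" . $cond['value'] . "'";
}

// Fixed path: escape the value again while recompiling.
function compileEscaped(array $cond): string
{
    return $cond['field'] . " = '" . quoteStr($cond['value']) . "'";
}

// Constructed input: the caller escaped its value correctly before parsing.
$input = "username = '" . quoteStr("o' OR '1'='1") . "'";
$tree  = parseCondition($input);

echo compileUnescaped($tree), PHP_EOL; // username = 'o' OR '1'='1'      (literal closed early)
echo compileEscaped($tree), PHP_EOL;   // username = 'o\' OR \'1\'=\'1'  (still one literal)
```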