[SECURITY] SQLi in DBAL 96/46696/2
author Morton Jonuschat <m.jonuschat@mojocode.de>
Tue, 16 Feb 2016 10:43:49 +0000 (11:43 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 16 Feb 2016 10:44:11 +0000 (11:44 +0100)
When dbal is in native mode but sql_query.passthrough is disabled
in extension configuration, the values of queries are unescaped
and passed that way to MySQL, leading to an SQLi vulnerability.

Resolves: #58896
Releases: 6.2, 4.5
Security-Commit: 3594142daa7e7157aeb21c0ca5db95b5367236d8
Security-Bulletins: TYPO3-CORE-SA-2016-001, 002, 003, 004
Change-Id: Id76c0fb523a1835b0a9d2a1afa4ba1ebdda73303
Reviewed-on: https://review.typo3.org/46696
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
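The parse-and-recompile round trip that the commit message describes, as an added example that is not TYPO3 code: DBAL's SqlParser stores string literals unescaped and re-emits them through compileAddslashes(), so when that method returns the value unmodified for the native handler, an already correctly escaped statement leaves DBAL with its literal boundaries broken. The model below is Python rather than PHP, handles only the common MySQL escape forms, and uses made-up table and column names and a constructed attacker value; the function names (add_slashes, split_sql, compile_add_slashes, recompile, dbal_process, literal_boundaries_preserved) are this example's own, not DBAL's API.

```python
# Added example (not TYPO3 code): a model of the DBAL parse/recompile round
# trip behind this fix.  DBAL parses a statement into segments, storing string
# literals *unescaped*, then compiles them back.  compile_add_slashes() stands
# in for SqlParser::compileAddslashes(): before the patch it returned the
# value unmodified for every handler; after it, it escapes for 'native'.

# Subset of MySQL backslash escapes understood by the tokenizer (assumption).
ESCAPES = {"0": "\x00", "n": "\n", "r": "\r", "t": "\t"}


def add_slashes(value):
    """PHP addslashes(): backslash-escape ', ", \\ and NUL (MySQL-style),
    i.e. what the core compileAddslashes() the patch delegates to does."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def split_sql(sql):
    """Tokenize into ('code', text) / ('literal', unescaped_text) segments,
    honouring backslash escapes and doubled quotes inside '...' literals."""
    segments, code, i, n = [], [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            code.append(sql[i])
            i += 1
            continue
        if code:
            segments.append(("code", "".join(code)))
            code = []
        lit, i = [], i + 1
        while True:
            if i >= n:
                raise ValueError("unterminated string literal")
            ch = sql[i]
            if ch == "\\" and i + 1 < n:
                lit.append(ESCAPES.get(sql[i + 1], sql[i + 1]))
                i += 2
            elif ch == "'" and i + 1 < n and sql[i + 1] == "'":
                lit.append("'")
                i += 2
            elif ch == "'":
                i += 1
                break
            else:
                lit.append(ch)
                i += 1
        segments.append(("literal", "".join(lit)))
    if code:
        segments.append(("code", "".join(code)))
    return segments


def compile_add_slashes(value, handler_type, patched):
    """Model of DBAL SqlParser::compileAddslashes() before/after the fix."""
    if patched and handler_type == "native":
        return add_slashes(value)
    # Non-native handlers: DBAL escapes later in quoteWhereClause() (not
    # modelled here).  Native mode gets nothing there, which is the bug.
    return value


def recompile(segments, handler_type, patched):
    parts = []
    for kind, text in segments:
        if kind == "code":
            parts.append(text)
        else:
            parts.append("'" + compile_add_slashes(text, handler_type, patched) + "'")
    return "".join(parts)


def dbal_process(sql, handler_type, passthrough, patched):
    """What reaches MySQL: with sql_query.passthrough enabled DBAL sends the
    statement untouched, otherwise it is parsed and recompiled."""
    if passthrough:
        return sql
    return recompile(split_sql(sql), handler_type, patched)


def literal_boundaries_preserved(sql, handler_type, passthrough, patched):
    """True when the recompiled statement has the same code/literal segments
    as the input, i.e. no literal content has escaped into SQL code."""
    try:
        return split_sql(dbal_process(sql, handler_type, passthrough, patched)) == split_sql(sql)
    except ValueError:
        return False


# Constructed sample (names made up): the statement as the core would build
# it with fullQuoteStr(), i.e. already correctly escaped on entry to DBAL.
USER_INPUT = "x' OR 'a'='a"
QUERY = "SELECT uid FROM pages WHERE title = '" + add_slashes(USER_INPUT) + "'"

if __name__ == "__main__":
    for patched in (False, True):
        sent = dbal_process(QUERY, "native", passthrough=False, patched=patched)
        print(f"patched={patched!s:5} -> {sent}")
        print("  literal boundaries preserved:",
              literal_boundaries_preserved(QUERY, "native", False, patched))
```

Running it shows the unpatched native path turning the single literal into `'x' OR 'a'='a'`, three literals with live SQL between them, while the patched path reproduces the input statement byte for byte; with passthrough enabled the statement is never recompiled, which is why the commit message restricts the bug to passthrough being disabled.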
typo3/sysext/dbal/Classes/Database/SqlParser.php

index 5644a3a..aecce93 100644 (file)
@@ -212,6 +212,13 @@ class SqlParser extends \TYPO3\CMS\Core\Database\SqlParser {
         * @return      string          Output string
         */
        protected function compileAddslashes($str) {
+               // DatabaseConnection::quoteWhereClause() returns an unmodified where clause in native mode,
+               // escaping of special characters needs to be done here.
+               if ((string)$this->databaseConnection->handlerCfg[$this->databaseConnection->lastHandlerKey]['type'] === 'native') {
+                       return parent::compileAddslashes($str);
+               }
+
+               // Return unmodified value, DBMS specific escaping is handled in DatabaseConnection::quoteWhereClause()
                return $str;
        }
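Review bot: the fallback `return $str;` at the end of compileAddslashes() is still the unescaped path, so the fix only holds when `handlerCfg[$this->databaseConnection->lastHandlerKey]['type']` actually resolves to `'native'` for the statement being compiled; if `lastHandlerKey` is not set at that point, or the type is missing from the config, the `(string)` cast yields `''` and the value goes out unescaped, which is the behaviour this change is meant to remove. Consider failing closed by escaping unless the handler type is known to be one where quoteWhereClause() does the DBMS-specific quoting, and resolving native mode through the same check DatabaseConnection uses so the two conditions cannot drift apart. The docblock above (`@return string Output string`) should also say that the result is addslashes()-escaped only for the native handler and returned verbatim otherwise.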