[BUGFIX] Prevent broken AND where statement in cObj->searchWhere() 92/61892/5
authorChristian Eßl <indy.essl@gmail.com>
Sat, 5 Oct 2019 10:58:32 +0000 (12:58 +0200)
committerDaniel Goerz <daniel.goerz@posteo.de>
Thu, 10 Oct 2019 14:46:50 +0000 (16:46 +0200)
If searchWhere() in ContentObjectRenderer is called with search words
that are shorter than 3 characters, a broken " AND " where
statement is returned which, if put inside a database query, would
lead to a fatal error. In such a case, return an empty string to prevent the addWhere call.

Resolves: #87620
Releases: master, 9.5
Change-Id: Ib75b2fe8f20fb5b3c956976ff7aae014d0eb784e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61892
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Julian Geils <j_geils@web.de>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Jörg Bösche <typo3@joergboesche.de>
Reviewed-by: Sascha Rademacher <sascha.rademacher+typo3@gmail.com>
Reviewed-by: Julian Geils <j_geils@web.de>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
typo3/sysext/frontend/Classes/Plugin/AbstractPlugin.php
typo3/sysext/frontend/Tests/Functional/ContentObject/ContentObjectRendererTest.php

index 4705d6e..5241a04 100644 (file)
@@ -6107,7 +6107,7 @@ class ContentObjectRenderer implements LoggerAwareInterface
     public function searchWhere($searchWords, $searchFieldList, $searchTable)
     {
         if (!$searchWords) {
-            return ' AND 1=1';
+            return '';
         }
 
         $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
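Review bot: The early return now yields `''` where callers previously always received a string starting with ` AND `, and nothing in this hunk documents that new contract. The second early return added further down in searchWhere() has the same gap. The method's docblock lies outside the hunk; I would extend it to something like `@return string WHERE fragment prefixed with " AND ", or an empty string if no constraint applies`. Callers not touched by this commit that strip the prefix and pass the result to `andWhere()` would presumably need the same guard as AbstractPlugin, which matters for the 9.5 backport.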
@@ -6136,6 +6136,10 @@ class ContentObjectRenderer implements LoggerAwareInterface
             }
         }
 
+        if ((string)$where === '') {
+            return '';
+        }
+
         return ' AND ' . (string)$where;
     }
 
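Review bot: When every search word is too short, the new `return ''` means "no constraint", so a caller that then skips `andWhere()` runs its query unfiltered rather than returning no matches. That may be the intended behaviour, but it should be stated at the guard, e.g. `// No usable search word: return no constraint instead of a dangling " AND "`. `$where` is also cast to string twice; a single `$where = (string)$where;` before the check would avoid that. The loop that builds `$where` starts outside this hunk, so how short words are skipped is inferred from the commit message.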
index 183e799..5c87370 100644 (file)
@@ -1099,11 +1099,12 @@ class AbstractPlugin
         }
         // Search word:
         if ($this->piVars['sword'] && $this->internal['searchFieldList']) {
-            $queryBuilder->andWhere(
-                QueryHelper::stripLogicalOperatorPrefix(
-                    $this->cObj->searchWhere($this->piVars['sword'], $this->internal['searchFieldList'], $table)
-                )
+            $searchWhere = QueryHelper::stripLogicalOperatorPrefix(
+                $this->cObj->searchWhere($this->piVars['sword'], $this->internal['searchFieldList'], $table)
             );
+            if (!empty($searchWhere)) {
+                $queryBuilder->andWhere($searchWhere);
+            }
         }
 
         if ($count) {
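Review bot: `if (!empty($searchWhere))` is looser than the condition it guards, because `empty()` also treats the string `'0'` as empty; a strict `if ($searchWhere !== '') {` states the intent exactly. The fragment handed to `andWhere()` is a raw SQL string derived from the request value `$this->piVars['sword']`, so the call depends entirely on the quoting done inside searchWhere(), which is not visible here. A one-line comment such as `// searchWhere() returns '' when no search word is usable; the fragment is already quoted there` would make both points explicit. The enclosing method starts and ends outside the hunk.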
index 542c452..e6f73a2 100644 (file)
@@ -564,6 +564,20 @@ class ContentObjectRendererTest extends FunctionalTestCase
     }
 
     /**
+     * @test
+     */
+    public function searchWhereWithTooShortSearchWordWillReturnValidWhereStatement()
+    {
+        $tsfe = $this->getMockBuilder(TypoScriptFrontendController::class)->disableOriginalConstructor()->getMock();
+        $subject = new ContentObjectRenderer($tsfe);
+        $subject->start([], 'tt_content');
+
+        $expected = '';
+        $actual = $subject->searchWhere('ab', 'header,bodytext', 'tt_content');
+        $this->assertEquals($expected, $actual);
+    }
+
+    /**
      * @return array
      */
     protected function getLibParseFunc()
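Review bot: `$this->assertEquals($expected, $actual)` compares loosely, so the new test would also pass if searchWhere() returned `null` or `false`; `$this->assertSame('', $actual);` pins the string return that callers rely on. The test covers only the too-short-word path, while the commit also changes the empty-search-words branch from `' AND 1=1'` to `''`, which has no assertion here. The name says "WillReturnValidWhereStatement" although the expected value is an empty string; something like `searchWhereWithTooShortSearchWordWillReturnEmptyString` would describe the behaviour more accurately.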