[BUGFIX] Prevent null value being passed to hash_equals 13/58713/2
authorBenni Mack <benni@typo3.org>
Fri, 26 Oct 2018 13:41:09 +0000 (15:41 +0200)
committerBenni Mack <benni@typo3.org>
Sat, 27 Oct 2018 09:43:55 +0000 (11:43 +0200)
The second parameter of hash_equals must be a string but could be a
null value in the FileDumpController. It is ensured now that the
value is always a string.

Resolves: #86599
Releases: master, 8.7
Change-Id: Iaf682b405be6712aa31603521a2d873b4c3bcb89
Reviewed-on: https://review.typo3.org/58713
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
typo3/sysext/core/Classes/Controller/FileDumpController.php

index 538c3a2..101dfd2 100644 (file)
@@ -96,12 +96,13 @@ class FileDumpController
     /**
      * @param ServerRequestInterface $request
      * @param string $parameter
-     * @return mixed|null
+     * @return string
      */
     protected function getGetOrPost(ServerRequestInterface $request, $parameter)
     {
-        return isset($request->getParsedBody()[$parameter])
+        $value = isset($request->getParsedBody()[$parameter])
             ? $request->getParsedBody()[$parameter]
-            : (isset($request->getQueryParams()[$parameter]) ? $request->getQueryParams()[$parameter] : null);
+            : (isset($request->getQueryParams()[$parameter]) ? $request->getQueryParams()[$parameter] : '');
+        return (string)$value;
     }
 }