* Fixed bug #11586: Potential SQL injection in frontend editing (thanks to Oliver Klee)
authorErnesto Baschny <ernst@cron-it.de>
Thu, 22 Oct 2009 07:45:04 +0000 (07:45 +0000)
committerErnesto Baschny <ernst@cron-it.de>
Thu, 22 Oct 2009 07:45:04 +0000 (07:45 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@6229 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
t3lib/class.t3lib_frontendedit.php

index 0a18124..ed5b97e 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2009-10-22  Ernesto Baschny <ernst@cron-it.de>
+
+       * Fixed bug #11586: Potential SQL injection in frontend editing (thanks to Oliver Klee)
+
 2009-10-21  Sebastian Kurfuerst  <sebastian@typo3.org>
 
        * Raised Extbase and Fluid version numbers to 0.9.11.
index c78c0a4..51c2929 100644 (file)
  * @subpackage t3lib
  */
 class t3lib_frontendedit {
+       /**
+        * GET/POST parameters for the FE editing
+        *
+        * @var array
+        */
+       protected $TSFE_EDIT;
 
        /**
         * TCEmain object.
@@ -209,6 +215,7 @@ class t3lib_frontendedit {
        public function editAction() {
                        // Commands:
                list($table, $uid) = explode(':', $this->TSFE_EDIT['record']);
+               $uid = intval($uid);
                $cmd = $this->TSFE_EDIT['cmd'];
 
                        // Look for some TSFE_EDIT data that indicates we should save.
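Review bot: `$table`, produced by the same `explode(':', $this->TSFE_EDIT['record'])` on the line directly above the added `intval()`, is still taken from the request untouched, and a table name ends up as an SQL identifier where `intval()` cannot help; it should be checked against the known tables before use, e.g. `if (!isset($GLOBALS['TCA'][$table])) { return; }` if the TCA array is in scope here, or at minimum restricted to `[A-Za-z0-9_]`. When the `record` value carries no colon, `list()` assigns only `$table` and `$uid` is undefined at the point `intval()` runs, so guarding with `if (count(explode(':', $this->TSFE_EDIT['record'])) !== 2) { return; }` would make the contract explicit rather than relying on a notice being silenced. `$cmd` on the next line is likewise taken verbatim from the request. editAction's body continues beyond the end of this hunk, so how `$table` and `$cmd` are consumed further down is not visible here.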