[SECURITY] Extbase must not cache dynamic parts of queries 32/29932/7
authorMarkus Klein <klein.t3@mfc-linz.at>
Thu, 8 May 2014 01:31:21 +0000 (03:31 +0200)
committerGeorg Ringer <georg.ringer@gmail.com>
Mon, 12 May 2014 13:45:03 +0000 (15:45 +0200)
Do not cache the enable fields part of queries. This part
needs to be added on each query dynamically to reflect the
current context. (Time restrictions, User restrictions)

Resolves: #58369
Releases: 6.2
Change-Id: I492d5983ff6a06d72cd18cf9a08a0d62d304ac2b
Reviewed-on: https://review.typo3.org/29932
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Marcin Sągol
Reviewed-by: Jan Kiesewetter
Tested-by: Jan Kiesewetter
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer
typo3/sysext/extbase/Classes/Persistence/Generic/Storage/Typo3DbBackend.php
typo3/sysext/extbase/Classes/Persistence/Generic/Storage/Typo3DbQueryParser.php

index 1df4854..559d47e 100644 (file)
@@ -503,6 +503,8 @@ class Typo3DbBackend implements BackendInterface, \TYPO3\CMS\Core\SingletonInter
                        throw new \RuntimeException('Your query could not be built.', 1394453197);
                }
 
+               $this->queryParser->addDynamicQueryParts($query->getQuerySettings(), $statementParts);
+
                // Limit and offset are not cached to allow caching of pagebrowser queries.
                $statementParts['limit'] = ((int)$query->getLimit() ?: NULL);
                $statementParts['offset'] = ((int)$query->getOffset() ?: NULL);
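Review bot: The new addDynamicQueryParts() call carries no comment explaining why it sits here, after the statement has been built or (as the surrounding limit/offset comment implies) taken from the cache, and that placement is the whole point of the change: a later refactor that moves the call back into the parser's cached path would silently bake the enable-field restrictions into the cache again. Suggest a comment above it, parallel to the existing limit/offset one: `// Visibility constraints (enable fields, deleted flag) depend on the current context and must never be cached.`. The parser method is documented as throwing \InvalidArgumentException when the statement lacks 'additionalWhereClause', so it is worth confirming that every cached statement array carries that key, otherwise a cache hit would now fail where it previously succeeded. The enclosing method starts and ends outside the hunk.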
index eed164d..e794684 100644 (file)
@@ -225,6 +225,27 @@ class Typo3DbQueryParser implements \TYPO3\CMS\Core\SingletonInterface {
        }
 
        /**
+        * Add query parts that MUST NOT be cached.
+        * Call this function for any query
+        *
+        * @param QuerySettingsInterface $querySettings
+        * @param array $sql
+        * @throws \InvalidArgumentException
+        * @return void
+        */
+       public function addDynamicQueryParts(QuerySettingsInterface $querySettings, array &$sql) {
+               if (!isset($sql['additionalWhereClause'])) {
+                       throw new \InvalidArgumentException('Invalid statement given.', 1399512421);
+               }
+               $tableNames = array_unique(array_keys($sql['tables'] + $sql['unions']));
+               foreach ($tableNames as $tableName) {
+                       if (is_string($tableName) && !empty($tableName)) {
+                               $this->addVisibilityConstraintStatement($querySettings, $tableName, $sql);
+                       }
+               }
+       }
+
+       /**
         * Transforms a Query Source into SQL and parameter arrays
         *
         * @param Qom\SourceInterface $source The source
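Review bot: addDynamicQueryParts() guards only `$sql['additionalWhereClause']` but then reads `$sql['tables']` and `$sql['unions']` unconditionally in the `+` union, so a statement array missing either key produces an undefined-index notice and an unsupported-operand error rather than the intended InvalidArgumentException; widen the guard to `if (!isset($sql['additionalWhereClause'], $sql['tables'], $sql['unions'])) {`. The `array_unique()` wrapper is redundant because `+` already merges by key, so `$tableNames = array_keys($sql['tables'] + $sql['unions']);` is sufficient. Since the third hunk removes the visibility-constraint call from addAdditionalWhereClause(), this method is now the only place the enable-field and deleted restrictions are appended, and its docblock should state that explicitly, e.g. `* Must be called on every statement, cached or freshly built; a statement that skips this call carries no visibility constraints.`, so that a new consumer of the parser's cached output cannot overlook it.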
@@ -493,7 +514,6 @@ class Typo3DbQueryParser implements \TYPO3\CMS\Core\SingletonInterface {
         * @return void
         */
        protected function addAdditionalWhereClause(QuerySettingsInterface $querySettings, $tableName, &$sql) {
-               $this->addVisibilityConstraintStatement($querySettings, $tableName, $sql);
                if ($querySettings->getRespectSysLanguage()) {
                        $this->addSysLanguageStatement($tableName, $sql, $querySettings);
                }