[TASK] Properly encode database input in the right place 14/42614/4
authorHelmut Hummel <helmut.hummel@typo3.org>
Fri, 14 Aug 2015 13:45:15 +0000 (15:45 +0200)
committerNicole Cordes <typo3@cordes.co>
Sun, 16 Aug 2015 12:11:18 +0000 (14:11 +0200)
This adds code that prevents potential SQL injections.
The core is not exploitable, as cleaning is done in other code parts.

Resolves: #69061
Releases: master, 6.2
Change-Id: Iba42adc6dd4abd3976b57f1dc84ba6585ea7bbd4
Reviewed-on: http://review.typo3.org/42614
Reviewed-by: Frank Nägler <frank.naegler@typo3.org>
Tested-by: Frank Nägler <frank.naegler@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
typo3/sysext/workspaces/Classes/Service/StagesService.php

index 5450d6a..9579733 100644 (file)
@@ -1256,13 +1256,10 @@ class BackendUserAuthentication extends \TYPO3\CMS\Core\Authentication\AbstractU
                        }
                        // BE_GROUPS:
                        // Get the groups...
-                       // 240203: Since the group-field never contains any references to groups with a prepended table name
-                       // we think it's safe to just intExplode and re-implode - which should be much faster than the other function call.
-                       $grList = $this->db->cleanIntList($this->user[$this->usergroup_column]);
-                       if ($grList) {
+                       if (!empty($this->user[$this->usergroup_column])) {
                                // Fetch groups will add a lot of information to the internal arrays: modules, accesslists, TSconfig etc.
                                // Refer to fetchGroups() function.
-                               $this->fetchGroups($grList);
+                               $this->fetchGroups($this->user[$this->usergroup_column]);
                        }
 
                        // Populating the $this->userGroupsUID -array with the groups in the order in which they were LAST included.!!
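Review bot: The guard `if (!empty($this->user[$this->usergroup_column]))` now tests the raw column value, and the removed comment is not replaced, so nothing at this call site says where the list is sanitised. I would add `// The raw list is passed on purpose; fetchGroups() runs it through cleanIntList() before building the IN() clause.` above the `fetchGroups()` call. A non-empty but non-numeric value now reaches fetchGroups(), whereas the old `if ($grList)` check on the cleaned list presumably stopped it. That looks harmless, but it is a behaviour change worth mentioning in the commit message.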
@@ -1352,7 +1349,8 @@ class BackendUserAuthentication extends \TYPO3\CMS\Core\Authentication\AbstractU
         */
        public function fetchGroups($grList, $idList = '') {
                // Fetching records of the groups in $grList (which are not blocked by lockedToDomain either):
-               $lockToDomain_SQL = ' AND (lockToDomain=\'\' OR lockToDomain IS NULL OR lockToDomain=\'' . GeneralUtility::getIndpEnv('HTTP_HOST') . '\')';
+               $lockToDomain_SQL = ' AND (lockToDomain=\'\' OR lockToDomain IS NULL OR lockToDomain=' . $this->db->fullQuoteStr(GeneralUtility::getIndpEnv('HTTP_HOST'), $this->usergroup_table) . ')';
+               $grList = $this->db->cleanIntList($grList);
                $whereSQL = 'deleted=0 AND hidden=0 AND pid=0 AND uid IN (' . $grList . ')' . $lockToDomain_SQL;
                // Hook for manipulation of the WHERE sql sentence which controls which BE-groups are included
                if (is_array($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauthgroup.php']['fetchGroupQuery'])) {
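Review bot: `$grList = $this->db->cleanIntList($grList);` overwrites the parameter without a comment, yet two later uses depend on it: the `uid IN (...)` concatenation on the next line and the `foreach (explode(',', $grList) as $uid)` loop in the third hunk of this file. A comment such as `// Sanitise at the point of use: $grList is concatenated into the IN() clause and split with explode() further down.` would keep a later refactor from moving or dropping the call. The `@param` text for `$grList` could also state that callers may pass an uncleaned list; the docblock starts above this hunk. The body of fetchGroups() continues beyond the hunk.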
@@ -1370,9 +1368,7 @@ class BackendUserAuthentication extends \TYPO3\CMS\Core\Authentication\AbstractU
                }
                $this->db->sql_free_result($res);
                // Traversing records in the correct order
-               $include_staticArr = GeneralUtility::intExplode(',', $grList);
-               // Traversing list
-               foreach ($include_staticArr as $uid) {
+               foreach (explode(',', $grList) as $uid) {
                        // Get row:
                        $row = $this->userGroups[$uid];
                        // Must be an array and $uid should not be in the idList, because then it is somewhere previously in the grouplist
index df1c54b..d064c19 100644 (file)
@@ -523,7 +523,7 @@ class StagesService {
         * @return void
         */
        private function fetchGroupsFromDB(array $groups) {
-               $whereSQL = 'deleted=0 AND hidden=0 AND pid=0 AND uid IN (' . implode(',', $groups) . ') ';
+               $whereSQL = 'deleted=0 AND hidden=0 AND pid=0 AND uid IN (' . implode(',', $GLOBALS['TYPO3_DB']->cleanIntArray($groups)) . ') ';
                $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', 'be_groups', $whereSQL);
                // The userGroups array is filled
                while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
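Review bot: An empty `$groups` array still yields `uid IN () ` in `$whereSQL`, because `implode()` over an empty array returns an empty string and wrapping the array in `cleanIntArray()` does not change that. An empty IN list is a syntax error in MySQL, so the query would fail rather than return no rows. If callers can pass an empty array, an early `if (empty($groups)) { return; }` before `$whereSQL` is built avoids that. The function body continues outside the hunk, so what callers guarantee is not visible here.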