[BUGFIX][SECURITY] SQL Injection in Scheduler Task of Linkvalidator
author Oliver Hader <oliver@typo3.org>
Mon, 10 Oct 2011 22:47:21 +0000 (00:47 +0200)
committer Oliver Hader <oliver@typo3.org>
Mon, 10 Oct 2011 22:47:21 +0000 (00:47 +0200)
The field "start page (uid)" in the additional fields for the Scheduler
task is not sanitized on executing a SQL query to look up the page.

Change-Id: I99f7ac32ed16ef3d2be9673ee2d0af72ed0c5b0c
Resolves: #30753
Releases: 4.5,4.6

typo3/sysext/linkvalidator/classes/tasks/class.tx_linkvalidator_tasks_validatoradditionalfieldprovider.php

index 776a6ab..ef4d51a 100644 (file)
@@ -223,7 +223,7 @@ class tx_linkvalidator_tasks_ValidatorAdditionalFieldProvider implements tx_sche
                        }
                }
 
-               if ($res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', 'pages', 'uid = ' . $submittedData['linkvalidator']['page'])) {
+               if ($res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', 'pages', 'uid = ' . intval($submittedData['linkvalidator']['page']))) {
                        if ($GLOBALS['TYPO3_DB']->sql_num_rows($res) == 0 && $submittedData['linkvalidator']['page'] > 0) {
                                $isValid = FALSE;
                                $schedulerModule->addMessage(
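Review bot: On the changed line the cast is applied only inside the WHERE string, while the unchanged check right after it still reads the raw `$submittedData['linkvalidator']['page']` for the `> 0` comparison, so the query and the validation condition can see different values. Cast once into a local, for example `$page = intval($submittedData['linkvalidator']['page']);`, and use that in both the `exec_SELECTquery()` call and the `> 0` check so the value that is validated is the same one that is queried. A short comment noting that this field is expected to be an integer page uid would also help the next reader see why the cast is there.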