* Fixed bug #1985: XSS vulnerability in wizard classes
* Fixed bug #15223: Password request hash in felogin is created with not enough randomness (thanks to Helmut Hummel)
* Fixed bug #14712: The GET/POST variable mimeType is used to create the http header content-type without verification (thanks to Rupert Germann)
+ * Fixed bug #14412: Field value added to foreign_table_where by replacing ###REC_FIELD_THE_FIELD_NAME### is not quoted (thanks to Helmut Hummel and Xavier Perseguers)
2010-07-27 Steffen Kamper <steffen@typo3.org>
foreach ($fTWHERE_parts as $kk => $vv) {
if ($kk) {
$fTWHERE_subpart = explode('###', $vv, 2);
- $fTWHERE_parts[$kk] = $TSconfig['_THIS_ROW'][$fTWHERE_subpart[0]].$fTWHERE_subpart[1];
+ if (substr($fTWHERE_parts[0], -1) === '\'' && $fTWHERE_subpart[1]{0} === '\'') {
+ $fTWHERE_parts[$kk] = $GLOBALS['TYPO3_DB']->quoteStr($TSconfig['_THIS_ROW'][$fTWHERE_subpart[0]], $foreign_table) . $fTWHERE_subpart[1];
+ } else {
+ $fTWHERE_parts[$kk] = $GLOBALS['TYPO3_DB']->fullQuoteStr($TSconfig['_THIS_ROW'][$fTWHERE_subpart[0]], $foreign_table) . $fTWHERE_subpart[1];
+ }
}
}
$fTWHERE = implode('', $fTWHERE_parts);
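Review bot: The quote detection in the first added line always inspects `$fTWHERE_parts[0]`, so when foreign_table_where holds more than one ###REC_FIELD_...### marker, the second and later replacements are judged by the text before the first marker instead of the text directly before their own. A later marker that the TCA author already wrapped in quotes can then go through `fullQuoteStr()` and come out double-quoted, which breaks the statement and appears to leave the escaped value outside a single string literal. I would test the segment preceding the current marker, e.g. `substr($fTWHERE_parts[$kk - 1], -1) === '\''`, assuming that segment still ends in its literal remainder at that point. `$fTWHERE_subpart[1]` is also read without checking that `explode()` returned two elements, so a marker with no closing ### raises a notice and is treated as unquoted. The enclosing function starts and ends outside this hunk, so how `$foreign_table` is set could not be checked here.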