[TASK] Secure EXT: beuser database interactions
authorFelix Kopp <felix-source@phorax.com>
Sun, 28 Oct 2012 11:19:26 +0000 (12:19 +0100)
committerHelmut Hummel <helmut.hummel@typo3.org>
Tue, 27 Nov 2012 00:13:30 +0000 (01:13 +0100)
Wraps database query input in corresponding functions to clean input.
Also fixes a bug in the ViewHelpers so that output is limited to the uid list passed as parameter.

Change-Id: Ie23babb20ab610193ad06cc4305c31f9e042fb9b
Resolves: #42221
Releases: 6.0
Reviewed-on: http://review.typo3.org/15985
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
19 files changed:
typo3/sysext/beuser/Classes/Controller/BackendUserController.php
typo3/sysext/beuser/Classes/Domain/Model/BackendUser.php
typo3/sysext/beuser/Classes/Domain/Model/BackendUserGroup.php
typo3/sysext/beuser/Classes/Domain/Model/Demand.php
typo3/sysext/beuser/Classes/Domain/Model/ModuleData.php
typo3/sysext/beuser/Classes/Domain/Repository/BackendUserGroupRepository.php
typo3/sysext/beuser/Classes/Domain/Repository/BackendUserRepository.php
typo3/sysext/beuser/Classes/Domain/Repository/BackendUserSessionRepository.php
typo3/sysext/beuser/Classes/Hook/SwitchBackUserHook.php
typo3/sysext/beuser/Classes/Service/ModuleDataStorageService.php
typo3/sysext/beuser/Classes/ViewHelpers/Display/PagesViewHelper.php
typo3/sysext/beuser/Classes/ViewHelpers/Display/SysFileMountsViewHelper.php
typo3/sysext/beuser/Classes/ViewHelpers/Display/SysLanguageViewHelper.php
typo3/sysext/beuser/Classes/ViewHelpers/Form/SelectDefaultValueViewHelper.php
typo3/sysext/beuser/Classes/ViewHelpers/IssueCommandViewHelper.php
typo3/sysext/beuser/Classes/ViewHelpers/SectionViewHelper.php
typo3/sysext/beuser/Classes/ViewHelpers/SpriteIconForRecordViewHelper.php
typo3/sysext/beuser/Classes/ViewHelpers/SpriteManagerIconViewHelper.php
typo3/sysext/beuser/Classes/ViewHelpers/SwitchUserViewHelper.php

index a4e0492..9bb8f9f 100755 (executable)
@@ -113,7 +113,10 @@ class BackendUserController extends \TYPO3\CMS\Extbase\Mvc\Controller\ActionCont
                }
                // Switch user permanently or only until logout
                if (\TYPO3\CMS\Core\Utility\GeneralUtility::_GP('SwitchUser')) {
-                       $this->switchUser(\TYPO3\CMS\Core\Utility\GeneralUtility::_GP('SwitchUser'), \TYPO3\CMS\Core\Utility\GeneralUtility::_GP('switchBackUser'));
+                       $this->switchUser(
+                               \TYPO3\CMS\Core\Utility\GeneralUtility::_GP('SwitchUser'),
+                               \TYPO3\CMS\Core\Utility\GeneralUtility::_GP('switchBackUser')
+                       );
                }
                $compareUserList = $this->moduleData->getCompareUserList();
                $this->view->assign('demand', $demand);
@@ -221,5 +224,4 @@ class BackendUserController extends \TYPO3\CMS\Extbase\Mvc\Controller\ActionCont
 
 }
 
-
 ?>
\ No newline at end of file
index f36e653..61acaa4 100755 (executable)
@@ -129,5 +129,4 @@ class BackendUser extends \TYPO3\CMS\Extbase\Domain\Model\BackendUser {
 
 }
 
-
 ?>
\ No newline at end of file
index cfb58ad..72004f5 100755 (executable)
@@ -73,5 +73,4 @@ class BackendUserGroup extends \TYPO3\CMS\Extbase\DomainObject\AbstractEntity {
 
 }
 
-
 ?>
\ No newline at end of file
index 611d19f..870baf4 100755 (executable)
@@ -161,5 +161,4 @@ class Demand extends \TYPO3\CMS\Extbase\DomainObject\AbstractEntity {
 
 }
 
-
 ?>
\ No newline at end of file
index 0fd3c63..3a1af19 100755 (executable)
@@ -32,8 +32,6 @@ namespace TYPO3\CMS\Beuser\Domain\Repository;
  */
 class BackendUserGroupRepository extends \TYPO3\CMS\Extbase\Persistence\Repository {
 
-
 }
 
-
 ?>
\ No newline at end of file
index 4889d90..507d57e 100755 (executable)
@@ -40,7 +40,7 @@ class BackendUserRepository extends \TYPO3\CMS\Extbase\Domain\Repository\Backend
         */
        public function findByUidList($uidList) {
                $query = $this->createQuery();
-               return $query->matching($query->in('uid', $uidList))->execute();
+               return $query->matching($query->in('uid', $GLOBALS['TYPO3_DB']::cleanIntArray($uidList)))->execute();
        }
 
        /**
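Review bot: `cleanIntArray` on L97 is invoked with `::` on `$GLOBALS['TYPO3_DB']`, while every other helper used in this commit (`cleanIntList`, `escapeStrForLike`) is called with `->`; if `cleanIntArray` is an instance method like those, the static-style call raises a strict-standards notice and should read `return $query->matching($query->in('uid', $GLOBALS['TYPO3_DB']->cleanIntArray($uidList)))->execute();`. A docblock line such as `@param array $uidList backend user uids; each element is cast to int before the query (confirm against the helper's contract)` would tell callers what the cleaning does to non-numeric entries. The findByUidList docblock begins outside the hunk.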
@@ -57,7 +57,10 @@ class BackendUserRepository extends \TYPO3\CMS\Extbase\Domain\Repository\Backend
                $query->setOrderings(array('userName' => \TYPO3\CMS\Extbase\Persistence\QueryInterface::ORDER_ASCENDING));
                // Username
                if ($demand->getUserName() !== '') {
-                       $constraints[] = $query->like('userName', '%' . $demand->getUserName() . '%');
+                       $constraints[] = $query->like(
+                               'userName',
+                               '%' . $GLOBALS['TYPO3_DB']->escapeStrForLike($demand->getUserName(), 'be_users') . '%'
+                       );
                }
                // Only display admin users
                if ($demand->getUserType() == \TYPO3\CMS\Beuser\Domain\Model\Demand::USERTYPE_ADMINONLY) {
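Review bot: The value handed to `$query->like()` on L106-L109 is, as far as I recall, still quoted for SQL by Extbase's persistence backend, so what `escapeStrForLike` contributes here is escaping of the `%` and `_` wildcard characters, preventing a search term of `%` from matching every account. A comment would stop a later maintainer from dropping the call as redundant: `// Escape LIKE wildcards (%, _) in the search term; the persistence layer quotes the value itself`. The enclosing method begins and ends outside the hunk.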
@@ -86,7 +89,12 @@ class BackendUserRepository extends \TYPO3\CMS\Extbase\Domain\Repository\Backend
                // In backend user group
                // @TODO: Refactor for real n:m relations
                if ($demand->getBackendUserGroup()) {
-                       $constraints[] = $query->logicalOr($query->equals('usergroup', $demand->getBackendUserGroup()->getUid()), $query->like('usergroup', $demand->getBackendUserGroup()->getUid() . ',%'), $query->like('usergroup', '%,' . $demand->getBackendUserGroup()->getUid()), $query->like('usergroup', '%,' . $demand->getBackendUserGroup()->getUid() . ',%'));
+                       $constraints[] = $query->logicalOr(
+                               $query->equals('usergroup', intval($demand->getBackendUserGroup()->getUid())),
+                               $query->like('usergroup', intval($demand->getBackendUserGroup()->getUid()) . ',%'),
+                               $query->like('usergroup', '%,' . intval($demand->getBackendUserGroup()->getUid())),
+                               $query->like('usergroup', '%,' . intval($demand->getBackendUserGroup()->getUid()) . ',%')
+                       );
                        $query->contains('usergroup', $demand->getBackendUserGroup());
                }
                $query->matching($query->logicalAnd($constraints));
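Review bot: `intval($demand->getBackendUserGroup()->getUid())` is evaluated four times in L119-L122; hoisting it once, `$groupUid = (int) $demand->getBackendUserGroup()->getUid();`, and using `$groupUid` in the four constraints keeps the OR-group readable and makes the cast visible in one place. The unchanged `$query->contains('usergroup', ...)` on L124 discards its return value, so that constraint is never applied; it is either dead code or a missing `$constraints[] =`, which is worth settling together with the @TODO above it. The enclosing method begins and ends outside the hunk.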
@@ -123,5 +131,4 @@ class BackendUserRepository extends \TYPO3\CMS\Extbase\Domain\Repository\Backend
 
 }
 
-
 ?>
\ No newline at end of file
index e846ed4..64d77e5 100755 (executable)
@@ -41,7 +41,13 @@ class BackendUserSessionRepository extends \TYPO3\CMS\Extbase\Persistence\Reposi
         */
        public function findByBackendUser(\TYPO3\CMS\Beuser\Domain\Model\BackendUser $backendUser) {
                $sessions = array();
-               $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('ses_id AS id, ses_iplock AS ip, ses_tstamp AS timestamp', 'be_sessions', 'ses_userid = "' . $backendUser->getUid() . '"', '', 'ses_tstamp ASC');
+               $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
+                       'ses_id AS id, ses_iplock AS ip, ses_tstamp AS timestamp',
+                       'be_sessions',
+                       'ses_userid = "' . intval($backendUser->getUid()) . '"',
+                       '',
+                       'ses_tstamp ASC'
+               );
                while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
                        $sessions[] = array(
                                'id' => $row['id'],
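Review bot: The WHERE clause on L143 wraps an integer in SQL double quotes, `'ses_userid = "' . intval($backendUser->getUid()) . '"'`; once the value is cast to int the quotes add nothing and would break under ANSI_QUOTES, so `'ses_userid = ' . intval($backendUser->getUid()),` is the cleaner form. The SELECT also copies `ses_id` into the result array as `id`; session identifiers are credential-equivalent, so it is worth confirming that the consuming template uses them only to address a session and never renders them. The method's loop and return continue past the hunk.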
@@ -54,5 +60,4 @@ class BackendUserSessionRepository extends \TYPO3\CMS\Extbase\Persistence\Reposi
 
 }
 
-
 ?>
\ No newline at end of file
index 74a5c26..8d10329 100644 (file)
@@ -38,6 +38,7 @@ class ModuleDataStorageService implements \TYPO3\CMS\Core\SingletonInterface {
         * @var string
         */
        const KEY = 'tx_beuser';
+
        /**
         * @var \TYPO3\CMS\Extbase\Object\ObjectManagerInterface
         * @inject
@@ -71,5 +72,4 @@ class ModuleDataStorageService implements \TYPO3\CMS\Core\SingletonInterface {
 
 }
 
-
 ?>
\ No newline at end of file
index 0021110..d4bae93 100755 (executable)
@@ -40,8 +40,14 @@ class PagesViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractViewHelpe
                if (!$uids) {
                        return '';
                }
+
                $content = '';
-               $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid, title', 'pages', 'uid IN (' . $uids . ')', 'uid ASC');
+               $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
+                       'uid, title',
+                       'pages',
+                       'uid IN (' . $GLOBALS['TYPO3_DB']->cleanIntList($uids) . ')',
+                       'uid ASC'
+               );
                while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
                        $content .= '<li>' . $row['title'] . ' [' . $row['uid'] . ']</li>';
                }
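Review bot: `$row['title']` is concatenated straight into HTML on L188, and likewise on L212 and L236 in the SysFileMounts and SysLanguage view helpers; page, file-mount and language titles are editor-controlled data, so they should be escaped for the HTML context, `$content .= '<li>' . htmlspecialchars($row['title']) . ' [' . (int) $row['uid'] . ']</li>';`. The `cleanIntList` on L184 closes the SQL side only; the output side is unchanged by this commit. The render method's return lies outside the hunk.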
@@ -50,5 +56,4 @@ class PagesViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractViewHelpe
 
 }
 
-
 ?>
\ No newline at end of file
index 34fc497..f5c31cd 100755 (executable)
@@ -40,8 +40,14 @@ class SysFileMountsViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractV
                if (!$uids) {
                        return '';
                }
+
                $content = '';
-               $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid, title', 'sys_filemounts', '', 'title ASC');
+               $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
+                       'uid, title',
+                       'sys_filemounts',
+                       'uid IN (' . $GLOBALS['TYPO3_DB']->cleanIntList($uids) . ')',
+                       'title ASC'
+               );
                while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
                        $content .= '<li>' . $row['title'] . ' [' . $row['uid'] . ']</li>';
                }
@@ -50,5 +56,4 @@ class SysFileMountsViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractV
 
 }
 
-
 ?>
\ No newline at end of file
index 629f242..2c9df68 100755 (executable)
@@ -40,8 +40,14 @@ class SysLanguageViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractVie
                if (!$uids) {
                        return '';
                }
+
                $content = '';
-               $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid, title, flag', 'sys_language', '', 'title ASC');
+               $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
+                       'uid, title, flag',
+                       'sys_language',
+                       'uid IN (' . $GLOBALS['TYPO3_DB']->cleanIntList($uids) . ')',
+                       'title ASC'
+               );
                while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
                        $content .= '<li>' . $row['title'] . ' [' . $row['uid'] . ']</li>';
                }
@@ -50,5 +56,4 @@ class SysLanguageViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractVie
 
 }
 
-
 ?>
\ No newline at end of file
index 8dd8ac4..a25bd2c 100755 (executable)
@@ -48,5 +48,4 @@ class IssueCommandViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractVi
 
 }
 
-
 ?>
\ No newline at end of file
index ca05013..4dc0a9f 100755 (executable)
@@ -50,5 +50,4 @@ class SectionViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractViewHel
 
 }
 
-
 ?>
\ No newline at end of file
index 6ff9d48..ac73d8d 100755 (executable)
@@ -47,5 +47,4 @@ class SwitchUserViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractView
 
 }
 
-
 ?>
\ No newline at end of file