[BUGFIX] Prevent null value being passed to hash_equals 96/58596/5
author Sascha Egerer <sascha@sascha-egerer.de>
Mon, 8 Oct 2018 23:13:49 +0000 (01:13 +0200)
committer Benni Mack <benni@typo3.org>
Fri, 26 Oct 2018 13:37:25 +0000 (15:37 +0200)
The second parameter of hash_equals must be a string but could be a
null value in the FileDumpController. It is ensured now that the
value is always a string.

Resolves: #86599
Releases: master, 8.7
Change-Id: Iaf682b405be6712aa31603521a2d873b4c3bcb89
Reviewed-on: https://review.typo3.org/58596
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
typo3/sysext/core/Classes/Controller/FileDumpController.php

index 0868ea4..9a470a1 100644 (file)
@@ -1,4 +1,6 @@
 <?php
+declare(strict_types = 1);
+
 namespace TYPO3\CMS\Core\Controller;
 
 /*
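Review bot: `declare(strict_types = 1);` at the top of the file changes type handling for every call made from this file, not only the `hash_equals` call the commit message names, and the message lists 8.7 as a release target. Suggest stating the strict-types switch in the commit message and checking the controller's other scalar-typed calls for values that were silently coerced before, since those now raise a TypeError instead.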
@@ -95,10 +97,10 @@ class FileDumpController
     /**
      * @param ServerRequestInterface $request
      * @param string $parameter
-     * @return mixed|null
+     * @return string
      */
-    protected function getGetOrPost(ServerRequestInterface $request, $parameter)
+    protected function getGetOrPost(ServerRequestInterface $request, string $parameter): string
     {
-        return $request->getParsedBody()[$parameter] ?? $request->getQueryParams()[$parameter] ?? null;
+        return (string)($request->getParsedBody()[$parameter] ?? $request->getQueryParams()[$parameter] ?? '');
     }
 }
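Review bot: the `(string)` cast in `getGetOrPost()` does not cover a request parameter submitted as an array (for example `name[]=x`): the cast then produces the literal string "Array" and raises an "Array to string conversion" notice rather than treating the input as missing. Suggest testing the value with `is_string()` (or `is_scalar()`) first and returning `''` otherwise, so non-scalar input is rejected explicitly before it reaches `hash_equals`.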