Bug #10718
Content security: query rewriting fails if no other constraints are set on the query
Status: | Resolved | Start date: | 2010-11-10
---|---|---|---
Priority: | Must have | Due date: |
Assigned To: | Karsten Dambekalns | % Done: | 100%
Category: | Security | |
Target version: | TYPO3 Flow Base Distribution - 1.0 alpha 13 | |
PHP Version: | | Complexity: |
Has patch: | | Affected Flow version: |

Description
The query rewriting aspect fails if the policy constraint is the only constraint on the query.
In PersistenceQueryRewritingAspect::rewriteQomQuery() the policy constraint is added to the query by:

```php
if ($additionalCalculatedConstraints !== NULL) {
    $newConstraints = $query->logicalAnd($query->getConstraint(), $query->logicalNot($additionalCalculatedConstraints));
    $query->matching($newConstraints);
}
```

However, if $query->getConstraint() returns NULL the call of logicalAnd() fails.

This is my quick fix:

```php
if ($query->getConstraint() !== NULL) {
    $newConstraints = $query->logicalAnd($query->getConstraint(), $query->logicalNot($additionalCalculatedConstraints));
} else {
    $newConstraints = $query->logicalNot($additionalCalculatedConstraints);
}
```

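The guard from the quick fix above, as an added example that is not part of the original report or the FLOW3 code base: `SketchQuery` and `applyPolicyConstraint()` are hypothetical stand-ins with constraints modelled as closures, and the rows are constructed sample data. It shows that a query with no constraint of its own ends up filtered by the policy constraint alone, rather than failing or running unfiltered.

```php
<?php
// Hypothetical stand-in for a query object, NOT the FLOW3 persistence API.
// Constraints are modelled as closures that accept or reject one row.
final class SketchQuery
{
    private ?\Closure $constraint = null;
    public function getConstraint(): ?\Closure { return $this->constraint; }
    public function matching(\Closure $c): self { $this->constraint = $c; return $this; }

    // Rejects a NULL operand (TypeError), standing in for the failure the report describes.
    public function logicalAnd(\Closure $a, \Closure $b): \Closure
    {
        return fn(array $row): bool => $a($row) && $b($row);
    }

    public function logicalNot(\Closure $c): \Closure
    {
        return fn(array $row): bool => !$c($row);
    }

    public function execute(array $rows): array
    {
        $c = $this->constraint;
        return array_values($c === null ? $rows : array_filter($rows, $c));
    }
}

// Null-safe rewrite: the policy filter is applied even to a query without constraints.
function applyPolicyConstraint(SketchQuery $query, ?\Closure $denied): SketchQuery
{
    if ($denied === null) {
        return $query; // no policy constraint was calculated for this query
    }
    $policy = $query->logicalNot($denied);
    $existing = $query->getConstraint();
    return $query->matching($existing === null ? $policy : $query->logicalAnd($existing, $policy));
}

// Constructed sample rows and a constructed "denied" condition.
$rows = [
    ['title' => 'public note', 'restricted' => false],
    ['title' => 'internal memo', 'restricted' => true],
    ['title' => 'public memo', 'restricted' => false],
];
$denied = fn(array $row): bool => $row['restricted'];

$bare = applyPolicyConstraint(new SketchQuery(), $denied); // the case from this report
$memos = (new SketchQuery())->matching(fn(array $row): bool => strpos($row['title'], 'memo') !== false);
echo implode(', ', array_column($bare->execute($rows), 'title')), PHP_EOL;
echo implode(', ', array_column(applyPolicyConstraint($memos, $denied)->execute($rows), 'title')), PHP_EOL;
```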
Associated revisions
[+BUGFIX] FLOW3 (Security): Fix query rewriting sans constraint
Adding the security constraint(s) failed if the original query did not
have any constraint itself.
Change-Id: Icaa9534b1db4cb79dbf1114cdf7815b89e3bd5c1
Fixes: #10718
History
#1 Updated by Karsten Dambekalns over 4 years ago
- Category set to Security
- Assigned To set to Andreas Förthner
Andi, any comments?
#2 Updated by Karsten Dambekalns over 4 years ago
- Status changed from New to Accepted
- Assigned To changed from Andreas Förthner to Karsten Dambekalns
#3 Updated by Andreas Förthner over 4 years ago
yep, this is correct. Fix looks good to me. @Karsten: Do we get this into alpha13, or is it already too late?
#4 Updated by Karsten Dambekalns over 4 years ago
- Status changed from Accepted to Under Review
#5 Updated by Karsten Dambekalns over 4 years ago
- Target version set to 1.0 alpha 13
#6 Updated by Karsten Dambekalns over 4 years ago
Hi Florian,
it would be really cool if you could test the fix in http://review.typo3.org/330
Thanks, Karsten
#7 Updated by Karsten Dambekalns over 4 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset bc30a9d4360efa035e6656e05bd2e3c3c87efb47.