[SECURITY] SQLi in AuthenticationService

The environment variable `HTTP_HOST` is used in SQL statements but is not properly escaped, leading to an SQL injection vulnerability. Resolves: #75740 Releases: 7.6, 6.2 Security-Commit: 137f240450524afedb3f341305c65ab798004e98 Security-Bulletins: TYPO3-CORE-SA-2016-014, 015, 016, 017, 018 Change-Id: I73554a1503a3a408bbbd8ff60b5196a429579b4e Reviewed-on: https://review.typo3.org/49068 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · Jul 19, 2016 · 6e35fee · 6e35fee
1 parent 1374e99
commit 6e35fee
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/typo3/sysext/sv/Classes/AuthenticationService.php b/typo3/sysext/sv/Classes/AuthenticationService.php
@@ -152,7 +152,12 @@ public function getGroups($user, $knownGroups)
                 if ($this->writeDevLog) {
                     GeneralUtility::devLog('Get usergroups with id: ' . $list, __CLASS__);
                 }
-                $lockToDomain_SQL = ' AND (lockToDomain=\'\' OR lockToDomain IS NULL OR lockToDomain=\'' . $this->authInfo['HTTP_HOST'] . '\')';
+                $lockToDomain_SQL =
+                    ' AND ('
+                        . 'lockToDomain=\'\''
+                        . ' OR lockToDomain IS NULL'
+                        . ' OR lockToDomain=' . $this->getDatabaseConnection()->fullQuoteStr($this->authInfo['HTTP_HOST'], $this->db_groups['table'])
+                    . ')';
                 $hiddenP = !$this->authInfo['showHiddenRecords'] ? 'AND hidden=0 ' : '';
                 $res = $this->getDatabaseConnection()->exec_SELECTquery('*', $this->db_groups['table'], 'deleted=0 ' . $hiddenP . ' AND uid IN (' . $list . ')' . $lockToDomain_SQL);
                 while ($row = $this->getDatabaseConnection()->sql_fetch_assoc($res)) {
@@ -184,7 +189,12 @@ public function getGroups($user, $knownGroups)
     public function getSubGroups($grList, $idList = '', &$groups)
     {
         // Fetching records of the groups in $grList (which are not blocked by lockedToDomain either):
-        $lockToDomain_SQL = ' AND (lockToDomain=\'\' OR lockToDomain IS NULL OR lockToDomain=\'' . $this->authInfo['HTTP_HOST'] . '\')';
+        $lockToDomain_SQL =
+            ' AND ('
+                . 'lockToDomain=\'\''
+                . ' OR lockToDomain IS NULL'
+                . ' OR lockToDomain=' . $this->getDatabaseConnection()->fullQuoteStr($this->authInfo['HTTP_HOST'], 'fe_groups')
+            . ')';
         $hiddenP = !$this->authInfo['showHiddenRecords'] ? 'AND hidden=0 ' : '';
         $res = $this->getDatabaseConnection()->exec_SELECTquery('uid,subgroup', 'fe_groups', 'deleted=0 ' . $hiddenP . ' AND uid IN (' . $grList . ')' . $lockToDomain_SQL);
         // Internal group record storage