Merge pull request #453 from kartolo/hotfix/2023110110000013

[Security] prevent user to input multiline value
kartolo · Dec 12, 2023 · 6fb797f · 6fb797f
2 parents 3a9cef7 + 634a54c
commit 6fb797f
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/Classes/Utility/TsUtility.php b/Classes/Utility/TsUtility.php
@@ -62,7 +62,13 @@ public function updatePagesTSconfig(int $id, array $pageTs, string $tsConfPrefix
             }
             $set = [];
             foreach ($pageTs as $f => $v) {
-                $v = trim($v);
+                // only get the first line of input and ignore the rest
+                $v = strtok(trim($v), "\r\n");
+                // if token is not found (false)
+                if ($v === false) {
+                    // then set empty string
+                    $v = '';
+                }
                 $f = $tsConfPrefix . $f;
                 $tempF = isset($impParams[$f]) ? trim($impParams[$f]) : '';
                 if (strcmp($tempF, $v)) {

diff --git a/ext_emconf.php b/ext_emconf.php
@@ -9,7 +9,7 @@
     'author_company' => 'd.k.d Internet Service GmbH',
     'state' => 'stable',
     'clearcacheonload' => 0,
-    'version' => '9.5.1',
+    'version' => '9.5.2',
     'constraints' => [
         'depends' => [
             'typo3' => '11.5.0-11.99.99',