From d4f20bb7e6bfcc3618fdaf2097d36accbfb34002 Mon Sep 17 00:00:00 2001 From: Daniel Siepmann <coding@daniel-siepmann.de> Date: Wed, 10 Jul 2024 07:50:49 +0200 Subject: [PATCH] [BUGFIX] Prevent TypeError int values of backend user settings PHP will cast array keys to int if they are valid integers. The code applies htmlspecialchars() on the keys. The function expects a string as first argument, which wouldn't be the case if the actual value would be an int. Therefore the key is casted to a string within the function call to prevent TypeError. Resolves: #104341 Releases: main, 12.4 Change-Id: Ic9aef0fd37f2e883a2a8fa626cfda2e813e3b289 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/85194 Tested-by: core-ci <typo3@b13.com> Tested-by: Oliver Bartsch <bo@cedev.de> Reviewed-by: Oliver Bartsch <bo@cedev.de> --- typo3/sysext/setup/Classes/Controller/SetupModuleController.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/typo3/sysext/setup/Classes/Controller/SetupModuleController.php b/typo3/sysext/setup/Classes/Controller/SetupModuleController.php index cbb2843fa4fa..ecf6eb33b61e 100644 --- a/typo3/sysext/setup/Classes/Controller/SetupModuleController.php +++ b/typo3/sysext/setup/Classes/Controller/SetupModuleController.php @@ -486,7 +486,7 @@ class SetupModuleController name="data' . $dataAdd . '[' . htmlspecialchars($fieldName) . ']"' . $more . '>' . LF; foreach ($config['items'] as $key => $optionLabel) { - $html .= '<option value="' . htmlspecialchars($key) . '"' . ($value == $key ? ' selected="selected"' : '') . '>' . $this->getLabel($optionLabel, '', false) . '</option>' . LF; + $html .= '<option value="' . htmlspecialchars((string)$key) . '"' . ($value == $key ? ' selected="selected"' : '') . '>' . $this->getLabel($optionLabel, '', false) . '</option>' . LF; } $html .= '</select>'; } -- GitLab
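Review bot: The selected-state check on the changed line still uses the loose comparison `$value == $key`, although the same key is now cast to a string for the `value` attribute. The rendered value and the selection logic can therefore disagree for numeric-looking settings: a stored `'01'` or `'1e1'` compares equal to the integer keys 1 and 10. Assuming `$value` is a scalar, comparing the string forms keeps both in step and stops more than one option being marked selected: `((string)$value === (string)$key ? ' selected="selected"' : '')`. Separately, the option label is emitted through `$this->getLabel($optionLabel, '', false)` with no `htmlspecialchars()` visible on this line; `getLabel` is defined outside the hunk, so confirm that it escapes its return value. The enclosing method starts and ends outside the hunk.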