TYPO3 CD 2020 (zweite Auflage) Quiz on 7.3 Discovering Security Issues, created by Pascal Bartl on 09/04/2021.

7.3 Discovering Security Issues

Question 1 of 2

What is wrong with the following code? (1)

public function showAction() {
    $arguments = $this->request->getArguments();
    $template = $arguments['template'];
    if ($template) {
        include $template . '.php';
    } else {
        include 'default_template.php';
    }
    ...
}

Select one or more of the following:

  • The method call should read getArgument('template')

  • The hasArgument() function should be used to check whether the argument exists

  • The require function should be used, rather than include

  • A “path traversal” can be injected via the GET/POST argument

  • Extbase should check whether the file exists before including it

Question 2 of 2

Which statement about the following code in an Extbase repository is correct? (1)

public function selectByPid($pid) {
    $query = $this->createQuery();
    $select = "SELECT uid FROM table WHERE pid = " . $pid;
    return $query->statement($select)->execute(true);
}

Select one or more of the following:

  • The method execute() does not accept a parameter

  • The parameter of method statement() cannot be a native SQL query

  • The code shows a possible SQL injection vulnerability

  • The code is perfectly fine

  • Method names in repository classes must not start with selectBy
