Bug #22410 » 14050_cleaning_t3lib_formprotection_directory1.patch
t3lib/formprotection/class.t3lib_formprotection_backendformprotection.php (revision ) | ||
---|---|---|
<?php
|
||
/***************************************************************
|
||
* Copyright notice
|
||
*
|
||
* (c) 2010 Oliver Klee <typo3-coding@oliverklee.de>
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
* Copyright notice
|
||
*
|
||
* (c) 2010 Oliver Klee <typo3-coding@oliverklee.de>
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
/**
|
||
* Class t3lib_formprotection_BackendFormProtection.
|
||
... | ... | |
*
|
||
* <pre>
|
||
* $formToken = t3lib_formprotection_Factory::get(
|
||
* t3lib_formprotection_Factory::TYPE_BACK_END
|
||
* t3lib_formprotection_Factory::TYPE_BACK_END
|
||
* )->generateToken(
|
||
* 'BE user setup', 'edit'
|
||
* 'BE user setup', 'edit'
|
||
* );
|
||
* $this->content .= '<input type="hidden" name="formToken" value="' .
|
||
* $formToken . '" />';
|
||
* $formToken . '" />';
|
||
* </pre>
|
||
*
|
||
* The three parameters $formName, $action and $formInstanceName can be
|
||
... | ... | |
*
|
||
* <pre>
|
||
* $formToken = t3lib_formprotection_Factory::get(
|
||
* t3lib_formprotection_Factory::TYPE_BACK_END
|
||
* t3lib_formprotection_Factory::TYPE_BACK_END
|
||
* )->getFormProtection()->generateToken(
|
||
* 'tt_content', 'edit', $uid
|
||
* 'tt_content', 'edit', $uid
|
||
* );
|
||
* </pre>
|
||
*
|
||
... | ... | |
*
|
||
* <pre>
|
||
* t3lib_formprotection_Factory::get(
|
||
* t3lib_formprotection_Factory::TYPE_BACK_END
|
||
* t3lib_formprotection_Factory::TYPE_BACK_END
|
||
* )->persistTokens();
|
||
* </pre>
|
||
*
|
||
... | ... | |
*
|
||
* <pre>
|
||
* if ($dataHasBeenSubmitted && t3lib_formprotection_Factory::get(
|
||
* t3lib_formprotection_Factory::TYPE_BACK_END
|
||
* t3lib_formprotection_Factory::TYPE_BACK_END
|
||
* )->validateToken(
|
||
* )->validateToken(
|
||
* (string) t3lib_div::_POST('formToken'),
|
||
* (string) t3lib_div::_POST('formToken'),
|
||
* 'BE user setup', 'edit
|
||
* 'BE user setup', 'edit
|
||
* )
|
||
* )
|
||
* ) {
|
||
* // processes the data
|
||
* // processes the data
|
||
* } else {
|
||
* // no need to do anything here as the BE form protection will create a
|
||
* // no need to do anything here as the BE form protection will create a
|
||
* // flash message for an invalid token
|
||
* // flash message for an invalid token
|
||
* }
|
||
* </pre>
|
||
*
|
||
... | ... | |
if (!isset($GLOBALS['BE_USER'])) {
|
||
throw new t3lib_error_Exception(
|
||
'A back-end form protection may only be instantiated if there' .
|
||
' is an active back-end session.',
|
||
' is an active back-end session.',
|
||
1285067843
|
||
);
|
||
}
|
||
... | ... | |
* @return void
|
||
*/
|
||
protected function createValidationErrorMessage() {
|
||
$message = t3lib_div::makeInstance(
|
||
$message = t3lib_div::makeInstance(
|
||
't3lib_FlashMessage',
|
||
$GLOBALS['LANG']->sL(
|
||
'LLL:EXT:lang/locallang_core.xml:error.formProtection.tokenInvalid'
|
||
... | ... | |
* Retrieves all saved tokens.
|
||
*
|
||
* @return array<array>
|
||
* the saved tokens as, will be empty if no tokens have been saved
|
||
* the saved tokens as, will be empty if no tokens have been saved
|
||
*/
|
||
protected function retrieveTokens() {
|
||
$tokens = $GLOBALS['BE_USER']->getSessionData('formTokens');
|
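Review bot: The validateToken example in the class docblock has an unterminated string literal, `'BE user setup', 'edit` (printed twice in the hunk as the re-indented old and new line); it should read `'BE user setup', 'edit'` so the snippet can be copied as-is, matching the generateToken example above it. The retrieveTokens docblock in the same section reads `the saved tokens as, will be empty if no tokens have been saved`; dropping the stray `as` brings it in line with the wording used in the abstract class. Both are documentation-only; the hunk only re-indents these lines, and the retrieveTokens body continues outside the section.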
t3lib/formprotection/class.t3lib_formprotection_abstract.php (revision ) | ||
---|---|---|
<?php
|
||
/***************************************************************
|
||
* Copyright notice
|
||
*
|
||
* (c) 2010 Oliver Klee <typo3-coding@oliverklee.de>
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
* Copyright notice
|
||
*
|
||
* (c) 2010 Oliver Klee <typo3-coding@oliverklee.de>
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
/**
|
||
* Class t3lib_formprotection_Abstract.
|
||
... | ... | |
* Note: This function does not persist the tokens.
|
||
*
|
||
* @param string $formName
|
||
* the name of the form, for example a table name like "tt_content",
|
||
* the name of the form, for example a table name like "tt_content",
|
||
* or some other identifier like "install_tool_password", must not be
|
||
* or some other identifier like "install_tool_password", must not be
|
||
* empty
|
||
* empty
|
||
* @param string $action
|
||
* the name of the action of the form, for example "new", "delete" or
|
||
* the name of the action of the form, for example "new", "delete" or
|
||
* "edit", may also be empty
|
||
* "edit", may also be empty
|
||
* @param string $formInstanceName
|
||
* a string used to differentiate two instances of the same form,
|
||
* a string used to differentiate two instances of the same form,
|
||
* form example a record UID or a comma-separated list of UIDs,
|
||
* form example a record UID or a comma-separated list of UIDs,
|
||
* may also be empty
|
||
* may also be empty
|
||
*
|
||
* @return string the 32-character hex ID of the generated token
|
||
*/
|
||
... | ... | |
* FALSE the second time.
|
||
*
|
||
* @param string $tokenId
|
||
* a form token to check, may also be empty or utterly misformed
|
||
* a form token to check, may also be empty or utterly misformed
|
||
* @param string $formName
|
||
* the name of the form to check, for example "tt_content",
|
||
* the name of the form to check, for example "tt_content",
|
||
* may also be empty or utterly misformed
|
||
* may also be empty or utterly misformed
|
||
* @param string $action
|
||
* the action of the form to check, for example "edit",
|
||
* the action of the form to check, for example "edit",
|
||
* may also be empty or utterly misformed
|
||
* may also be empty or utterly misformed
|
||
* @param string $formInstanceName
|
||
* the instance name of the form to check, for example "42" or "foo"
|
||
* the instance name of the form to check, for example "42" or "foo"
|
||
* or "31,42", may also be empty or utterly misformed
|
||
* or "31,42", may also be empty or utterly misformed
|
||
*
|
||
* @return boolean
|
||
* TRUE if $tokenId, $formName, $action and $formInstanceName match
|
||
* TRUE if $tokenId, $formName, $action and $formInstanceName match
|
||
* and the token has not been used yet, FALSE otherwise
|
||
* and the token has not been used yet, FALSE otherwise
|
||
*/
|
||
public function validateToken(
|
||
$tokenId, $formName, $action = '', $formInstanceName = ''
|
||
... | ... | |
if (isset($this->tokens[$tokenId])) {
|
||
$token = $this->tokens[$tokenId];
|
||
$isValid = ($token['formName'] == $formName)
|
||
&& ($token['action'] == $action)
|
||
&& ($token['formInstanceName'] == $formInstanceName);
|
||
&& ($token['action'] == $action)
|
||
&& ($token['formInstanceName'] == $formInstanceName);
|
||
$this->dropToken($tokenId);
|
||
} else {
|
||
$isValid = FALSE;
|
||
... | ... | |
* Retrieves all saved tokens.
|
||
*
|
||
* @return array<arrray>
|
||
* the saved tokens, will be empty if no tokens have been saved
|
||
* the saved tokens, will be empty if no tokens have been saved
|
||
*/
|
||
abstract protected function retrieveTokens();
|
||
... | ... | |
* Note: This function does not persist the tokens.
|
||
*
|
||
* @param string $tokenId
|
||
* the 32-character ID of an existing token, must not be empty
|
||
* the 32-character ID of an existing token, must not be empty
|
||
*
|
||
* @return void
|
||
*/
|
||
... | ... | |
}
|
||
}
|
||
}
|
||
?>
|
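Review bot: validateToken compares the stored token fields with the caller-supplied values using loose `==` (`$token['formName'] == $formName` and the `action` and `formInstanceName` lines that follow it); for a check whose inputs are documented as possibly "empty or utterly misformed", the comparison should be strict so PHP's type-juggling rules cannot widen what counts as a match: `$isValid = ($token['formName'] === $formName)`, `&& ($token['action'] === $action)`, `&& ($token['formInstanceName'] === $formInstanceName);`. The hunk only re-indents these lines, and validateToken's body continues outside it. Separately, the retrieveTokens docblock reads `@return array<arrray>`; it should be `@return array<array>` to match the two concrete implementations in this patch.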
t3lib/formprotection/class.t3lib_formprotection_factory.php (revision ) | ||
---|---|---|
<?php
|
||
/***************************************************************
|
||
* Copyright notice
|
||
*
|
||
* (c) 2010 Oliver Klee <typo3-coding@oliverklee.de>
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
* Copyright notice
|
||
*
|
||
* (c) 2010 Oliver Klee <typo3-coding@oliverklee.de>
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
/**
|
||
* Class t3lib_formprotection_Factory.
|
||
... | ... | |
*
|
||
* <pre>
|
||
* $formProtection = t3lib_formprotection_Factory::get(
|
||
* 't3lib_formProtection_BackEnd'
|
||
* 't3lib_formProtection_BackEnd'
|
||
* );
|
||
* </pre>
|
||
*
|
||
... | ... | |
*
|
||
* <pre>
|
||
* $formProtection = t3lib_formprotection_Factory::get(
|
||
* 'tx_install_formprotection'
|
||
* 'tx_install_formprotection'
|
||
* );
|
||
* $formProtection->injectInstallTool($this);
|
||
* </pre>
|
||
... | ... | |
/**
|
||
* Private constructor to prevent instantiation.
|
||
*/
|
||
private function __construct() {}
|
||
private function __construct() {
|
||
}
|
||
/**
|
||
* Gets a form protection instance for the requested class $className.
|
||
... | ... | |
* existing instance will be returned.
|
||
*
|
||
* @param string $className
|
||
* the name of the class for which to return an instance, must be
|
||
* the name of the class for which to return an instance, must be
|
||
* "t3lib_formProtection_BackEnd" or "t3lib_formprotection_InstallToolFormProtection"
|
||
* "t3lib_formProtection_BackEnd" or "t3lib_formprotection_InstallToolFormProtection"
|
||
*
|
||
* @return t3lib_formprotection_Abstract the requested instance
|
||
*/
|
||
... | ... | |
if (!class_exists($className, TRUE)) {
|
||
throw new InvalidArgumentException(
|
||
'$className must be the name of an existing class, but ' .
|
||
'actually was "' . $className . '".',
|
||
'actually was "' . $className . '".',
|
||
1285352962
|
||
);
|
||
}
|
||
... | ... | |
if (!$instance instanceof t3lib_formprotection_Abstract) {
|
||
throw new InvalidArgumentException(
|
||
'$className must be a subclass of ' .
|
||
't3lib_formprotection_Abstract, but actually was "' .
|
||
$className . '".',
|
||
't3lib_formprotection_Abstract, but actually was "' .
|
||
$className . '".',
|
||
1285353026
|
||
);
|
||
}
|
||
... | ... | |
* Note: This function is intended for testing purposes only.
|
||
*
|
||
* @param string $className
|
||
* the name of the class for which to set an instance, must be
|
||
* the name of the class for which to set an instance, must be
|
||
* "t3lib_formProtection_BackEnd" or "t3lib_formprotection_InstallToolFormProtection"
|
||
* "t3lib_formProtection_BackEnd" or "t3lib_formprotection_InstallToolFormProtection"
|
||
* @param t3lib_formprotection_Abstract $instance
|
||
* the instance to set
|
||
* the instance to set
|
||
*
|
||
* @return void
|
||
*/
|
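Review bot: The class docblock examples and both `@param string $className` descriptions name `t3lib_formProtection_BackEnd` and `tx_install_formprotection` as the accepted class names, while the classes in this same patch are `t3lib_formprotection_BackendFormProtection` and `t3lib_formprotection_InstallToolFormProtection`; since get() rejects anything failing `class_exists($className, TRUE)`, a caller following the documented examples would hit the InvalidArgumentException. Suggest replacing the names in the two `<pre>` examples and in the `$className` descriptions of get() and the setter with the real class names. The hunk only re-indents these lines; the bodies of get() and the setter continue outside it.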
t3lib/formprotection/class.t3lib_formprotection_installtoolformprotection.php (revision ) | ||
---|---|---|
<?php
|
||
/***************************************************************
|
||
* Copyright notice
|
||
*
|
||
* (c) 2010 Oliver Klee <typo3-coding@oliverklee.de>
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
* Copyright notice
|
||
*
|
||
* (c) 2010 Oliver Klee <typo3-coding@oliverklee.de>
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
/**
|
||
* Class t3lib_formprotection_InstallToolFormProtection.
|
||
... | ... | |
*
|
||
* <pre>
|
||
* $formToken = $this->formProtection->generateToken(
|
||
* 'installToolPassword', 'change'
|
||
* 'installToolPassword', 'change'
|
||
* );
|
||
* // then puts the generated form token in a hidden field in the template
|
||
* </pre>
|
||
... | ... | |
*
|
||
* <pre>
|
||
* if ($dataHasBeenSubmitted && $this->formProtection()->validateToken(
|
||
* (string) $_POST['formToken'],
|
||
* (string) $_POST['formToken'],
|
||
* 'installToolPassword',
|
||
* 'installToolPassword',
|
||
* 'change'
|
||
* 'change'
|
||
* ) {
|
||
* // processes the data
|
||
* // processes the data
|
||
* } else {
|
||
* // no need to do anything here as the install tool form protection will
|
||
* // no need to do anything here as the install tool form protection will
|
||
* // create an error message for an invalid token
|
||
* // create an error message for an invalid token
|
||
* }
|
||
* </pre>
|
||
*
|
||
... | ... | |
protected function createValidationErrorMessage() {
|
||
$this->installTool->addErrorMessage(
|
||
'Validating the security token of this form has failed. ' .
|
||
'Please reload the form and submit it again.'
|
||
'Please reload the form and submit it again.'
|
||
);
|
||
}
|
||
... | ... | |
* Retrieves all saved tokens.
|
||
*
|
||
* @return array<array>
|
||
* the saved tokens, will be empty if no tokens have been saved
|
||
* the saved tokens, will be empty if no tokens have been saved
|
||
*/
|
||
protected function retrieveTokens() {
|
||
if (isset($_SESSION['installToolFormTokens'])
|