Bug #88094
closed
Opening inline elements fails
100%
Description
Opening inline elements fails with error `1489751363: Hash does not validate` when sorting of numeric array keys is not ascending.
How to reproduce:
The following TCA is given:
$GLOBALS['TCA']['tx_foo']['columns']['image']['config'] = \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::getFileFieldTCAConfig(
    'image',
    [
        'overrideChildTca' => [
            // FILETYPE_IMAGE (2) is listed before FILETYPE_UNKNOWN (0), so the keys are not ascending
            'types' => [
                \TYPO3\CMS\Core\Resource\File::FILETYPE_IMAGE => [
                    'showitem' => 'some_fields',
                ],
                \TYPO3\CMS\Core\Resource\File::FILETYPE_UNKNOWN => [
                    'showitem' => 'some_fields',
                ],
            ],
        ],
    ]
);
Good to know:
Value of \TYPO3\CMS\Core\Resource\File::FILETYPE_IMAGE is "2".
Value of \TYPO3\CMS\Core\Resource\File::FILETYPE_UNKNOWN is "0".
The JSON the server generates when rendering the inline element is:
{
    "config": {
        "overrideChildTca": {
            "types": {
                "2": {
                    "showitem": "some_fields"
                },
                "0": {
                    "showitem": "some_fields"
                }
            }
        }
    }
}
When you now try to expand the collapsed inline element you will get the error described above.
The browser (latest Chrome) sends the following JSON to the server:
{
    "config": {
        "overrideChildTca": {
            "types": {
                "0": {
                    "showitem": "some_fields"
                },
                "2": {
                    "showitem": "some_fields"
                }
            }
        }
    }
}
Now the ordering of the elements is ascending and the hmac comparison fails.
And yes, the solution is to rearrange the order of the elements in the TCA, but in my opinion that is not the way we should go.
Updated by filigivuji filigivuji over 5 years ago
- File issue88094-fix.diff added
- Complexity set to easy
The issue is that the "context" data (over which the hmac is computed) is sent to the browser as a JSON object, which the browser then encodes again using JSON.stringify() when making an AJAX call. However, JavaScript's JSON.stringify does not guarantee to return the same string as PHP's json_encode, e.g. because JSON objects do not have a defined order[0].
The fix is to pass the "context" as a string and not as a JSON object. I've created and attached a patch based on TYPO3 9.5.7 which implements this and fixes this issue in my tests. (I cannot log in to review.typo3.org, so I can't create a change in Gerrit.)
I had this issue with the Gridelements extension, which had a "columns" key (so alphabetic and not numeric) in the "overrideChildTca" object when adding an image to a Gridelements content element.
TYPO3 generated this context JSON (beautified for better readability):
{
    "type": "inline",
    ...
    "overrideChildTca": {
        "0": {
            "showitem": "--palette--;LLL:EXT:lang\/locallang_tca.xlf:sys_file_reference.imageoverlayPalette;imageoverlayPalette, --palette--;;filePalette"
        },
        ...
        "columns": {
            "uid_local": {
                "config": {
                    "appearance": {
                        "elementBrowserType": "file",
                        "elementBrowserAllowed": ""
                    }
                }
            }
        },
    },
    ...
}
However, the JavaScript used the following in its AJAX call in Chromium (via JSON.stringify):
{
    "type": "inline",
    ...
    "overrideChildTca": {
        "columns": {
            "uid_local": {
                "config": {
                    "appearance": {
                        "elementBrowserType": "file",
                        "elementBrowserAllowed": ""
                    }
                }
            }
        },
        "0": {
            "showitem": "--palette--;LLL:EXT:lang\/locallang_tca.xlf:sys_file_reference.imageoverlayPalette;imageoverlayPalette, --palette--;;filePalette"
        },
        ...
    },
    ...
}
Note that even if all keys were numeric, one cannot rely on JSON.stringify to order the object keys numerically. That's why in my patch I just pass around the context as a string.
[0]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify "Properties of non-array objects are not guaranteed to be stringified in any particular order. Do not rely on ordering of properties within the same object within the stringification."
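The mismatch discussed in this comment, as an added example that is not part of the issue or the attached patch: a MAC computed over serialized JSON only verifies if the client returns the same bytes, and re-serializing a parsed object changes them, while passing the context as an opaque string does not. The key, the function names, both sample contexts and the choice of HMAC-SHA256 are assumptions made for the illustration.

```javascript
// Added example for Node.js. KEY, the function names and both sample contexts
// are constructed for illustration; HMAC-SHA256 is an assumption, not TYPO3's code.
const { createHmac, timingSafeEqual } = require('node:crypto');

const KEY = 'constructed-demo-key'; // stands in for the server-side secret

// Server: the MAC covers the exact bytes of the serialized context.
function sign(serialized) {
  return createHmac('sha256', KEY).update(serialized, 'utf8').digest();
}

// Server: constant-time comparison of the MAC sent back by the client.
function verify(serialized, macHex) {
  const given = Buffer.from(macHex, 'hex');
  const expected = sign(serialized);
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Failing flow: the client holds the context as an object and re-serializes it.
function roundTripAsObject(serverJson) {
  return JSON.stringify(JSON.parse(serverJson));
}

// Fixed flow: the context is nested as a string, so it comes back byte for byte.
function roundTripAsString(serverJson) {
  const response = JSON.stringify({ context: serverJson });
  return JSON.parse(response).context;
}

// Runs both flows against a MAC computed over the server's original string.
function check(serverJson) {
  const macHex = sign(serverJson).toString('hex');
  return {
    asObject: verify(roundTripAsObject(serverJson), macHex),
    asString: verify(roundTripAsString(serverJson), macHex),
  };
}

// Constructed samples shaped like PHP json_encode output:
// key "2" emitted before key "0", as in the report ...
const KEY_ORDER = '{"types":{"2":{"showitem":"some_fields"},"0":{"showitem":"some_fields"}}}';
// ... and "/" escaped as "\/", which JSON.stringify never does.
const SLASHES = String.raw`{"showitem":"LLL:EXT:lang\/locallang_tca.xlf"}`;

console.log(roundTripAsObject(KEY_ORDER)); // integer-like keys now ascending
console.log(check(KEY_ORDER), check(SLASHES));
```

The second sample shows that key order is not the only divergence: escaping differences between the two encoders break the MAC as well, which is another reason to treat the signed context as an opaque string.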
Updated by Gerrit Code Review over 5 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/61042
Updated by Gerrit Code Review over 5 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/61042
Updated by Benni Mack over 4 years ago
- Status changed from Under Review to Needs Feedback
Updated by Benni Mack over 4 years ago
- Status changed from Needs Feedback to Accepted
Updated by Gerrit Code Review over 4 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63808
Updated by Gerrit Code Review over 4 years ago
Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63786
Updated by Gerrit Code Review over 4 years ago
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63825
Updated by Andreas Fernandez over 4 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 0f1281410f62bdf94c78736ea4e41ca2618fab44.
Updated by Andreas Kienast over 4 years ago
- Related to Bug #91217: hmac-error due to different sorting in config added