Bug #91217

hmac-error due to different sorting in config

Added by David Bruchmann 7 months ago. Updated 7 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Backend User Interface
Target version: -
Start date: 2020-04-28
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 9
PHP Version: 7.2
Tags: hmac, hash, backend, ajax
Complexity: easy
Is Regression:
Sprint Focus:

Description

I have a case where I have the same array-keys and the same values but different sorting in the config-array.
The original array is this:


"config":{
      ....
      "appearance":{
            ....
            "enabledControls":{
                "info":true,
                "new":true,
                "dragdrop":true,
                "sort":true,
                "hide":true,
                "delete":true,
                "localize":true,
                "0":"info",
                "1":"new",
                "2":"dragdrop",
                "3":"sort",
                "4":"hide",
                "5":"delete",
                "6":"localize" 
            }
            ....
      }
      ....
}

and after the ajax-call on server-side it's sorted like this:


"config":{
      ....
      "appearance":{
            ....
            "enabledControls":{
                "0":"info",
                "1":"new",
                "2":"dragdrop",
                "3":"sort",
                "4":"hide",
                "5":"delete",
                "6":"localize",
                "info":true,
                "new":true,
                "dragdrop":true,
                "sort":true,
                "hide":true,
                "delete":true,
                "localize":true
            }
            ....
      }
      ....
}

Therefore the hash-comparison fails and the form can't be used.

Attached extension adds a field in table news for content-elements. It can be found in tab "Extra". Clicking on one of both buttons is triggering the error.
Changing the method TYPO3\CMS\Backend\Form\Container\InlineControlContainer::render()
from:

        $this->inlineData['config'][$nameObject] = [
            'table' => $foreign_table,
            'md5' => md5($nameObject)
        ];
        $this->inlineData['config'][$nameObject . '-' . $foreign_table] = [
            'min' => $config['minitems'],
            'max' => $config['maxitems'],
            'sortable' => $config['appearance']['useSortable'],
            'top' => [
                'table' => $top['table'],
                'uid' => $top['uid']
            ],
            'context' => [
                'config' => $config,
                'hmac' => GeneralUtility::hmac(json_encode($config), 'InlineContext'),
            ],
        ];

to this:

        $this->inlineData['config'][$nameObject] = [
            'table' => $foreign_table,
            'md5' => md5($nameObject)
        ];
        $configAltered = $config;
        if (isset($configAltered['appearance']['enabledControls'])) {
            $enabledControls = $configAltered['appearance']['enabledControls'];
            $tmpIntVals = [];
            $tmpStrVals = [];
            foreach ($enabledControls as $key => $enabledControl) {
                if (MathUtility::canBeInterpretedAsInteger($key)) {
                    $tmpIntVals[$key] = $enabledControl;
                } else {
                    $tmpStrVals[$key] = $enabledControl;
                }
            }
            $configAltered['appearance']['enabledControls'] = array_merge($tmpIntVals, $tmpStrVals);
        }
        $this->inlineData['config'][$nameObject . '-' . $foreign_table] = [
            'min' => $configAltered['minitems'],
            'max' => $configAltered['maxitems'],
            'sortable' => $configAltered['appearance']['useSortable'],
            'top' => [
                'table' => $top['table'],
                'uid' => $top['uid']
            ],
            'context' => [
                'config' => $configAltered,
                'hmac' => GeneralUtility::hmac(json_encode($configAltered), 'InlineContext'),
            ],
        ];

... is sorting the concerned array in advance and the hashes are the same on client and server.
The code is neither nice, nor does it take other array-parts into consideration, as I primarily wanted to test if the calculated hashes are the same then.
Nevertheless together with the extension the fault can be reproduced and the code can serve as base for a solution.

BTW: the field in the extension is bidirectional and shows IRRE-functionality combined with select-dropdown.


Files

wdb_news_snapin.zip (66.4 KB) - Extension to reproduce hmac-error - David Bruchmann, 2020-04-28 02:59

Related issues

Related to TYPO3 Core - Bug #88094: Opening inline elements fails (Closed, 2019-04-05)
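
The failure mode in the description, as an added example (not TYPO3 core code and not part of the original report): a MAC computed over a raw JSON serialization stops verifying once the keys are reordered, while a MAC over a key-sorted canonical form survives. It assumes the reordering comes from a round trip through a JavaScript object, where integer-like keys are enumerated first; the key, the trimmed sample data, HMAC-SHA256 and all function names are constructed stand-ins, not GeneralUtility::hmac.

```javascript
// Added example, not TYPO3 core code. KEY and the sample JSON are constructed.
const { createHmac, timingSafeEqual } = require('crypto');

const KEY = 'constructed-demo-key';
// String keys first, integer-like keys last, as in the original config above.
const ORIGINAL_JSON =
  '{"enabledControls":{"info":true,"new":true,"0":"info","1":"new"}}';

const hmacHex = (msg) => createHmac('sha256', KEY).update(msg).digest('hex');

// Constant-time comparison of two hex-encoded MACs.
function macEquals(a, b) {
  const x = Buffer.from(a, 'hex');
  const y = Buffer.from(b, 'hex');
  return x.length === y.length && timingSafeEqual(x, y);
}

// What a JavaScript client does implicitly: parse, then serialize again.
// Integer-like keys are enumerated first, so the byte string changes.
const roundTrip = (json) => JSON.stringify(JSON.parse(json));

// Serialize with object keys sorted at every level, so the bytes depend only
// on the data and not on insertion order or engine enumeration order.
function canonicalJson(value) {
  if (Array.isArray(value)) {
    return '[' + value.map(canonicalJson).join(',') + ']';
  }
  if (value !== null && typeof value === 'object') {
    const members = Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalJson(value[k]));
    return '{' + members.join(',') + '}';
  }
  return JSON.stringify(value);
}

// MAC over the raw serialization: breaks as soon as the keys are reordered.
function naiveVerify(receivedJson, mac) {
  return macEquals(hmacHex(receivedJson), mac);
}

// MAC over the canonical form: issuer and verifier must both use canonicalJson.
const canonicalMac = (json) => hmacHex(canonicalJson(JSON.parse(json)));
function canonicalVerify(receivedJson, mac) {
  return macEquals(canonicalMac(receivedJson), mac);
}
```

The canonical variant only helps if the issuing side computes its MAC over exactly the same canonical bytes; a changed value still fails verification.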

#1

Updated by David Bruchmann 7 months ago

  • Description updated (diff)
#2

Updated by David Bruchmann 7 months ago

Question is if the values with integer-keys are redundant and could be removed completely?

If the integer-keys are NOT regarded as redundant, another question is if the array had to be sorted each time before creating or comparing the hashes.
In my case the sorting worked; the question is if it's sorted the same way on every system.

As Operating System I used Windows 10 to discover and fix the bug.

#3

Updated by Andreas Fernandez 7 months ago

Could be related to #88094

#4

Updated by Andreas Fernandez 7 months ago

  • Related to Bug #88094: Opening inline elements fails added
#5

Updated by Andreas Fernandez 7 months ago

Well, your TCA is not written as documented here: https://docs.typo3.org/m/typo3/reference-tca/master/en-us/ColumnsConfig/Type/Inline.html

enabledControls (array)
Associative array with the keys ‘info’, ‘new’, ‘dragdrop’, ‘sort’, ‘hide’, ‘delete’, ‘localize’. If the accordant values are set to a boolean value (true or false), the control is shown or hidden in the header of each record.
#6

Updated by Gerrit Code Review 7 months ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64334

#7

Updated by Gerrit Code Review 7 months ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64334

#8

Updated by Andreas Fernandez 7 months ago

  • Status changed from Under Review to Needs Feedback

Can you please tell us which TYPO3 version you are using exactly? The related issue #88094 should solve your issue and is included in 9.5.15.

#9

Updated by David Bruchmann 7 months ago

Andreas Otto †, thanks a lot about the hint concerning the new TYPO3 Version on Snap.
I updated to 9.5.16 and it's working well.

The issue can be closed.

#10

Updated by Riccardo De Contardi 7 months ago

  • Status changed from Needs Feedback to Closed

@David Bruchmann thank you for your reply, closing it.

If you think that this is the wrong decision or experience the issue again, please reopen it or ping me on Slack and I'll do.

Thank you
