[TASK] Switch to json_encode/json_decode for Extbase arguments

Extbase argument mapping and request building can be optimized
by using json_encode instead of serialize which is a bit more
"space-saving".

Besides that information in [__referrer][arguments] is dropped
which was supposed to have happened in TYPO3 v8 already.

Resolves: #88682
Releases: master
Change-Id: Ifbb4192803378b1c1984405bdca04c282b8f4335
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61223


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Alexander Schnitzler <review.typo3.org@alexanderschnitzler.de>
Tested-by: Johannes Seipelt <johannes.seipelt@3m5.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Alexander Schnitzler <review.typo3.org@alexanderschnitzler.de>
Reviewed-by: Johannes Seipelt <johannes.seipelt@3m5.de>

typo3/sysext/extbase/Classes/Mvc/Controller/MvcPropertyMappingConfigurationService.php

@@ -107,7 +107,7 @@ class MvcPropertyMappingConfigurationService implements \TYPO3\CMS\Core\Singleto
      */
     protected function serializeAndHashFormFieldArray(array $formFieldArray)
     {
-        $serializedFormFieldArray = serialize($formFieldArray);
+        $serializedFormFieldArray = json_encode($formFieldArray);
         return $this->hashService->appendHmac($serializedFormFieldArray);
     }
 
@@ -126,7 +126,7 @@ class MvcPropertyMappingConfigurationService implements \TYPO3\CMS\Core\Singleto
         }
 
         $serializedTrustedProperties = $this->hashService->validateAndStripHmac($trustedPropertiesToken);
-        $trustedProperties = unserialize($serializedTrustedProperties);
+        $trustedProperties = json_decode($serializedTrustedProperties, true);
         foreach ($trustedProperties as $propertyName => $propertyConfiguration) {
             if (!$controllerArguments->hasArgument($propertyName)) {
                 continue;

typo3/sysext/extbase/Classes/Mvc/Web/Request.php

@@ -187,12 +187,8 @@ class Request extends \TYPO3\CMS\Extbase\Mvc\Request
     public function getReferringRequest()
     {
         if (isset($this->internalArguments['__referrer']['@request'])) {
-            $referrerArray = unserialize($this->hashService->validateAndStripHmac($this->internalArguments['__referrer']['@request']));
+            $referrerArray = json_decode($this->hashService->validateAndStripHmac($this->internalArguments['__referrer']['@request']), true);
             $arguments = [];
-            if (isset($this->internalArguments['__referrer']['arguments'])) {
-                // This case is kept for compatibility in 7.6 and 6.2, but will be removed in 8
-                $arguments = unserialize(base64_decode($this->hashService->validateAndStripHmac($this->internalArguments['__referrer']['arguments'])));
-            }
             // todo: Creating a referring request object here with a new statement is strange.
             // todo: As request objects have inject methods and are still meant to be created via object manager,
             // todo: this creates a partly non functional object. This is ok here as only the arguments matter, but

typo3/sysext/extbase/Tests/Functional/Mvc/Validation/ActionControllerValidationTest.php

@@ -80,7 +80,7 @@ class ActionControllerValidationTest extends FunctionalTestCase
         $referrerRequest['@action'] = 'testForm';
         $request->setArgument(
             '__referrer',
-            ['@request' => $this->getHashService()->appendHmac(serialize($referrerRequest))]
+            ['@request' => $this->getHashService()->appendHmac(json_encode($referrerRequest))]
         );
 
         while (!$request->isDispatched()) {
@@ -143,7 +143,7 @@ class ActionControllerValidationTest extends FunctionalTestCase
         $referrerRequest['@action'] = 'testForm';
         $request->setArgument(
             '__referrer',
-            ['@request' => $this->getHashService()->appendHmac(serialize($referrerRequest))]
+            ['@request' => $this->getHashService()->appendHmac(json_encode($referrerRequest))]
         );
 
         while (!$request->isDispatched()) {

typo3/sysext/extbase/Tests/Unit/Mvc/Controller/MvcPropertyMappingConfigurationServiceTest.php

@@ -159,14 +159,14 @@ class MvcPropertyMappingConfigurationServiceTest extends UnitTestCase
         $hashService = $this->getMockBuilder($this->buildAccessibleProxy(\TYPO3\CMS\Extbase\Mvc\Controller\MvcPropertyMappingConfigurationService::class))
             ->setMethods(['appendHmac'])
             ->getMock();
-        $hashService->expects($this->once())->method('appendHmac')->with(serialize($formFieldArray))->will($this->returnValue(serialize($formFieldArray) . $mockHash));
+        $hashService->expects($this->once())->method('appendHmac')->with(json_encode($formFieldArray))->will($this->returnValue(json_encode($formFieldArray) . $mockHash));
 
         $requestHashService = $this->getMockBuilder($this->buildAccessibleProxy(\TYPO3\CMS\Extbase\Mvc\Controller\MvcPropertyMappingConfigurationService::class))
             ->setMethods(['dummy'])
             ->getMock();
         $requestHashService->_set('hashService', $hashService);
 
-        $expected = serialize($formFieldArray) . $mockHash;
+        $expected = json_encode($formFieldArray) . $mockHash;
         $actual = $requestHashService->_call('serializeAndHashFormFieldArray', $formFieldArray);
         $this->assertEquals($expected, $actual);
     }
@@ -302,7 +302,7 @@ class MvcPropertyMappingConfigurationServiceTest extends UnitTestCase
         $mockHashService = $this->getMockBuilder(\TYPO3\CMS\Extbase\Security\Cryptography\HashService::class)
             ->setMethods(['validateAndStripHmac'])
             ->getMock();
-        $mockHashService->expects($this->once())->method('validateAndStripHmac')->with('fooTrustedProperties')->will($this->returnValue(serialize($trustedProperties)));
+        $mockHashService->expects($this->once())->method('validateAndStripHmac')->with('fooTrustedProperties')->will($this->returnValue(json_encode($trustedProperties)));
 
         $requestHashService = $this->getAccessibleMock(\TYPO3\CMS\Extbase\Mvc\Controller\MvcPropertyMappingConfigurationService::class, ['dummy']);
         $requestHashService->_set('hashService', $mockHashService);

typo3/sysext/fluid/Classes/ViewHelpers/FormViewHelper.php

@@ -268,8 +268,7 @@ class FormViewHelper extends \TYPO3\CMS\Fluid\ViewHelpers\Form\AbstractFormViewH
         $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[@extension]') . '" value="' . $extensionName . '" />' . LF;
         $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[@controller]') . '" value="' . $controllerName . '" />' . LF;
         $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[@action]') . '" value="' . $actionName . '" />' . LF;
-        $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[arguments]') . '" value="' . htmlspecialchars($this->hashService->appendHmac(base64_encode(serialize($request->getArguments())))) . '" />' . LF;
-        $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[@request]') . '" value="' . htmlspecialchars($this->hashService->appendHmac(serialize($actionRequest))) . '" />' . LF;
+        $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[@request]') . '" value="' . htmlspecialchars($this->hashService->appendHmac(json_encode($actionRequest))) . '" />' . LF;
 
         return $result;
     }

typo3/sysext/fluid/Tests/Unit/ViewHelpers/FormViewHelperTest.php

@@ -258,7 +258,6 @@ class FormViewHelperTest extends ViewHelperBaseTestcase
         $expectedResult =  \chr(10) . '<input type="hidden" name="__referrer[@extension]" value="extensionName" />'
             . \chr(10) . '<input type="hidden" name="__referrer[@controller]" value="controllerName" />'
             . \chr(10) . '<input type="hidden" name="__referrer[@action]" value="controllerActionName" />'
-            . \chr(10) . '<input type="hidden" name="__referrer[arguments]" value="" />'
             . \chr(10) . '<input type="hidden" name="__referrer[@request]" value="" />' . \chr(10);
         $viewHelper->_set('tag', $this->tagBuilder);
         $this->assertEquals($expectedResult, $hiddenFields);