From 3f29e19f683e33b71f8af983aac04860a3124674 Mon Sep 17 00:00:00 2001
From: Oliver Hader <oliver@typo3.org>
Date: Wed, 3 Jun 2020 13:22:18 +0200
Subject: [PATCH] [TASK] Define callable controller actions

Several custom controller implementations allow calling arbitrary internal
*Action methods. In order to avoid unintended behavior and to
streamline the application flow, the set of callable actions is
now defined explicitly.

ManagementController just had one possible action method and has been
simplified in this regard.

Resolves: #91564
Releases: master, 10.4, 9.5
Change-Id: I9092088ba66504562b42c522883c022955fa6f36
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64667
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
---
 .../sysext/backend/Classes/Controller/HelpController.php | 6 ++++++
 .../Classes/Controller/SiteConfigurationController.php   | 8 ++++++++
 .../Classes/Controller/ManagementController.php          | 9 ++-------
 3 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/typo3/sysext/backend/Classes/Controller/HelpController.php b/typo3/sysext/backend/Classes/Controller/HelpController.php
index 78b57cb998ae..1c9683ff33c7 100644
--- a/typo3/sysext/backend/Classes/Controller/HelpController.php
+++ b/typo3/sysext/backend/Classes/Controller/HelpController.php
@@ -38,6 +38,8 @@ use TYPO3Fluid\Fluid\View\ViewInterface;
  */
 class HelpController
 {
+    protected const ALLOWED_ACTIONS = ['index', 'all', 'detail'];
+
     /**
      * Section identifiers
      */
@@ -96,6 +98,10 @@ class HelpController
             }
         }
 
+        if (!in_array($action, self::ALLOWED_ACTIONS, true)) {
+            return new HtmlResponse('Action not allowed', 400);
+        }
+
         $this->initializeView($action);
 
         $result = call_user_func_array([$this, $action . 'Action'], [$request]);
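Review bot: The allowlist check is placed after the block that ends on the two context lines above it, so any use of `$action` in that preceding code (outside the hunk, presumably the section/table handling) still runs for an unvalidated value before the 400 is returned; if that code branches on `$action`, the check should move up to directly after `$action` is read, as the SiteConfigurationController hunk does. Since `$action` is now guaranteed to be one of three known names, the dynamic `call_user_func_array([$this, $action . 'Action'], [$request])` could become the plain `$this->{$action . 'Action'}($request)` for readability. The enclosing method starts outside the hunk, so the point about earlier use of `$action` is inferred, not verified.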
diff --git a/typo3/sysext/backend/Classes/Controller/SiteConfigurationController.php b/typo3/sysext/backend/Classes/Controller/SiteConfigurationController.php
index adcecdfafca2..04d76fcbea26 100644
--- a/typo3/sysext/backend/Classes/Controller/SiteConfigurationController.php
+++ b/typo3/sysext/backend/Classes/Controller/SiteConfigurationController.php
@@ -59,6 +59,8 @@ use TYPO3Fluid\Fluid\View\ViewInterface;
  */
 class SiteConfigurationController
 {
+    protected const ALLOWED_ACTIONS = ['overview', 'edit', 'save', 'delete'];
+
     /**
      * @var ModuleTemplate
      */
@@ -97,7 +99,13 @@ class SiteConfigurationController
         $this->moduleTemplate->getPageRenderer()->loadRequireJsModule('TYPO3/CMS/Backend/ContextMenu');
         $this->moduleTemplate->getPageRenderer()->loadRequireJsModule('TYPO3/CMS/Backend/Modal');
         $action = $request->getQueryParams()['action'] ?? $request->getParsedBody()['action'] ?? 'overview';
+
+        if (!in_array($action, self::ALLOWED_ACTIONS, true)) {
+            return new HtmlResponse('Action not allowed', 400);
+        }
+
         $this->initializeView($action);
+
         $result = call_user_func_array([$this, $action . 'Action'], [$request]);
         if ($result instanceof ResponseInterface) {
             return $result;
diff --git a/typo3/sysext/redirects/Classes/Controller/ManagementController.php b/typo3/sysext/redirects/Classes/Controller/ManagementController.php
index fcfa1e7d243f..3d47fc7d90d0 100644
--- a/typo3/sysext/redirects/Classes/Controller/ManagementController.php
+++ b/typo3/sysext/redirects/Classes/Controller/ManagementController.php
@@ -83,13 +83,8 @@ class ManagementController
     public function handleRequest(ServerRequestInterface $request): ResponseInterface
     {
         $this->request = $request;
-        $action = $request->getQueryParams()['action'] ?? $request->getParsedBody()['action'] ?? 'overview';
-        $this->initializeView($action);
-
-        $result = $this->{$action . 'Action'}($request);
-        if ($result instanceof ResponseInterface) {
-            return $result;
-        }
+        $this->initializeView('overview');
+        $this->overviewAction($request);
         $this->moduleTemplate->setContent($this->view->render());
         return new HtmlResponse($this->moduleTemplate->renderContent());
     }
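Review bot: The return value of `overviewAction($request)` is now discarded, whereas the removed lines returned it when it was a `ResponseInterface`; if `overviewAction` (outside the hunk) can ever return a response, e.g. a redirect, that response is silently dropped and the module template is rendered instead. If that is possible, keep the guard: `$result = $this->overviewAction($request);` / `if ($result instanceof ResponseInterface) { return $result; }`; if `overviewAction` is `void`, a short comment saying the controller has a single action and ignores `action` parameters would explain why this controller differs from the two that return 400. Note that unlike HelpController and SiteConfigurationController, a request carrying an unknown `action` here now falls through to overview rather than being rejected, which may be intended but is worth stating in the method docblock.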
-- 
GitLab