[BUGFIX] Properly escalate if a form HMAC fails to decode

If a HMAC cannot be `json_decode`d (possibly due to old saved pages or other outdated content), now a proper exception is thrown instead of issuing a PHP warning. Resolves: #97337 Releases: main, 12.4, 11.5 Change-Id: I12f5633a85508bf4099d72e474c24b5a0100498c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78002 Reviewed-by: Torben Hansen <derhansen@gmail.com> Tested-by: Garvin Hicking <gh@faktor-e.de> Reviewed-by: Garvin Hicking <gh@faktor-e.de> Tested-by: core-ci <typo3@b13.com> Reviewed-by: Benjamin Franzke <ben@bnf.dev> Tested-by: Torben Hansen <derhansen@gmail.com> Tested-by: Benjamin Franzke <ben@bnf.dev>

[BUGFIX] Properly escalate if a form HMAC fails to decode
If a HMAC cannot be `json_decode`d (possibly due to old saved pages or other outdated content), now a proper exception is thrown instead of issuing a PHP warning. Resolves: #97337 Releases: main, 12.4, 11.5 Change-Id: I12f5633a85508bf4099d72e474c24b5a0100498c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78002 Reviewed-by: Torben Hansen <derhansen@gmail.com> Tested-by: Garvin Hicking <gh@faktor-e.de> Reviewed-by: Garvin Hicking <gh@faktor-e.de> Tested-by: core-ci <typo3@b13.com> Reviewed-by: Benjamin Franzke <ben@bnf.dev> Tested-by: Torben Hansen <derhansen@gmail.com> Tested-by: Benjamin Franzke <ben@bnf.dev>
68c27e1c · Thomas Hohn · Benjamin Franzke · f0fb23c2 · 68c27e1c · 68c27e1c
Commit 68c27e1c authored 2 years ago by Thomas Hohn Committed by Benjamin Franzke 1 year ago
--- a/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
+++ b/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
@@ -47,6 +47,7 @@ abstract class AbstractExceptionHandler implements ExceptionHandlerInterface, Si
        1616175867, // Backend login request is rate limited
        1616175847, // Frontend login request is rate limited
        1436717275, // Request with unsupported HTTP method
+        1699604555, // Outdated __trustedProperties format in extbase property mapping
    ];

    public const IGNORED_HMAC_EXCEPTION_CODES = [

--- a/typo3/sysext/extbase/Classes/Mvc/Controller/MvcPropertyMappingConfigurationService.php
+++ b/typo3/sysext/extbase/Classes/Mvc/Controller/MvcPropertyMappingConfigurationService.php
@@ -143,6 +143,13 @@ class MvcPropertyMappingConfigurationService implements SingletonInterface
            throw new BadRequestException('The HMAC of the form could not be validated.', 1581862822);
        }
        $trustedProperties = json_decode($encodedTrustedProperties, true);
+        if (!is_array($trustedProperties)) {
+            if (str_starts_with($encodedTrustedProperties, 'a:')) {
+                throw new BadRequestException('Trusted properties used outdated serialization format instead json.', 1699604555);
+            }
+            throw new BadRequestException('The HMAC of the form could not be utilized.', 1691267306);
+        }
+
        foreach ($trustedProperties as $propertyName => $propertyConfiguration) {
            if (!$controllerArguments->hasArgument($propertyName)) {
                continue;

--- a/typo3/sysext/extbase/Tests/Unit/Mvc/Controller/MvcPropertyMappingConfigurationServiceTest.php
+++ b/typo3/sysext/extbase/Tests/Unit/Mvc/Controller/MvcPropertyMappingConfigurationServiceTest.php
@@ -206,6 +206,50 @@ final class MvcPropertyMappingConfigurationServiceTest extends UnitTestCase
        $requestHashService->initializePropertyMappingConfigurationFromRequest($extbaseRequest, $arguments);
    }

+    /**
+     * @test
+     */
+    public function initializePropertyMappingConfigurationWithNonDecodableTrustedPropertiesThrowsException(): void
+    {
+        $hashService = new HashService();
+        $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] = 'bar';
+        $extbaseAttribute = (new ExtbaseRequestParameters())->setArgument('__trustedProperties', 'garbage' . $hashService->generateHmac('garbage'));
+        $coreRequest = (new ServerRequest())->withAttribute('extbase', $extbaseAttribute);
+        $extbaseRequest = (new Request($coreRequest));
+
+        $arguments = new Arguments();
+        $requestHashService = new MvcPropertyMappingConfigurationService();
+        $requestHashService->injectHashService($hashService);
+
+        $this->expectException(BadRequestException::class);
+        $this->expectExceptionMessage('The HMAC of the form could not be utilized.');
+        $this->expectExceptionCode(1691267306);
+
+        $requestHashService->initializePropertyMappingConfigurationFromRequest($extbaseRequest, $arguments);
+    }
+
+    /**
+     * @test
+     */
+    public function initializePropertyMappingConfigurationWithOutdatedTrustedPropertiesThrowsException(): void
+    {
+        $hashService = new HashService();
+        $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] = 'bar';
+        $extbaseAttribute = (new ExtbaseRequestParameters())->setArgument('__trustedProperties', 'a:1:{s:3:"foo";s:3:"bar";}' . $hashService->generateHmac('a:1:{s:3:"foo";s:3:"bar";}'));
+        $coreRequest = (new ServerRequest())->withAttribute('extbase', $extbaseAttribute);
+        $extbaseRequest = (new Request($coreRequest));
+
+        $arguments = new Arguments();
+        $requestHashService = new MvcPropertyMappingConfigurationService();
+        $requestHashService->injectHashService($hashService);
+
+        $this->expectException(BadRequestException::class);
+        $this->expectExceptionMessage('Trusted properties used outdated serialization format instead json.');
+        $this->expectExceptionCode(1699604555);
+
+        $requestHashService->initializePropertyMappingConfigurationFromRequest($extbaseRequest, $arguments);
+    }
+
    /**
     * @test
     */