From 93b7b68a6097edca48bdc0b5b07ec4995715e364 Mon Sep 17 00:00:00 2001
From: Thomas Hohn <tho@gyldendal.dk>
Date: Tue, 10 Sep 2024 11:57:36 +0200
Subject: [PATCH] [BUGFIX] Undefined array key "contentSecurityPolicies"

If the 'contentSecurityPolicies' value is not filled properly
in the site configuration, the call to
$site->getConfiguration()['contentSecurityPolicies'] will fail.
The access should be guarded with a null coalescing operator.

Resolves: #104873
Releases: main, 12.4
Change-Id: Ie49a25d8ca9a194629c4a389b17b299091d44031
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/85977
Reviewed-by: Garvin Hicking <gh@faktor-e.de>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Garvin Hicking <gh@faktor-e.de>
Reviewed-by: Benni Mack <benni@typo3.org>
---
 .../Security/ContentSecurityPolicy/MutationRepository.php       | 2 +-
 .../Classes/Middleware/ContentSecurityPolicyHeaders.php         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/typo3/sysext/core/Classes/Security/ContentSecurityPolicy/MutationRepository.php b/typo3/sysext/core/Classes/Security/ContentSecurityPolicy/MutationRepository.php
index b48141b41d1a..c4b5da45bb74 100644
--- a/typo3/sysext/core/Classes/Security/ContentSecurityPolicy/MutationRepository.php
+++ b/typo3/sysext/core/Classes/Security/ContentSecurityPolicy/MutationRepository.php
@@ -114,7 +114,7 @@ final class MutationRepository
             $scopedTarget = $this->provideScopeInMap($scope, $this->resolvedMutations);
             // fetch site-specific `enforce` and/or `report` disposition configuration
             $dispositionMap = $this->dispositionMapFactory->buildDispositionMap(
-                $site->getConfiguration()['contentSecurityPolicies']
+                $site->getConfiguration()['contentSecurityPolicies'] ?? []
             );
             /**
              * @var Disposition $disposition
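Review bot: The `?? []` fallback in the `buildDispositionMap(...)` argument covers a missing or null `contentSecurityPolicies` key, but not a value of the wrong type, such as a scalar entered by mistake in the site configuration. If `buildDispositionMap()` declares an array parameter (its signature is not visible here), such a value would presumably still raise a TypeError. The same gap applies to the middleware hunk in ContentSecurityPolicyHeaders.php. A type guard closes it: `$policies = $site->getConfiguration()['contentSecurityPolicies'] ?? [];` and then pass `is_array($policies) ? $policies : []`. The enclosing method starts and ends outside this hunk.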
diff --git a/typo3/sysext/frontend/Classes/Middleware/ContentSecurityPolicyHeaders.php b/typo3/sysext/frontend/Classes/Middleware/ContentSecurityPolicyHeaders.php
index 329b3da7e229..609128da00a8 100644
--- a/typo3/sysext/frontend/Classes/Middleware/ContentSecurityPolicyHeaders.php
+++ b/typo3/sysext/frontend/Classes/Middleware/ContentSecurityPolicyHeaders.php
@@ -51,7 +51,7 @@ final readonly class ContentSecurityPolicyHeaders implements MiddlewareInterface
     {
         $site = $request->getAttribute('site');
         $dispositionMap = $this->dispositionMapFactory->buildDispositionMap(
-            $site instanceof Site ? $site->getConfiguration()['contentSecurityPolicies'] : []
+            $site instanceof Site ? ($site->getConfiguration()['contentSecurityPolicies'] ?? []) : []
         );
         // return early in case CSP shall not be used
         if ($dispositionMap->keys() === []) {
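Review bot: With the fallback, a Site whose configuration lacks `contentSecurityPolicies` now takes the same path as a request without a Site. Whether the early return below then skips the CSP headers depends on what `buildDispositionMap([])` yields, which this hunk does not show. A comment above the call would make the intent explicit, e.g. `// no site-level CSP configuration: fall back to [] (no site-specific dispositions)`. The diffstat lists only the two class files, so a functional test for a site without the key, asserting which CSP headers the response carries, would pin this behaviour. The method body starts and ends outside this hunk.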
-- 
GitLab