From b5ca2c1a6e162dae4c82fe524983680c2056ac65 Mon Sep 17 00:00:00 2001
From: Helmut Hummel <info@helhum.io>
Date: Fri, 2 Dec 2016 23:52:07 +0100
Subject: [PATCH] [TASK] Remove compatiblity code added for security release

Remove the overhead that was added to avoid BC breaks for
extension code that subclassed the form view helper.

Enough time has now passed for extensions to adapt their
subclasses so that the security-related hidden field is added as well.

These adaptations will then be compatible with all TYPO3 versions,
so this change is not marked as breaking.

Resolves: #78869
Releases: master
Change-Id: I910bc26cd57b7629e57332fdab3d57032f0c2478
Reviewed-on: https://review.typo3.org/50863
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
---
 .../Classes/ViewHelpers/FormViewHelper.php    | 67 +++----------------
 1 file changed, 8 insertions(+), 59 deletions(-)

diff --git a/typo3/sysext/fluid/Classes/ViewHelpers/FormViewHelper.php b/typo3/sysext/fluid/Classes/ViewHelpers/FormViewHelper.php
index 7d3abc3a1a94..e8db124390c8 100644
--- a/typo3/sysext/fluid/Classes/ViewHelpers/FormViewHelper.php
+++ b/typo3/sysext/fluid/Classes/ViewHelpers/FormViewHelper.php
@@ -158,7 +158,6 @@ class FormViewHelper extends \TYPO3\CMS\Fluid\ViewHelpers\Form\AbstractFormViewH
         $content .= $this->renderHiddenIdentityField($this->arguments['object'], $this->getFormObjectName());
         $content .= $this->renderAdditionalIdentityFields();
         $content .= $this->renderHiddenReferrerFields();
-        $content .= $this->renderHiddenSecuredReferrerField();
 
         // Render the trusted list of all properties after everything else has been rendered
         $content .= $this->renderTrustedPropertiesField();
@@ -171,7 +170,6 @@ class FormViewHelper extends \TYPO3\CMS\Fluid\ViewHelpers\Form\AbstractFormViewH
         $this->removeFormObjectNameFromViewHelperVariableContainer();
         $this->removeFormFieldNamesFromViewHelperVariableContainer();
         $this->removeCheckboxFieldNamesFromViewHelperVariableContainer();
-        $this->removeSecuredHiddenFieldsRenderedFromViewHelperVariableContainer();
         return $this->tag->render();
     }
 
@@ -243,46 +241,23 @@ class FormViewHelper extends \TYPO3\CMS\Fluid\ViewHelpers\Form\AbstractFormViewH
         $vendorName = $request->getControllerVendorName();
         $controllerName = $request->getControllerName();
         $actionName = $request->getControllerActionName();
+        $actionRequest = [
+            '@extension' => $extensionName,
+            '@controller' => $controllerName,
+            '@action' => $actionName,
+        ];
+
         $result = LF;
         $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[@extension]') . '" value="' . $extensionName . '" />' . LF;
         if ($vendorName !== null) {
             $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[@vendor]') . '" value="' . $vendorName . '" />' . LF;
+            $actionRequest['@vendor'] = $vendorName;
         }
         $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[@controller]') . '" value="' . $controllerName . '" />' . LF;
         $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[@action]') . '" value="' . $actionName . '" />' . LF;
         $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[arguments]') . '" value="' . htmlspecialchars($this->hashService->appendHmac(base64_encode(serialize($request->getArguments())))) . '" />' . LF;
-        $result .= $this->renderHiddenSecuredReferrerField();
-
-        return $result;
-    }
+        $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[@request]') . '" value="' . htmlspecialchars($this->hashService->appendHmac(serialize($actionRequest))) . '" />' . LF;
 
-    /**
-     * Renders hidden form field for secured referrer information about the current controller and action.
-     *
-     * This method is called twice, to deal with subclasses of this class in a most compatible way
-     *
-     * @return string Hidden field with secured referrer information
-     */
-    protected function renderHiddenSecuredReferrerField()
-    {
-        if ($this->hasSecuredHiddenFieldsRendered()) {
-            return '';
-        }
-        $request = $this->renderingContext->getControllerContext()->getRequest();
-        $extensionName = $request->getControllerExtensionName();
-        $vendorName = $request->getControllerVendorName();
-        $controllerName = $request->getControllerName();
-        $actionName = $request->getControllerActionName();
-        $actionRequest = [
-            '@extension' => $extensionName,
-            '@controller' => $controllerName,
-            '@action' => $actionName,
-        ];
-        if ($vendorName !== null) {
-            $actionRequest['@vendor'] = $vendorName;
-        }
-        $result = '<input type="hidden" name="' . $this->prefixFieldName('__referrer[@request]') . '" value="' . htmlspecialchars($this->hashService->appendHmac(serialize($actionRequest))) . '" />' . LF;
-        $this->addSecuredHiddenFieldsRenderedToViewHelperVariableContainer();
         return $result;
     }
 
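Review bot: With the fallback call removed from `render()`, the new `__referrer[@request]` line in `renderHiddenReferrerFields()` is the only place the HMAC-signed referrer is emitted, so a subclass that overrides this method without reproducing that line now renders a form carrying only the unsigned `@extension`/`@controller`/`@action` fields, and nothing in the class says so. The method's signature and docblock lie outside the hunk; I would add to that docblock something like `Subclasses overriding this method must also render the HMAC-signed __referrer[@request] field; render() no longer adds it.` Whether a request without that field is rejected or silently accepted depends on the receiving code, which is not visible here, so it is worth confirming that side fails closed. Separately, the unchanged context lines still concatenate `$extensionName`, `$vendorName`, `$controllerName` and `$actionName` into attribute values without `htmlspecialchars()`, unlike the new line, which escapes its value.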
@@ -398,32 +373,6 @@ class FormViewHelper extends \TYPO3\CMS\Fluid\ViewHelpers\Form\AbstractFormViewH
         }
     }
 
-    /**
-     * Adds flag to indicate the secured hidden fields have been rendered to the ViewHelperVariableContainer
-     */
-    protected function addSecuredHiddenFieldsRenderedToViewHelperVariableContainer()
-    {
-        $this->viewHelperVariableContainer->add(\TYPO3\CMS\Fluid\ViewHelpers\FormViewHelper::class, 'securedHiddenFieldsRendered', true);
-    }
-
-    /**
-     * Checks whether the secured hidden fields have been rendered
-     *
-     * @return bool
-     */
-    protected function hasSecuredHiddenFieldsRendered()
-    {
-        return $this->viewHelperVariableContainer->exists(\TYPO3\CMS\Fluid\ViewHelpers\FormViewHelper::class, 'securedHiddenFieldsRendered');
-    }
-
-    /**
-     * Removes flag to indicate the secured hidden fields have been rendered from the ViewHelperVariableContainer
-     */
-    protected function removeSecuredHiddenFieldsRenderedFromViewHelperVariableContainer()
-    {
-        $this->viewHelperVariableContainer->remove(\TYPO3\CMS\Fluid\ViewHelpers\FormViewHelper::class, 'securedHiddenFieldsRendered');
-    }
-
     /**
      * Render the request hash field
      *
-- 
GitLab