From c4b3d426636aecea8b1458d743d505b1074b448d Mon Sep 17 00:00:00 2001
From: Nicole Cordes <typo3@cordes.co>
Date: Tue, 7 Jun 2016 09:38:06 +0200
Subject: [PATCH] [TASK] Clean up DebuggerUtility

This patch cleans up the DebuggerUtility and fixes two issues:

* removes possible XSS
* makes it more readable

Resolves: #76478
Releases: master, 7.6, 6.2
Change-Id: If1a68489cd97521e90f8d76cc2810649f9642cd1
Reviewed-on: https://review.typo3.org/48472
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
---
 .../Classes/Utility/DebuggerUtility.php       | 136 ++++++++++--------
 1 file changed, 78 insertions(+), 58 deletions(-)

diff --git a/typo3/sysext/extbase/Classes/Utility/DebuggerUtility.php b/typo3/sysext/extbase/Classes/Utility/DebuggerUtility.php
index 2434fe1d87c5..d100e881258f 100644
--- a/typo3/sysext/extbase/Classes/Utility/DebuggerUtility.php
+++ b/typo3/sysext/extbase/Classes/Utility/DebuggerUtility.php
@@ -265,39 +265,41 @@ class DebuggerUtility
         } else {
             $dump .= '<span class="extbase-debug-type">' . $className . '</span>';
         }
-        if ($object instanceof \TYPO3\CMS\Core\SingletonInterface) {
-            $scope = 'singleton';
-        } else {
-            $scope = 'prototype';
-        }
-        if ($plainText) {
-            $dump .= ' ' . self::ansiEscapeWrap($scope, '44;37', $ansiColors);
-        } else {
-            $dump .= $scope ? '<span class="extbase-debug-scope">' . $scope . '</span>' : '';
-        }
-        if ($object instanceof \TYPO3\CMS\Extbase\DomainObject\AbstractDomainObject) {
-            if ($object->_isDirty()) {
+        if (! $object instanceof \Closure) {
+            if ($object instanceof \TYPO3\CMS\Core\SingletonInterface) {
+                $scope = 'singleton';
+            } else {
+                $scope = 'prototype';
+            }
+            if ($plainText) {
+                $dump .= ' ' . self::ansiEscapeWrap($scope, '44;37', $ansiColors);
+            } else {
+                $dump .= $scope ? '<span class="extbase-debug-scope">' . $scope . '</span>' : '';
+            }
+            if ($object instanceof \TYPO3\CMS\Extbase\DomainObject\AbstractDomainObject) {
+                if ($object->_isDirty()) {
+                    $persistenceType = 'modified';
+                } elseif ($object->_isNew()) {
+                    $persistenceType = 'transient';
+                } else {
+                    $persistenceType = 'persistent';
+                }
+            }
+            if ($object instanceof \TYPO3\CMS\Extbase\Persistence\ObjectStorage && $object->_isDirty()) {
                 $persistenceType = 'modified';
-            } elseif ($object->_isNew()) {
-                $persistenceType = 'transient';
+            }
+            if ($object instanceof \TYPO3\CMS\Extbase\DomainObject\AbstractEntity) {
+                $domainObjectType = 'entity';
+            } elseif ($object instanceof \TYPO3\CMS\Extbase\DomainObject\AbstractValueObject) {
+                $domainObjectType = 'valueobject';
             } else {
-                $persistenceType = 'persistent';
+                $domainObjectType = 'object';
+            }
+            if ($plainText) {
+                $dump .= ' ' . self::ansiEscapeWrap((($persistenceType ? $persistenceType . ' ' : '') . $domainObjectType), '42;30', $ansiColors);
+            } else {
+                $dump .= '<span class="extbase-debug-ptype">' . ($persistenceType ? $persistenceType . ' ' : '') . $domainObjectType . '</span>';
             }
-        }
-        if ($object instanceof \TYPO3\CMS\Extbase\Persistence\ObjectStorage && $object->_isDirty()) {
-            $persistenceType = 'modified';
-        }
-        if ($object instanceof \TYPO3\CMS\Extbase\DomainObject\AbstractEntity) {
-            $domainObjectType = 'entity';
-        } elseif ($object instanceof \TYPO3\CMS\Extbase\DomainObject\AbstractValueObject) {
-            $domainObjectType = 'valueobject';
-        } else {
-            $domainObjectType = 'object';
-        }
-        if ($plainText) {
-            $dump .= ' ' . self::ansiEscapeWrap((($persistenceType ? $persistenceType . ' ' : '') . $domainObjectType), '42;30', $ansiColors);
-        } else {
-            $dump .= '<span class="extbase-debug-ptype">' . ($persistenceType ? $persistenceType . ' ' : '') . $domainObjectType . '</span>';
         }
         if (strpos(implode('|', self::$blacklistedClassNames), get_class($object)) > 0) {
             if ($plainText) {
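Review bot: The HTML branch of the scope output keeps a dead ternary: `$scope` is assigned either `'singleton'` or `'prototype'` a few lines above, so `$scope ? ... : ''` can never take the empty branch and the line can simply be `$dump .= '<span class="extbase-debug-scope">' . $scope . '</span>';`. Further down, `$persistenceType` is only assigned inside the `AbstractDomainObject` and `ObjectStorage` checks but is read unconditionally when building the `extbase-debug-ptype` span, so unless it is initialised before this hunk (the enclosing method starts outside it) a plain object triggers an undefined-variable notice. The blacklist test on the context line `strpos(implode('|', self::$blacklistedClassNames), get_class($object)) > 0` is a substring match with `> 0`, which misses a class listed first (offset 0) and matches any class whose name is contained in a longer entry; `in_array(get_class($object), self::$blacklistedClassNames, true)` is the exact check.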
@@ -358,44 +360,57 @@ class DebuggerUtility
                 $reflectionFunction = new \ReflectionFunction($object);
                 $params = [];
                 foreach ($reflectionFunction->getParameters() as $parameter) {
-                    $s = '';
+                    $parameterDump = '';
                     if ($parameter->isArray()) {
-                        $s .= ($plainText ? '' : '<span class="extbase-debug-type">')
-                            . self::ansiEscapeWrap('array ', '36', $ansiColors)
-                            . ($plainText ? '' : '</span>');
-                    } else {
-                        if ($parameter->getClass()) {
-                            $s .= ($plainText ? '' : '<span class="extbase-debug-type">')
-                                . self::ansiEscapeWrap($parameter->getClass()->name . ' ', '36', $ansiColors)
-                                . ($plainText ? '' : '</span>');
+                        if ($plainText) {
+                            $parameterDump .= self::ansiEscapeWrap('array ', '36', $ansiColors);
+                        } else {
+                            $parameterDump .= '<span class="extbase-debug-type">array </span>';
+                        }
+                    } elseif ($parameter->getClass()) {
+                        if ($plainText) {
+                            $parameterDump .= self::ansiEscapeWrap($parameter->getClass()->name . ' ', '36', $ansiColors);
+                        } else {
+                            $parameterDump .= '<span class="extbase-debug-type">'
+                                . htmlspecialchars($parameter->getClass()->name) . '</span>';
                         }
                     }
                     if ($parameter->isPassedByReference()) {
-                        $s .= '&';
+                        $parameterDump .= '&';
+                    }
+                    if ($plainText) {
+                        $parameterDump .= self::ansiEscapeWrap('$' . $parameter->name, '37', $ansiColors);
+                    } else {
+                        $parameterDump .= '<span class="extbase-debug-property">'
+                            . htmlspecialchars('$' . $parameter->name) . '</span>';
                     }
-                    $s .= ($plainText ? '' : '<span class="extbase-debug-property">')
-                        . self::ansiEscapeWrap('$' . $parameter->name, '37', $ansiColors)
-                        . ($plainText ? '' : '</span>');
                     if ($parameter->isOptional()) {
-                        $s .= ' = ';
-                        $s .= ($plainText ? '' : '<span class="extbase-debug-string">')
-                        . self::ansiEscapeWrap(var_export($parameter->getDefaultValue(), true), '33', $ansiColors)
-                        . ($plainText ? '' : '</span>');
+                        $parameterDump .= ' = ';
+                        if ($plainText) {
+                            $parameterDump .= self::ansiEscapeWrap(var_export($parameter->getDefaultValue(), true), '33', $ansiColors);
+                        } else {
+                            $parameterDump .= '<span class="extbase-debug-string">'
+                                . htmlspecialchars(var_export($parameter->getDefaultValue(), true)) . '</span>';
+                         }
                     }
-                    $params[] = $s;
+                    $params[] = $parameterDump;
                 }
                 $dump .= implode(', ', $params);
-                $dump .= ($plainText ? '' : '<span class="extbase-debug-closure">')
-                    . self::ansiEscapeWrap(') {' . PHP_EOL, '33', $ansiColors)
-                    . ($plainText ? '' : '</span>');
+                if ($plainText) {
+                    $dump .= self::ansiEscapeWrap(') {' . PHP_EOL, '33', $ansiColors);
+                } else {
+                    $dump .= '<span class="extbase-debug-closure">) {' . PHP_EOL . '</span>';
+                }
                 $lines = file($reflectionFunction->getFileName());
                 for ($l = $reflectionFunction->getStartLine(); $l < $reflectionFunction->getEndLine() -1; ++$l) {
                     $dump .= $plainText ? $lines[$l] : htmlspecialchars($lines[$l]);
                 }
-                $dump .=
-                    str_repeat(self::PLAINTEXT_INDENT, $level)
-                    . ($plainText ? '' : '<span class="extbase-debug-closure">') . self::ansiEscapeWrap('}' . PHP_EOL, '33', $ansiColors)
-                    . ($plainText ? '' : '</span>');
+                $dump .= str_repeat(self::PLAINTEXT_INDENT, $level);
+                if ($plainText) {
+                    $dump .= self::ansiEscapeWrap('}' . PHP_EOL, '33', $ansiColors);
+                } else {
+                    $dump .= '<span class="extbase-debug-closure">}</span>';
+                }
             } else {
                 if (get_class($object) === 'stdClass') {
                     $objReflection = new \ReflectionObject($object);
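Review bot: The HTML branch for a class-typed parameter drops the separating space that both the removed code and the plain-text branch keep, so the dump now reads `FooClass$param` instead of `FooClass $param`; the line should be `. htmlspecialchars($parameter->getClass()->name) . ' </span>'`. Since the patch is about emitting correct HTML, the by-reference marker should be context-aware too: `$parameterDump .= $plainText ? '&' : '&amp;';`, as a bare `&` is not valid in HTML text. The closing brace of the closure loses its `PHP_EOL` in HTML mode while the opening `) {` span and the plain-text branch keep it; if that is not deliberate, `'<span class="extbase-debug-closure">}' . PHP_EOL . '</span>'` restores the previous line structure. The closing brace of the `isOptional` block is indented one column too far. The enclosing method begins and ends outside this hunk.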
@@ -408,9 +423,14 @@ class DebuggerUtility
                     if (self::isBlacklisted($property)) {
                         continue;
                     }
-                    $dump .= PHP_EOL . str_repeat(self::PLAINTEXT_INDENT,
-                            $level) . ($plainText ? '' : '<span class="extbase-debug-property">') . self::ansiEscapeWrap($property->getName(),
-                            '37', $ansiColors) . ($plainText ? '' : '</span>') . ' => ';
+                    $dump .= PHP_EOL . str_repeat(self::PLAINTEXT_INDENT, $level);
+                    if ($plainText) {
+                        $dump .= self::ansiEscapeWrap($property->getName(), '37', $ansiColors);
+                    } else {
+                        $dump .= '<span class="extbase-debug-property">'
+                            . htmlspecialchars($property->getName()) . '</span>';
+                    }
+                    $dump .= ' => ';
                     $property->setAccessible(true);
                     $visibility = ($property->isProtected() ? 'protected' : ($property->isPrivate() ? 'private' : 'public'));
                     if ($plainText) {
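Review bot: `htmlspecialchars($property->getName())` is called with the default flags, so a property name that is not valid UTF-8 makes it return an empty string and the dump silently shows ` => ` with no name; for `stdClass` instances (handled via `ReflectionObject` earlier in the method) property names can be arbitrary decoded keys, so this is reachable. Pass the flags and charset explicitly, `. htmlspecialchars($property->getName(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</span>'`, and do the same for the other `htmlspecialchars` calls this patch introduces so invalid input is substituted rather than dropped. The surrounding property loop starts and ends outside this hunk.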
-- 
GitLab