1 <?php
2 namespace TYPO3\CMS\Core\FormProtection;
3
4 /***************************************************************
5 * Copyright notice
6 *
7 * (c) 2010-2013 Oliver Klee <typo3-coding@oliverklee.de>
8 * All rights reserved
9 *
10 * This script is part of the TYPO3 project. The TYPO3 project is
11 * free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * The GNU General Public License can be found at
17 * http://www.gnu.org/copyleft/gpl.html.
18 *
19 * This script is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
23 *
24 * This copyright notice MUST APPEAR in all copies of the script!
25 ***************************************************************/
26
27 /**
28 * This class provides protection against cross-site request forgery (XSRF/CSRF)
29 * in the install tool.
30 *
31 *
32 * How to use this in the install tool:
33 *
 * For each form in the install tool (or link that changes some data), create a
 * token and insert it as a hidden form element. The name of the form element
 * does not matter; you only need it to get the form token for verifying it.
 * Prefer hidden fields in POST forms over links: a token carried in a URL can
 * leak through Referer headers or server logs.
37 *
38 * <pre>
39 * $formToken = $this->formProtection->generateToken(
40 * 'installToolPassword', 'change'
41 * );
42 * then puts the generated form token in a hidden field in the template
43 * </pre>
44 *
 * The three parameters $formName, $action and $formInstanceName can be
 * arbitrary strings, but they should make the form token as specific as
 * possible, so that a token issued for one form cannot be replayed against
 * another. For different forms (e.g. the password change and editing the
 * configuration), those values should be different.
49 *
50 * When processing the data that has been submitted by the form, you can check
51 * that the form token is valid like this:
52 *
53 * <pre>
 * if ($dataHasBeenSubmitted && $this->formProtection->validateToken(
 *     $_POST['formToken'],
 *     'installToolPassword',
 *     'change'
 * )) {
59 * processes the data
60 * } else {
 * do not process the data; the install tool form protection will already
 * have created an error message for the invalid token
63 * }
64 * </pre>
65 */
66 /**
67 * Install Tool form protection
68 *
69 * @author Oliver Klee <typo3-coding@oliverklee.de>
70 */
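class InstallToolFormProtection extends AbstractFormProtection {

	/**
	 * The install tool instance used for displaying messages, or NULL until
	 * injectInstallTool() has been called.
	 *
	 * @var \TYPO3\CMS\Install\Installer
	 */
	protected $installTool = NULL;

	/**
	 * Frees as much memory as possible by dropping the reference to the
	 * install tool before handing over to the parent destructor.
	 */
	public function __destruct() {
		$this->installTool = NULL;
		parent::__destruct();
	}

	/**
	 * Injects the current instance of the install tool.
	 *
	 * The instance is only used to report a failed token validation to the
	 * user; it plays no part in generating or validating the tokens.
	 *
	 * @param \TYPO3\CMS\Install\Installer $installTool the current instance of the install tool
	 * @return void
	 */
	public function injectInstallTool(\TYPO3\CMS\Install\Installer $installTool) {
		$this->installTool = $installTool;
	}

	/**
	 * Creates an error message telling the user that the submitted form
	 * token is invalid.
	 *
	 * The message is purely informational: the negative validation result
	 * is produced by the parent class (presumably validateToken(), which is
	 * not shown in this file) independently of whether a message could be
	 * displayed. When no install tool has been injected the message is
	 * skipped instead of dereferencing NULL, which would abort the request
	 * with a fatal error rather than a proper error page.
	 *
	 * @return void
	 */
	protected function createValidationErrorMessage() {
		if ($this->installTool === NULL) {
			return;
		}
		$this->installTool->addErrorMessage(
			'Validating the security token of this form has failed. ' . 'Please reload the form and submit it again.'
		);
	}

	/**
	 * Retrieves the session token from the PHP session or, if none is
	 * stored there yet, generates a fresh one and persists it.
	 *
	 * The session token is kept in the server-side PHP session under the
	 * key 'installToolFormToken'; the per-form tokens handed to the client
	 * are derived from it by the parent class (not shown here). An empty
	 * stored value is treated as "missing" and replaced, so a cleared or
	 * broken session entry never yields an empty secret.
	 *
	 * @return void
	 */
	protected function retrieveSessionToken() {
		// !empty() already covers the isset() check.
		if (!empty($_SESSION['installToolFormToken'])) {
			$this->sessionToken = $_SESSION['installToolFormToken'];
		} else {
			$this->sessionToken = $this->generateSessionToken();
			$this->persistSessionToken();
		}
	}

	/**
	 * Saves the session token into the PHP session so that it can be used
	 * by a later incarnation of this class (i.e. on the next request).
	 *
	 * @return void
	 */
	public function persistSessionToken() {
		$_SESSION['installToolFormToken'] = $this->sessionToken;
	}

}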
135
136
137 ?>