1 <?php
2 /***************************************************************
3 * Copyright notice
4 *
5 * (c) 2007-2013 Benjamin Mack
6 * All rights reserved
7 *
8 * This script is part of the TYPO3 project. The TYPO3 project is
9 * free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * The GNU General Public License can be found at
15 * http://www.gnu.org/copyleft/gpl.html.
16 * A copy is found in the text file GPL.txt and important notices to the license
17 * from the author is found in LICENSE.txt distributed with these scripts.
18 *
19 *
20 * This script is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * This copyright notice MUST APPEAR in all copies of the script!
26 ***************************************************************/
27
/**
 * AJAX dispatcher
 *
 * Entry point for backend AJAX requests: resolves the handler registered under
 * $TYPO3_CONF_VARS['BE']['AJAX'][<ajaxID>], validates the CSRF token where the
 * registration asks for it, runs the callback and renders the response.
 *
 * @author Benjamin Mack <mack@xnos.org>
 */
33
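$TYPO3_AJAX = TRUE;

// This is a list of requests that don't necessarily need a valid BE user.
// Every entry here is reachable without authentication, so extend the list
// with care and keep it to the login handshake itself.
$noUserAjaxIDs = array(
	'BackendLogin::login',
	'BackendLogin::logout',
	'BackendLogin::refreshLogin',
	'BackendLogin::isTimedOut',
	'BackendLogin::getChallenge',
	'BackendLogin::getRsaPublicKey',
);

// First get the ajaxID (POST wins over GET). Only a plain string is a usable
// registry key: an array value (?ajaxID[]=x) is dropped here instead of being
// handed to stripslashes(), which would emit a warning and return NULL.
// Reading $_GET only when it is set avoids the undefined-index notice for
// requests that carry no ajaxID at all.
$ajaxID = NULL;
if (isset($_POST['ajaxID'])) {
	$ajaxID = $_POST['ajaxID'];
} elseif (isset($_GET['ajaxID'])) {
	$ajaxID = $_GET['ajaxID'];
}
if (is_string($ajaxID)) {
	// NOTE(review): stripslashes() stems from magic_quotes_gpc handling; whether
	// init.php strips slashes as well is not visible from this file - confirm.
	$ajaxID = (string)stripslashes($ajaxID);
} else {
	$ajaxID = NULL;
}

// If we're trying to do an ajax login, don't require a user.
// This comparison decides whether authentication is skipped, so it is done
// strictly: loose in_array() semantics have no place in an auth bypass list.
if ($ajaxID !== NULL && in_array($ajaxID, $noUserAjaxIDs, TRUE)) {
	define('TYPO3_PROCEED_IF_NO_USER', 2);
}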
56
// Bootstrap the backend. This runs after the TYPO3_PROCEED_IF_NO_USER define
// above on purpose; presumably init.php enforces a valid BE user unless that
// constant is set - the check itself lives in init.php, not here.
require __DIR__ . '/init.php';
58
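// Finding the script path from the registry.
// The lookup key is client-supplied, but the callback that ends up being
// executed always comes from $TYPO3_CONF_VARS, never from the request.
$ajaxRegistryEntry = isset($GLOBALS['TYPO3_CONF_VARS']['BE']['AJAX'][$ajaxID]) ? $GLOBALS['TYPO3_CONF_VARS']['BE']['AJAX'][$ajaxID] : NULL;
$ajaxScript = NULL;
$csrfTokenCheck = FALSE;
if (is_array($ajaxRegistryEntry)) {
	if (isset($ajaxRegistryEntry['callbackMethod'])) {
		$ajaxScript = $ajaxRegistryEntry['callbackMethod'];
		// A registration that omits 'csrfTokenCheck' gets NO token check. Read the
		// key with empty() so a missing key is an explicit FALSE instead of an
		// undefined-index notice that merely happens to evaluate the same way.
		$csrfTokenCheck = !empty($ajaxRegistryEntry['csrfTokenCheck']);
	}
} elseif ($ajaxRegistryEntry !== NULL) {
	// @Deprecated since 6.2 will be removed two versions later
	// Plain string registration: callback only, never CSRF-protected.
	$ajaxScript = $ajaxRegistryEntry;
}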
74
// Instantiating the AJAX object
$ajaxObj = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\Http\\AjaxRequestHandler', $ajaxID);
$ajaxParams = array();

// Evaluating the arguments and calling the AJAX method/function.
// Note that empty() also rejects the literal ajaxID '0'.
// NOTE(review): $ajaxID is echoed back unescaped in the error messages below;
// whether that is safe depends on how AjaxRequestHandler::render() encodes its
// output, which is not visible from this file - confirm.
if (empty($ajaxID)) {
	$ajaxObj->setError('No valid ajaxID parameter given.');
} elseif (empty($ajaxScript)) {
	$ajaxObj->setError('No backend function registered for ajaxID "' . $ajaxID . '".');
} else {
	$success = TRUE;
	// Only registrations that asked for it are CSRF-protected; for all others
	// the ajaxToken parameter is never looked at.
	$tokenIsValid = $csrfTokenCheck
		? \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()->validateToken(\TYPO3\CMS\Core\Utility\GeneralUtility::_GP('ajaxToken'), 'ajaxCall', $ajaxID)
		: TRUE;
	if (!$tokenIsValid) {
		$ajaxObj->setError('Invalid CSRF token detected for ajaxID "' . $ajaxID . '"!');
	} else {
		// Cleanup global variable space before control passes to the callback
		unset($csrfTokenCheck, $ajaxRegistryEntry, $tokenIsValid, $success);
		$success = \TYPO3\CMS\Core\Utility\GeneralUtility::callUserFunction($ajaxScript, $ajaxParams, $ajaxObj, FALSE, TRUE);
		// A FALSE return is treated as "registered callback could not be resolved"
		if ($success === FALSE) {
			$ajaxObj->setError('Registered backend function for ajaxID "' . $ajaxID . '" was not found.');
		}
	}
}

// Outputting the content (and setting the X-JSON-Header)
$ajaxObj->render();