Fixed bug #16574: PHP notices from XCLASS inclusions
1 <?php
2 /***************************************************************
3 * Copyright notice
4 *
5 * (c) 2010 Oliver Klee <typo3-coding@oliverklee.de>
6 * All rights reserved
7 *
8 * This script is part of the TYPO3 project. The TYPO3 project is
9 * free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * The GNU General Public License can be found at
15 * http://www.gnu.org/copyleft/gpl.html.
16 *
17 * This script is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * This copyright notice MUST APPEAR in all copies of the script!
23 ***************************************************************/
24
25 /**
26 * Class t3lib_formprotection_InstallToolFormProtection.
27 *
28 * This class provides protection against cross-site request forgery (XSRF/CSRF)
29 * in the install tool.
30 *
31 *
32 * How to use this in the install tool:
33 *
34 * For each form in the install tool (or link that changes some data), create a
35 * token and insert it as a hidden form element. The name of the form element
36 * does not matter; you only need it to get the form token for verifying it.
37 *
38 * <pre>
39 * $formToken = $this->formProtection->generateToken(
40 * 'installToolPassword', 'change'
41 * );
42 * // then puts the generated form token in a hidden field in the template
43 * </pre>
44 *
45 * The three parameters $formName, $action and $formInstanceName can be
46 * arbitrary strings, but they should make the form token as specific as
47 * possible. For different forms (e.g. the password change and editing the
48 * configuration), those values should be different.
49 *
50 * At the end of the form, you need to persist the tokens. This makes sure that
51 * generated tokens get saved, and also that removed tokens stay removed:
52 *
53 * <pre>
54 * $this->formProtection()->persistTokens();
55 * </pre>
56 *
57 *
58 * When processing the data that has been submitted by the form, you can check
59 * that the form token is valid like this:
60 *
61 * <pre>
62 * if ($dataHasBeenSubmitted && $this->formProtection()->validateToken(
63 * (string) $_POST['formToken'],
64 * 'installToolPassword',
65 * 'change'
66 * ) {
67 * // processes the data
68 * } else {
69 * // no need to do anything here as the install tool form protection will
70 * // create an error message for an invalid token
71 * }
72 * </pre>
73 *
74 * Note that validateToken invalidates the token with the token ID. So calling
75 * validate with the same parameters two times in a row will always return FALSE
76 * for the second call.
77 *
78 * It is important that the tokens get validated <em>before</em> the tokens are
79 * persisted. This makes sure that the tokens that get invalidated by
80 * validateToken cannot be used again.
81 *
82 * $Id$
83 *
84 * @package TYPO3
85 * @subpackage t3lib
86 *
87 * @author Oliver Klee <typo3-coding@oliverklee.de>
88 */
class t3lib_formprotection_InstallToolFormProtection extends t3lib_formProtection_Abstract {
	/**
	 * Upper bound on how many tokens may be kept in the store at the same time.
	 *
	 * @var integer
	 */
	protected $maximumNumberOfTokens = 100;

	/**
	 * The install tool instance that receives validation error messages;
	 * stays NULL until injectInstallTool() has been called.
	 *
	 * @var tx_install
	 */
	protected $installTool = NULL;

	/**
	 * Drops the reference to the install tool, then lets the parent class
	 * release whatever it holds.
	 */
	public function __destruct() {
		$this->installTool = NULL;
		parent::__destruct();
	}

	/**
	 * Sets the install tool instance that will be used for reporting
	 * validation errors to the user.
	 *
	 * @param tx_install $installTool the currently running install tool
	 *
	 * @return void
	 */
	public function injectInstallTool(tx_install $installTool) {
		$this->installTool = $installTool;
	}

	/**
	 * Reports to the user that the submitted form token did not validate.
	 *
	 * injectInstallTool() must have been called beforehand; with
	 * $this->installTool still NULL, the method call below fails.
	 *
	 * @return void
	 */
	protected function createValidationErrorMessage() {
		$message = 'Validating the security token of this form has failed. '
			. 'Please reload the form and submit it again.';
		$this->installTool->addErrorMessage($message);
	}

	/**
	 * Loads the previously saved tokens from the session into $this->tokens.
	 *
	 * Anything other than an array under the session key counts as "no
	 * tokens saved", so $this->tokens is always an array afterwards.
	 *
	 * @return void
	 */
	protected function retrieveTokens() {
		$stored = isset($_SESSION['installToolFormTokens'])
			? $_SESSION['installToolFormTokens']
			: NULL;
		$this->tokens = is_array($stored) ? $stored : array();
	}

	/**
	 * Writes $this->tokens back to the session so that a later request can
	 * validate them, and so that tokens removed during this request stay
	 * removed.
	 *
	 * NOTE(review): this relies on $_SESSION being backed by an active PHP
	 * session; presumably the install tool has started one before this runs.
	 * Confirm against the caller.
	 *
	 * @return void
	 */
	public function persistTokens() {
		$_SESSION['installToolFormTokens'] = $this->tokens;
	}
}
164
// Includes the file registered under this XCLASS key, if one is configured.
// The isset() guard is what keeps an unconfigured key from raising a PHP notice.
// NOTE(review): the key names ext/install/mod/class.tx_install_formprotection.php,
// while this file itself lives at
// t3lib/formprotection/class.t3lib_formprotection_installtoolformprotection.php.
// Check that the key is the one an XCLASS configuration is expected to use.
if (defined('TYPO3_MODE')
	&& isset($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['ext/install/mod/class.tx_install_formprotection.php'])
) {
	include_once $GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['ext/install/mod/class.tx_install_formprotection.php'];
}
168 ?>