[SECURITY] Disallow access to fallback storage '0'
[Packages/TYPO3.CMS.git] / typo3 / sysext / filelist / Classes / Controller / FileListController.php
1 <?php
2 namespace TYPO3\CMS\Filelist\Controller;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use TYPO3\CMS\Backend\Template\DocumentTemplate;
18 use TYPO3\CMS\Backend\Utility\BackendUtility;
19 use TYPO3\CMS\Backend\Utility\IconUtility;
20 use TYPO3\CMS\Core\Messaging\FlashMessage;
21 use TYPO3\CMS\Core\Resource\Exception;
22 use TYPO3\CMS\Core\Resource\ResourceFactory;
23 use TYPO3\CMS\Core\Resource\Utility\ListUtility;
24 use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
25 use TYPO3\CMS\Core\Utility\File\ExtendedFileUtility;
26 use TYPO3\CMS\Core\Utility\GeneralUtility;
27 use TYPO3\CMS\Core\Utility\MathUtility;
28 use TYPO3\CMS\Filelist\FileList;
29
30 /**
31 * Script Class for creating the list of files in the File > Filelist module
32 *
33 * @author Kasper Skårhøj <kasperYYYY@typo3.com>
34 */
35 class FileListController {
36
37 /**
38 * Module configuration
39 *
40 * @var array
41 * @deprecated since TYPO3 CMS 7, will be removed in TYPO3 CMS 8. The Module gets configured by ExtensionManagementUtility::addModule() in ext_tables.php
42 */
43 public $MCONF = array();
44
45 /**
46 * @var array
47 */
48 public $MOD_MENU = array();
49
50 /**
51 * @var array
52 */
53 public $MOD_SETTINGS = array();
54
55 /**
56 * Accumulated HTML output
57 *
58 * @var string
59 */
60 public $content;
61
62 /**
63 * Document template object
64 *
65 * @var DocumentTemplate
66 */
67 public $doc;
68
69 /**
70 * "id" -> the path to list.
71 *
72 * @var string
73 */
74 public $id;
75
76 /**
77 * @var \TYPO3\CMS\Core\Resource\Folder
78 */
79 protected $folderObject;
80
81 /**
82 * @var FlashMessage
83 */
84 protected $errorMessage;
85
86 /**
87 * Pointer to listing
88 *
89 * @var int
90 */
91 public $pointer;
92
93 /**
94 * "Table"
95 *
96 * @var string
97 */
98 public $table;
99
100 /**
101 * Thumbnail mode.
102 *
103 * @var string
104 */
105 public $imagemode;
106
107 /**
108 * @var string
109 */
110 public $cmd;
111
112 /**
113 * @var bool
114 */
115 public $overwriteExistingFiles;
116
117 /**
118 * The file list object
119 *
120 * @var FileList
121 */
122 public $filelist = NULL;
123
124 /**
125 * The name of the module
126 *
127 * @var string
128 */
129 protected $moduleName = 'file_list';
130
131 /**
132 * Constructor
133 */
134 public function __construct() {
135 $this->getLanguageService()->includeLLFile('EXT:lang/locallang_mod_file_list.xlf');
136 $this->getLanguageService()->includeLLFile('EXT:lang/locallang_misc.xlf');
137 }
138
139 /**
140 * Initialize variables, file object
141 * Incoming GET vars include id, pointer, table, imagemode
142 *
143 * @return void
144 * @throws \RuntimeException
145 * @throws Exception\InsufficientFolderAccessPermissionsException
146 */
147 public function init() {
148 // Setting GPvars:
149 $this->id = ($combinedIdentifier = GeneralUtility::_GP('id'));
150 $this->pointer = GeneralUtility::_GP('pointer');
151 $this->table = GeneralUtility::_GP('table');
152 $this->imagemode = GeneralUtility::_GP('imagemode');
153 $this->cmd = GeneralUtility::_GP('cmd');
154 $this->overwriteExistingFiles = GeneralUtility::_GP('overwriteExistingFiles');
155
156 try {
157 if ($combinedIdentifier) {
158 /** @var $fileFactory ResourceFactory */
159 $fileFactory = GeneralUtility::makeInstance(ResourceFactory::class);
160 $storage = $fileFactory->getStorageObjectFromCombinedIdentifier($combinedIdentifier);
161 $identifier = substr($combinedIdentifier, strpos($combinedIdentifier, ':') + 1);
162 if (!$storage->hasFolder($identifier)) {
163 $identifier = $storage->getFolderIdentifierFromFileIdentifier($identifier);
164 }
165
166 $this->folderObject = $fileFactory->getFolderObjectFromCombinedIdentifier($storage->getUid() . ':' . $identifier);
167 // Disallow access to fallback storage 0
168 if ($storage->getUid() === 0) {
169 throw new Exception\InsufficientFolderAccessPermissionsException('You are not allowed to access files outside your storages', 1434539815);
170 }
171 // Disallow the rendering of the processing folder (e.g. could be called manually)
172 if ($this->folderObject && $storage->isProcessingFolder($this->folderObject)) {
173 $this->folderObject = $storage->getRootLevelFolder();
174 }
175 } else {
176 // Take the first object of the first storage
177 $fileStorages = $this->getBackendUser()->getFileStorages();
178 $fileStorage = reset($fileStorages);
179 if ($fileStorage) {
180 $this->folderObject = $fileStorage->getRootLevelFolder();
181 } else {
182 throw new \RuntimeException('Could not find any folder to be displayed.', 1349276894);
183 }
184 }
185
186 if ($this->folderObject && !$this->folderObject->getStorage()->isWithinFileMountBoundaries($this->folderObject)) {
187 throw new \RuntimeException('Folder not accessible.', 1430409089);
188 }
189 } catch (Exception\InsufficientFolderAccessPermissionsException $permissionException) {
190 $this->folderObject = NULL;
191 $this->errorMessage = GeneralUtility::makeInstance(FlashMessage::class,
192 sprintf(
193 $this->getLanguageService()->getLL('missingFolderPermissionsMessage', TRUE),
194 htmlspecialchars($this->id)
195 ),
196 $this->getLanguageService()->getLL('missingFolderPermissionsTitle', TRUE),
197 FlashMessage::NOTICE
198 );
199 } catch (Exception $fileException) {
200 // Set folder object to null and throw a message later on
201 $this->folderObject = NULL;
202 // Take the first object of the first storage
203 $fileStorages = $this->getBackendUser()->getFileStorages();
204 $fileStorage = reset($fileStorages);
205 if ($fileStorage instanceof \TYPO3\CMS\Core\Resource\ResourceStorage) {
206 $this->folderObject = $fileStorage->getRootLevelFolder();
207 if (!$fileStorage->isWithinFileMountBoundaries($this->folderObject)) {
208 $this->folderObject = NULL;
209 }
210 }
211 $this->errorMessage = GeneralUtility::makeInstance(FlashMessage::class,
212 sprintf(
213 $this->getLanguageService()->getLL('folderNotFoundMessage', TRUE),
214 htmlspecialchars($this->id)
215 ),
216 $this->getLanguageService()->getLL('folderNotFoundTitle', TRUE),
217 FlashMessage::NOTICE
218 );
219 } catch (\RuntimeException $e) {
220 $this->folderObject = NULL;
221 $this->errorMessage = GeneralUtility::makeInstance(FlashMessage::class,
222 $e->getMessage() . ' (' . $e->getCode() . ')',
223 $this->getLanguageService()->getLL('folderNotFoundTitle', TRUE),
224 FlashMessage::NOTICE
225 );
226 }
227
228 if ($this->folderObject && !$this->folderObject->getStorage()->checkFolderActionPermission('read', $this->folderObject)) {
229 $this->folderObject = NULL;
230 }
231
232 // Configure the "menu" - which is used internally to save the values of sorting, displayThumbs etc.
233 $this->menuConfig();
234 }
235
236 /**
237 * Setting the menu/session variables
238 *
239 * @return void
240 */
241 public function menuConfig() {
242 // MENU-ITEMS:
243 // If array, then it's a selector box menu
244 // If empty string it's just a variable, that will be saved.
245 // Values NOT in this array will not be saved in the settings-array for the module.
246 $this->MOD_MENU = array(
247 'sort' => '',
248 'reverse' => '',
249 'displayThumbs' => '',
250 'clipBoard' => '',
251 'bigControlPanel' => ''
252 );
253 // CLEANSE SETTINGS
254 $this->MOD_SETTINGS = BackendUtility::getModuleData(
255 $this->MOD_MENU,
256 GeneralUtility::_GP('SET'),
257 $this->moduleName
258 );
259 }
260
261 /**
262 * Main function, creating the listing
263 *
264 * @return void
265 */
266 public function main() {
267 // Initialize the template object
268 $this->doc = GeneralUtility::makeInstance(DocumentTemplate::class);
269 $this->doc->backPath = $GLOBALS['BACK_PATH'];
270 $this->doc->setModuleTemplate('EXT:filelist/Resources/Private/Templates/file_list.html');
271
272 /** @var $pageRenderer \TYPO3\CMS\Core\Page\PageRenderer */
273 $pageRenderer = $this->doc->getPageRenderer();
274 $pageRenderer->loadJQuery();
275 $pageRenderer->loadRequireJsModule('TYPO3/CMS/Filelist/FileListLocalisation');
276
277 // There there was access to this file path, continue, make the list
278 if ($this->folderObject) {
279
280 // Create filelisting object
281 $this->filelist = GeneralUtility::makeInstance(FileList::class);
282 $this->filelist->backPath = $GLOBALS['BACK_PATH'];
283 // Apply predefined values for hidden checkboxes
284 // Set predefined value for DisplayBigControlPanel:
285 $backendUser = $this->getBackendUser();
286 if ($backendUser->getTSConfigVal('options.file_list.enableDisplayBigControlPanel') === 'activated') {
287 $this->MOD_SETTINGS['bigControlPanel'] = TRUE;
288 } elseif ($backendUser->getTSConfigVal('options.file_list.enableDisplayBigControlPanel') === 'deactivated') {
289 $this->MOD_SETTINGS['bigControlPanel'] = FALSE;
290 }
291 // Set predefined value for DisplayThumbnails:
292 if ($backendUser->getTSConfigVal('options.file_list.enableDisplayThumbnails') === 'activated') {
293 $this->MOD_SETTINGS['displayThumbs'] = TRUE;
294 } elseif ($backendUser->getTSConfigVal('options.file_list.enableDisplayThumbnails') === 'deactivated') {
295 $this->MOD_SETTINGS['displayThumbs'] = FALSE;
296 }
297 // Set predefined value for Clipboard:
298 if ($backendUser->getTSConfigVal('options.file_list.enableClipBoard') === 'activated') {
299 $this->MOD_SETTINGS['clipBoard'] = TRUE;
300 } elseif ($backendUser->getTSConfigVal('options.file_list.enableClipBoard') === 'deactivated') {
301 $this->MOD_SETTINGS['clipBoard'] = FALSE;
302 }
303 // If user never opened the list module, set the value for displayThumbs
304 if (!isset($this->MOD_SETTINGS['displayThumbs'])) {
305 $this->MOD_SETTINGS['displayThumbs'] = $backendUser->uc['thumbnailsByDefault'];
306 }
307 $this->filelist->thumbs = $this->MOD_SETTINGS['displayThumbs'];
308 // Create clipboard object and initialize that
309 $this->filelist->clipObj = GeneralUtility::makeInstance(\TYPO3\CMS\Backend\Clipboard\Clipboard::class);
310 $this->filelist->clipObj->fileMode = 1;
311 $this->filelist->clipObj->initializeClipboard();
312 $CB = GeneralUtility::_GET('CB');
313 if ($this->cmd == 'setCB') {
314 $CB['el'] = $this->filelist->clipObj->cleanUpCBC(array_merge(GeneralUtility::_POST('CBH'), (array)GeneralUtility::_POST('CBC')), '_FILE');
315 }
316 if (!$this->MOD_SETTINGS['clipBoard']) {
317 $CB['setP'] = 'normal';
318 }
319 $this->filelist->clipObj->setCmd($CB);
320 $this->filelist->clipObj->cleanCurrent();
321 // Saves
322 $this->filelist->clipObj->endClipboard();
323 // If the "cmd" was to delete files from the list (clipboard thing), do that:
324 if ($this->cmd == 'delete') {
325 $items = $this->filelist->clipObj->cleanUpCBC(GeneralUtility::_POST('CBC'), '_FILE', 1);
326 if (!empty($items)) {
327 // Make command array:
328 $FILE = array();
329 foreach ($items as $v) {
330 $FILE['delete'][] = array('data' => $v);
331 }
332 // Init file processing object for deleting and pass the cmd array.
333 $fileProcessor = GeneralUtility::makeInstance(ExtendedFileUtility::class);
334 $fileProcessor->init(array(), $GLOBALS['TYPO3_CONF_VARS']['BE']['fileExtensions']);
335 $fileProcessor->setActionPermissions();
336 $fileProcessor->dontCheckForUnique = $this->overwriteExistingFiles ? 1 : 0;
337 $fileProcessor->start($FILE);
338 $fileProcessor->processData();
339 $fileProcessor->pushErrorMessagesToFlashMessageQueue();
340 }
341 }
342 if (!isset($this->MOD_SETTINGS['sort'])) {
343 // Set default sorting
344 $this->MOD_SETTINGS['sort'] = 'file';
345 $this->MOD_SETTINGS['reverse'] = 0;
346 }
347 // Start up filelisting object, include settings.
348 $this->pointer = MathUtility::forceIntegerInRange($this->pointer, 0, 100000);
349 $this->filelist->start($this->folderObject, $this->pointer, $this->MOD_SETTINGS['sort'], $this->MOD_SETTINGS['reverse'], $this->MOD_SETTINGS['clipBoard'], $this->MOD_SETTINGS['bigControlPanel']);
350 // Generate the list
351 $this->filelist->generateList();
352 // Set top JavaScript:
353 $this->doc->JScode = $this->doc->wrapScriptTags('if (top.fsMod) top.fsMod.recentIds["file"] = "' . rawurlencode($this->id) . '";' . $this->filelist->CBfunctions());
354 // This will return content necessary for the context sensitive clickmenus to work: bodytag events, JavaScript functions and DIV-layers.
355 $this->doc->getContextMenuCode();
356 // Setting up the buttons and markers for docheader
357 list($buttons, $otherMarkers) = $this->filelist->getButtonsAndOtherMarkers($this->folderObject);
358 // add the folder info to the marker array
359 $otherMarkers['FOLDER_INFO'] = $this->filelist->getFolderInfo();
360 $docHeaderButtons = array_merge($this->getButtons(), $buttons);
361
362 // Include DragUploader only if we have write access
363 if ($this->folderObject->getStorage()->checkUserActionPermission('add', 'File')
364 && $this->folderObject->checkActionPermission('write')
365 ) {
366 $pageRenderer->loadRequireJsModule('TYPO3/CMS/Backend/DragUploader');
367 $pageRenderer->addInlineLanguagelabelFile(
368 ExtensionManagementUtility::extPath('lang') . 'locallang_core.xlf',
369 'file_upload'
370 );
371 }
372
373 // Build the <body> for the module
374 $moduleHeadline = $this->getModuleHeadline();
375 // Create output
376 $pageContent = $moduleHeadline !== '' ? '<h1>' . $moduleHeadline . '</h1>' : '';
377
378 $pageContent .= '<form action="' . htmlspecialchars($this->filelist->listURL()) . '" method="post" name="dblistForm">';
379 $pageContent .= $this->filelist->HTMLcode;
380 $pageContent .= '<input type="hidden" name="cmd" /></form>';
381
382 // Making listing options:
383 if ($this->filelist->HTMLcode) {
384 $pageContent .= '
385
386 <!--
387 Listing options for extended view, clipboard and thumbnails
388 -->
389 <div id="typo3-listOptions">
390 ';
391 // Add "display bigControlPanel" checkbox:
392 if ($backendUser->getTSConfigVal('options.file_list.enableDisplayBigControlPanel') === 'selectable') {
393 $pageContent .= '<div class="checkbox">' .
394 '<label for="bigControlPanel">' .
395 BackendUtility::getFuncCheck($this->id, 'SET[bigControlPanel]', $this->MOD_SETTINGS['bigControlPanel'], '', '', 'id="bigControlPanel"') .
396 $this->getLanguageService()->getLL('bigControlPanel', TRUE) .
397 '</label>' .
398 '</div>';
399 }
400 // Add "display thumbnails" checkbox:
401 if ($backendUser->getTSConfigVal('options.file_list.enableDisplayThumbnails') === 'selectable') {
402 $pageContent .= '<div class="checkbox">' .
403 '<label for="checkDisplayThumbs">' .
404 BackendUtility::getFuncCheck($this->id, 'SET[displayThumbs]', $this->MOD_SETTINGS['displayThumbs'], '', '', 'id="checkDisplayThumbs"') .
405 $this->getLanguageService()->getLL('displayThumbs', TRUE) .
406 '</label>' .
407 '</div>';
408 }
409 // Add "clipboard" checkbox:
410 if ($backendUser->getTSConfigVal('options.file_list.enableClipBoard') === 'selectable') {
411 $pageContent .= '<div class="checkbox">' .
412 '<label for="checkClipBoard">' .
413 BackendUtility::getFuncCheck($this->id, 'SET[clipBoard]', $this->MOD_SETTINGS['clipBoard'], '', '', 'id="checkClipBoard"') .
414 $this->getLanguageService()->getLL('clipBoard', TRUE) .
415 '</label>' .
416 '</div>';
417 }
418 $pageContent .= '
419 </div>
420 ';
421 // Set clipboard:
422 if ($this->MOD_SETTINGS['clipBoard']) {
423 $pageContent .= $this->filelist->clipObj->printClipboard();
424 $pageContent .= BackendUtility::cshItem('xMOD_csh_corebe', 'filelist_clipboard');
425 }
426 }
427 $markerArray = array(
428 'CSH' => $docHeaderButtons['csh'],
429 'FUNC_MENU' => BackendUtility::getFuncMenu($this->id, 'SET[function]', $this->MOD_SETTINGS['function'], $this->MOD_MENU['function']),
430 'CONTENT' => ($this->errorMessage ? $this->errorMessage->render() : '') . $pageContent,
431 'FOLDER_IDENTIFIER' => $this->folderObject->getCombinedIdentifier(),
432 'FILEDENYPATERN' => $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'],
433 'MAXFILESIZE' => GeneralUtility::getMaxUploadFileSize() * 1024,
434 );
435 $this->content = $this->doc->moduleBody(array(), $docHeaderButtons, array_merge($markerArray, $otherMarkers));
436 // Renders the module page
437 $this->content = $this->doc->render($this->getLanguageService()->getLL('files'), $this->content);
438 } else {
439 $content = '';
440 if ($this->errorMessage) {
441 $this->errorMessage->setSeverity(FlashMessage::ERROR);
442 $content = $this->doc->moduleBody(array(), array_merge(array('REFRESH' => '', 'PASTE' => '', 'LEVEL_UP' => ''), $this->getButtons()), array('CSH' => '', 'TITLE' => '', 'FOLDER_INFO' => '', 'PAGE_ICON' => '', 'FUNC_MENU' => '', 'CONTENT' => $this->errorMessage->render()));
443 }
444 // Create output - no access (no warning though)
445 $this->content = $this->doc->render($this->getLanguageService()->getLL('files'), $content);
446 }
447 }
448
449 /**
450 * Get main headline based on active folder or storage for backend module
451 *
452 * Folder names are resolved to their special names like done in the tree view.
453 *
454 * @return string
455 */
456 protected function getModuleHeadline() {
457 $name = $this->folderObject->getName();
458 if ($name === '') {
459 // Show storage name on storage root
460 if ($this->folderObject->getIdentifier() === '/') {
461 $name = $this->folderObject->getStorage()->getName();
462 }
463 } else {
464 $name = key(ListUtility::resolveSpecialFolderNames(
465 array($name => $this->folderObject)
466 ));
467 }
468 return $name;
469 }
470
471 /**
472 * Outputting the accumulated content to screen
473 *
474 * @return void
475 */
476 public function printContent() {
477 echo $this->content;
478 }
479
480 /**
481 * Create the panel of buttons for submitting the form or otherwise perform operations.
482 *
483 * @return array All available buttons as an assoc. array
484 */
485 public function getButtons() {
486 $buttons = array(
487 'csh' => '',
488 'shortcut' => '',
489 'upload' => '',
490 'new' => ''
491 );
492 // Add shortcut
493 if ($this->getBackendUser()->mayMakeShortcut()) {
494 $buttons['shortcut'] = $this->doc->makeShortcutIcon('pointer,id,target,table', implode(',', array_keys($this->MOD_MENU)), $this->moduleName);
495 }
496 // FileList Module CSH:
497 $buttons['csh'] = BackendUtility::cshItem('xMOD_csh_corebe', 'filelist_module');
498 // Upload button (only if upload to this directory is allowed)
499 if ($this->folderObject && $this->folderObject->getStorage()->checkUserActionPermission('add', 'File') && $this->folderObject->checkActionPermission('write')) {
500 $buttons['upload'] = '<a href="' . htmlspecialchars($GLOBALS['BACK_PATH']
501 . BackendUtility::getModuleUrl(
502 'file_upload',
503 array(
504 'target' => $this->folderObject->getCombinedIdentifier(),
505 'returnUrl' => $this->filelist->listURL(),
506 )
507 )) . '" id="button-upload" title="' . $this->getLanguageService()->makeEntities($this->getLanguageService()->sL('LLL:EXT:lang/locallang_core.xlf:cm.upload', TRUE)) . '">' . IconUtility::getSpriteIcon('actions-edit-upload') . '</a>';
508 }
509 // New folder button
510 if ($this->folderObject && $this->folderObject->checkActionPermission('write')
511 && ($this->folderObject->getStorage()->checkUserActionPermission('add', 'File') || $this->folderObject->checkActionPermission('add'))
512 ) {
513 $buttons['new'] = '<a href="' . htmlspecialchars($GLOBALS['BACK_PATH']
514 . BackendUtility::getModuleUrl(
515 'file_newfolder',
516 array(
517 'target' => $this->folderObject->getCombinedIdentifier(),
518 'returnUrl' => $this->filelist->listURL(),
519 )
520 )) . '" title="' . $this->getLanguageService()->makeEntities($this->getLanguageService()->sL('LLL:EXT:lang/locallang_core.xlf:cm.new', TRUE)) . '">' . IconUtility::getSpriteIcon('actions-document-new') . '</a>';
521 }
522 return $buttons;
523 }
524
525 /**
526 * Returns an instance of LanguageService
527 *
528 * @return \TYPO3\CMS\Lang\LanguageService
529 */
530 protected function getLanguageService() {
531 return $GLOBALS['LANG'];
532 }
533
534 /**
535 * Returns the current BE user.
536 *
537 * @return \TYPO3\CMS\Core\Authentication\BackendUserAuthentication
538 */
539 protected function getBackendUser() {
540 return $GLOBALS['BE_USER'];
541 }
542
543 }