[TASK] Decouple TemplateService->getFileName
[Packages/TYPO3.CMS.git] / typo3 / sysext / frontend / Classes / Resource / FilePathSanitizer.php
1 <?php
2 declare(strict_types = 1);
3 namespace TYPO3\CMS\Frontend\Resource;
4
5 /*
6 * This file is part of the TYPO3 CMS project.
7 *
8 * It is free software; you can redistribute it and/or modify it under
9 * the terms of the GNU General Public License, either version 2
10 * of the License, or any later version.
11 *
12 * For the full copyright and license information, please read the
13 * LICENSE.txt file that was distributed with this source code.
14 *
15 * The TYPO3 project - inspiring people to share!
16 */
17
18 use TYPO3\CMS\Core\Core\Environment;
19 use TYPO3\CMS\Core\Resource\Exception\FileDoesNotExistException;
20 use TYPO3\CMS\Core\Resource\Exception\InvalidFileException;
21 use TYPO3\CMS\Core\Resource\Exception\InvalidFileNameException;
22 use TYPO3\CMS\Core\Resource\Exception\InvalidPathException;
23 use TYPO3\CMS\Core\Utility\GeneralUtility;
24 use TYPO3\CMS\Core\Utility\PathUtility;
25
26 /**
27 * Checks if a given file path is allowed to be used in TYPO3 Frontend.
28 *
29 * Currently allowed is:
30 * - a file (which must exist) from any of the allowedPaths option, without any ".." inside the path name
31 * - an external URL
32 *
33 * The sanitize method either returns a full URL (in case it's a valid http/https resource)
34 * or a path relative to the public folder of the TYPO3 Frontend.
35 */
36 class FilePathSanitizer
37 {
38 /**
39 * These are the only paths that are allowed for resources in TYPO3 Frontend.
40 * Additional paths can be added via $GLOBALS['TYPO3_CONF_VARS']['FE']['addAllowedPaths'], where all paths should
41 * be suffixed with a slash "/".
42 *
43 * @var array
44 */
45 protected $allowedPaths = [];
46
47 /**
48 * Sets the paths from where TypoScript resources are allowed to be used:
49 */
50 public function __construct()
51 {
52 $this->allowedPaths = [
53 $GLOBALS['TYPO3_CONF_VARS']['BE']['fileadminDir'],
54 'uploads/',
55 'typo3temp/',
56 TYPO3_mainDir . 'ext/',
57 TYPO3_mainDir . 'sysext/',
58 'typo3conf/ext/'
59 ];
60 if (!empty($GLOBALS['TYPO3_CONF_VARS']['FE']['addAllowedPaths'])) {
61 $paths = GeneralUtility::trimExplode(',', $GLOBALS['TYPO3_CONF_VARS']['FE']['addAllowedPaths'], true);
62 foreach ($paths as $path) {
63 if (is_string($path)) {
64 $this->allowedPaths[] = $path;
65 }
66 }
67 }
68 }
69
70 /**
71 * Returns the reference used for the frontend inclusion, checks against allowed paths for inclusion.
72 *
73 * @param string $originalFileName
74 * @return string Resulting filename, is either a full absolute URL or a relative path.
75 */
76 public function sanitize(string $originalFileName): string
77 {
78 $file = trim($originalFileName);
79 if (empty($file)) {
80 throw new InvalidFileNameException('Empty file name given', 1530169746);
81 }
82 if (strpos($file, '../') !== false) {
83 throw new InvalidPathException('File path "' . $file . '" contains illegal string "../"', 1530169814);
84 }
85 // if this is an URL, it can be returned directly
86 $urlScheme = parse_url($file, PHP_URL_SCHEME);
87 if ($urlScheme === 'https' || $urlScheme === 'http' || is_file(Environment::getPublicPath() . '/' . $file)) {
88 return $file;
89 }
90
91 // this call also resolves EXT:myext/ files
92 $file = GeneralUtility::getFileAbsFileName($file);
93 if (!$file || is_dir($file)) {
94 throw new FileDoesNotExistException('File "' . $originalFileName . '" was not found', 1530169845);
95 }
96
97 $file = PathUtility::stripPathSitePrefix($file);
98
99 // Check if the found file is in the allowed paths
100 foreach ($this->allowedPaths as $allowedPath) {
101 if (strpos((string)$file, (string)$allowedPath, 0) === 0) {
102 return $file;
103 }
104 }
105 throw new InvalidFileException('"' . $file . '" was not located in the allowed paths', 1530169955);
106 }
107 }