[SECURITY] Filter disallowed properties in form editor
[Packages/TYPO3.CMS.git] / typo3 / sysext / form / Classes / Domain / Configuration / FormDefinition / Converters / AddHmacDataToFormElementPropertyConverter.php
1 <?php
2 declare(strict_types = 1);
3 namespace TYPO3\CMS\Form\Domain\Configuration\FormDefinition\Converters;
4
5 /*
6 * This file is part of the TYPO3 CMS project.
7 *
8 * It is free software; you can redistribute it and/or modify it under
9 * the terms of the GNU General Public License, either version 2
10 * of the License, or any later version.
11 *
12 * For the full copyright and license information, please read the
13 * LICENSE.txt file that was distributed with this source code.
14 *
15 * The TYPO3 project - inspiring people to share!
16 */
17
18 use TYPO3\CMS\Core\Utility\ArrayUtility;
19 use TYPO3\CMS\Core\Utility\GeneralUtility;
20
/**
 * Converter that stores a signed copy of a form element property inside the
 * form definition.
 *
 * For a property path such as "a.b.c" the copy is written to "a.b._orig_c"
 * below the renderable's own path. The original value is left untouched.
 *
 * NOTE(review): the code that verifies these entries is not part of this file.
 * Presumably it recomputes the HMAC when the definition comes back from the
 * form editor; it should compare with hash_equals() and rebuild the signed
 * input with identical value types, because serialize() is type-sensitive.
 *
 * @internal
 */
class AddHmacDataToFormElementPropertyConverter extends AbstractConverter
{
    /**
     * Adds an "_orig_" sibling entry holding the value and its HMAC.
     *
     * The HMAC covers the form element identifier, the property key and the
     * value together, so a signature is bound to one property of one element.
     * It is keyed with $this->sessionToken (not declared in this class;
     * presumably provided by AbstractConverter).
     *
     * @param string $key Dot-separated property path within the renderable
     * @param mixed $value Value to be signed and stored alongside its HMAC
     */
    public function __invoke(string $key, $value): void
    {
        $currentDefinition = $this->converterDto->getFormDefinition();

        // Prefix only the last path segment: "a.b.c" becomes "a.b._orig_c".
        $segments = explode('.', $key);
        $lastIndex = count($segments) - 1;
        $segments[$lastIndex] = '_orig_' . $segments[$lastIndex];

        $targetPath = implode(
            '.',
            array_merge($this->converterDto->getRenderablePathParts(), $segments)
        );

        // serialize() is used only to build a canonical string to sign;
        // nothing is unserialized here.
        $signedInput = serialize([
            $this->converterDto->getFormElementIdentifier(),
            $key,
            $value,
        ]);
        $signedEntry = [
            'value' => $value,
            'hmac' => GeneralUtility::hmac($signedInput, $this->sessionToken),
        ];

        $this->converterDto->setFormDefinition(
            ArrayUtility::setValueByPath($currentDefinition, $targetPath, $signedEntry, '.')
        );
    }
}