[TASK] Use hash_equals for timing-safe comparison of hash-values
1 <?php
2 declare(strict_types=1);
3 namespace TYPO3\CMS\Backend\Form\Wizard;
4
5 /*
6 * This file is part of the TYPO3 CMS project.
7 *
8 * It is free software; you can redistribute it and/or modify it under
9 * the terms of the GNU General Public License, either version 2
10 * of the License, or any later version.
11 *
12 * For the full copyright and license information, please read the
13 * LICENSE.txt file that was distributed with this source code.
14 *
15 * The TYPO3 project - inspiring people to share!
16 */
17
18 use Psr\Http\Message\ResponseInterface;
19 use Psr\Http\Message\ServerRequestInterface;
20 use TYPO3\CMS\Core\Resource\Exception\FileDoesNotExistException;
21 use TYPO3\CMS\Core\Resource\ResourceFactory;
22 use TYPO3\CMS\Core\Utility\GeneralUtility;
23 use TYPO3\CMS\Core\Utility\MathUtility;
24 use TYPO3\CMS\Fluid\View\StandaloneView;
25
26 /**
27 * Wizard for rendering image manipulation view
28 */
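class ImageManipulationWizard
{
    /**
     * @var StandaloneView
     */
    private $templateView;

    /**
     * @param StandaloneView|null $templateView Injected view; when null, a view wired to the
     *        backend ImageManipulation layouts/partials/template is created
     */
    public function __construct(?StandaloneView $templateView = null)
    {
        if ($templateView === null) {
            $templateView = GeneralUtility::makeInstance(StandaloneView::class);
            $templateView->setLayoutRootPaths([GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Private/Layouts/')]);
            $templateView->setPartialRootPaths([GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Private/Partials/ImageManipulation/')]);
            $templateView->setTemplatePathAndFilename(GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Private/Templates/ImageManipulation/ImageManipulationWizard.html'));
        }
        $this->templateView = $templateView;
    }

    /**
     * Returns the HTML for the wizard inside the modal
     *
     * The "arguments" query parameter is a JSON document covered by the HMAC
     * "signature" parameter. It is only decoded once the signature has been
     * verified; a document that does not decode to an array, or lacks the
     * "image" / "cropVariants" keys, renders the wizard without an image and
     * with a null crop variant list instead of raising notices.
     *
     * @param ServerRequestInterface $request
     * @param ResponseInterface $response
     * @return ResponseInterface $response with the rendered wizard, or a 403 response
     *         when the signature does not match
     */
    public function getWizardAction(ServerRequestInterface $request, ResponseInterface $response)
    {
        if (!$this->isSignatureValid($request)) {
            return $response->withStatus(403);
        }
        // isSignatureValid() has already established that "arguments" is a string
        $queryParams = json_decode($request->getQueryParams()['arguments'] ?? '', true);
        if (!is_array($queryParams)) {
            $queryParams = [];
        }
        $fileUid = $queryParams['image'] ?? null;
        $image = null;
        if (MathUtility::canBeInterpretedAsInteger($fileUid)) {
            try {
                $image = ResourceFactory::getInstance()->getFileObject($fileUid);
            } catch (FileDoesNotExistException $e) {
                // Deliberately best-effort: a vanished file renders the wizard without an image
            }
        }
        $viewData = [
            'image' => $image,
            'cropVariants' => $queryParams['cropVariants'] ?? null,
        ];
        $content = $this->templateView->renderSection('Main', $viewData);
        $response->getBody()->write($content);

        return $response;
    }

    /**
     * Check if hmac signature is correct
     *
     * The comparison uses hash_equals() so that the time taken does not depend
     * on how many leading bytes of the supplied signature are correct.
     *
     * @param ServerRequestInterface $request the request with the GET parameters
     * @return bool true only when both "arguments" and "signature" are present as
     *              strings and the signature matches the HMAC of the arguments
     */
    protected function isSignatureValid(ServerRequestInterface $request)
    {
        $queryParams = $request->getQueryParams();
        $arguments = $queryParams['arguments'] ?? null;
        $signature = $queryParams['signature'] ?? null;
        if (!is_string($arguments) || !is_string($signature)) {
            // A missing or non-string parameter can never carry a valid signature;
            // reject it here rather than passing a wrong type to hmac()/hash_equals()
            return false;
        }
        $token = GeneralUtility::hmac($arguments, 'ajax_wizard_image_manipulation');
        return hash_equals($token, $signature);
    }
}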