f90c7b6a5df7df9bf45a925d07e25bbafc32079c
[Packages/TYPO3.CMS.git] / typo3 / sysext / frontend / Classes / Controller / DataSubmissionController.php
1 <?php
2 namespace TYPO3\CMS\Frontend\Controller;
3
4 /**
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use TYPO3\CMS\Core\Utility;
18
19 /**
20 * Formmail class
21 *
22 * @author Kasper Skårhøj <kasperYYYY@typo3.com>
23 */
24 class DataSubmissionController {
25
26 protected $reserved_names = 'recipient,recipient_copy,auto_respond_msg,auto_respond_checksum,redirect,subject,attachment,from_email,from_name,replyto_email,replyto_name,organisation,priority,html_enabled,quoted_printable,submit_x,submit_y';
27
28 // Collection of suspicious header data, used for logging
29 protected $dirtyHeaders = array();
30
31 protected $characterSet;
32
33 protected $subject;
34
35 protected $fromName;
36
37 protected $replyToName;
38
39 protected $organisation;
40
41 protected $fromAddress;
42
43 protected $replyToAddress;
44
45 protected $priority;
46
47 protected $autoRespondMessage;
48
49 protected $encoding = 'quoted-printable';
50
51 /**
52 * @var \TYPO3\CMS\Core\Mail\MailMessage
53 */
54 protected $mailMessage;
55
56 protected $recipient;
57
58 protected $plainContent = '';
59
60 /**
61 * @var array Files to clean up at the end (attachments)
62 */
63 protected $temporaryFiles = array();
64
65 /**
66 * Start function
67 * This class is able to generate a mail in formmail-style from the data in $V
68 * Fields:
69 *
70 * [recipient]: email-adress of the one to receive the mail. If array, then all values are expected to be recipients
71 * [attachment]: ....
72 *
73 * [subject]: The subject of the mail
74 * [from_email]: Sender email. If not set, [email] is used
75 * [from_name]: Sender name. If not set, [name] is used
76 * [replyto_email]: Reply-to email. If not set [from_email] is used
77 * [replyto_name]: Reply-to name. If not set [from_name] is used
78 * [organisation]: Organization (header)
79 * [priority]: Priority, 1-5, default 3
80 * [html_enabled]: If mail is sent as html
81 * [use_base64]: If set, base64 encoding will be used instead of quoted-printable
82 *
83 * @param array $valueList Contains values for the field names listed above (with slashes removed if from POST input)
84 * @param boolean $base64 Whether to base64 encode the mail content
85 * @return void
86 * @todo Define visibility
87 */
88 public function start($valueList, $base64 = FALSE) {
89 $this->mailMessage = Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\Mail\\MailMessage');
90 if ($GLOBALS['TSFE']->config['config']['formMailCharset']) {
91 // Respect formMailCharset if it was set
92 $this->characterSet = $GLOBALS['TSFE']->csConvObj->parse_charset($GLOBALS['TSFE']->config['config']['formMailCharset']);
93 } elseif ($GLOBALS['TSFE']->metaCharset != $GLOBALS['TSFE']->renderCharset) {
94 // Use metaCharset for mail if different from renderCharset
95 $this->characterSet = $GLOBALS['TSFE']->metaCharset;
96 } else {
97 // Otherwise use renderCharset as default
98 $this->characterSet = $GLOBALS['TSFE']->renderCharset;
99 }
100 if ($base64 || $valueList['use_base64']) {
101 $this->encoding = 'base64';
102 }
103 if (isset($valueList['recipient'])) {
104 // Convert form data from renderCharset to mail charset
105 $this->subject = $valueList['subject'] ? $valueList['subject'] : 'Formmail on ' . Utility\GeneralUtility::getIndpEnv('HTTP_HOST');
106 $this->subject = $this->sanitizeHeaderString($this->subject);
107 $this->fromName = $valueList['from_name'] ? $valueList['from_name'] : ($valueList['name'] ? $valueList['name'] : '');
108 $this->fromName = $this->sanitizeHeaderString($this->fromName);
109 $this->replyToName = $valueList['replyto_name'] ? $valueList['replyto_name'] : $this->fromName;
110 $this->replyToName = $this->sanitizeHeaderString($this->replyToName);
111 $this->organisation = $valueList['organisation'] ? $valueList['organisation'] : '';
112 $this->organisation = $this->sanitizeHeaderString($this->organisation);
113 $this->fromAddress = $valueList['from_email'] ? $valueList['from_email'] : ($valueList['email'] ? $valueList['email'] : '');
114 if (!Utility\GeneralUtility::validEmail($this->fromAddress)) {
115 $this->fromAddress = Utility\MailUtility::getSystemFromAddress();
116 $this->fromName = Utility\MailUtility::getSystemFromName();
117 }
118 $this->replyToAddress = $valueList['replyto_email'] ? $valueList['replyto_email'] : $this->fromAddress;
119 $this->priority = $valueList['priority'] ? Utility\MathUtility::forceIntegerInRange($valueList['priority'], 1, 5) : 3;
120 // Auto responder
121 $this->autoRespondMessage = trim($valueList['auto_respond_msg']) && $this->fromAddress ? trim($valueList['auto_respond_msg']) : '';
122 if ($this->autoRespondMessage !== '') {
123 // Check if the value of the auto responder message has been modified with evil intentions
124 $autoRespondChecksum = $valueList['auto_respond_checksum'];
125 $correctHmacChecksum = Utility\GeneralUtility::hmac($this->autoRespondMessage, 'content_form');
126 if ($autoRespondChecksum !== $correctHmacChecksum) {
127 Utility\GeneralUtility::sysLog('Possible misuse of DataSubmissionController auto respond method. Subject: ' . $valueList['subject'], 'Core', Utility\GeneralUtility::SYSLOG_SEVERITY_ERROR);
128 return;
129 } else {
130 $this->autoRespondMessage = $this->sanitizeHeaderString($this->autoRespondMessage);
131 }
132 }
133 $plainTextContent = '';
134 $htmlContent = '<table border="0" cellpadding="2" cellspacing="2">';
135 // Runs through $V and generates the mail
136 if (is_array($valueList)) {
137 foreach ($valueList as $key => $val) {
138 if (!Utility\GeneralUtility::inList($this->reserved_names, $key)) {
139 $space = strlen($val) > 60 ? LF : '';
140 $val = is_array($val) ? implode($val, LF) : $val;
141 // Convert form data from renderCharset to mail charset (HTML may use entities)
142 $plainTextValue = $val;
143 $HtmlValue = htmlspecialchars($val);
144 $plainTextContent .= strtoupper($key) . ': ' . $space . $plainTextValue . LF . $space;
145 $htmlContent .= '<tr><td bgcolor="#eeeeee"><font face="Verdana" size="1"><strong>' . strtoupper($key) . '</strong></font></td><td bgcolor="#eeeeee"><font face="Verdana" size="1">' . nl2br($HtmlValue) . '&nbsp;</font></td></tr>';
146 }
147 }
148 }
149 $htmlContent .= '</table>';
150 $this->plainContent = $plainTextContent;
151 if ($valueList['html_enabled']) {
152 $this->mailMessage->setBody($htmlContent, 'text/html', $this->characterSet);
153 $this->mailMessage->addPart($plainTextContent, 'text/plain', $this->characterSet);
154 } else {
155 $this->mailMessage->setBody($plainTextContent, 'text/plain', $this->characterSet);
156 }
157 for ($a = 0; $a < 10; $a++) {
158 $variableName = 'attachment' . ($a ?: '');
159 if (!isset($_FILES[$variableName])) {
160 continue;
161 }
162 if (!is_uploaded_file($_FILES[$variableName]['tmp_name'])) {
163 Utility\GeneralUtility::sysLog('Possible abuse of DataSubmissionController: temporary file "' . $_FILES[$variableName]['tmp_name'] . '" ("' . $_FILES[$variableName]['name'] . '") was not an uploaded file.', 'Core', Utility\GeneralUtility::SYSLOG_SEVERITY_ERROR);
164 }
165 if ($_FILES[$variableName]['tmp_name']['error'] !== UPLOAD_ERR_OK) {
166 Utility\GeneralUtility::sysLog('Error in uploaded file in DataSubmissionController: temporary file "' . $_FILES[$variableName]['tmp_name'] . '" ("' . $_FILES[$variableName]['name'] . '") Error code: ' . $_FILES[$variableName]['tmp_name']['error'], 'Core', Utility\GeneralUtility::SYSLOG_SEVERITY_ERROR);
167 }
168 $theFile = Utility\GeneralUtility::upload_to_tempfile($_FILES[$variableName]['tmp_name']);
169 $theName = $_FILES[$variableName]['name'];
170 if ($theFile && file_exists($theFile)) {
171 if (filesize($theFile) < $GLOBALS['TYPO3_CONF_VARS']['FE']['formmailMaxAttachmentSize']) {
172 $this->mailMessage->attach(\Swift_Attachment::fromPath($theFile)->setFilename($theName));
173 }
174 }
175 $this->temporaryFiles[] = $theFile;
176 }
177 $from = $this->fromName ? array($this->fromAddress => $this->fromName) : array($this->fromAddress);
178 $this->recipient = $this->parseAddresses($valueList['recipient']);
179 $this->mailMessage->setSubject($this->subject)->setFrom($from)->setTo($this->recipient)->setPriority($this->priority);
180 $replyTo = $this->replyToName ? array($this->replyToAddress => $this->replyToName) : array($this->replyToAddress);
181 $this->mailMessage->setReplyTo($replyTo);
182 $this->mailMessage->getHeaders()->addTextHeader('Organization', $this->organisation);
183 if ($valueList['recipient_copy']) {
184 $this->mailMessage->setCc($this->parseAddresses($valueList['recipient_copy']));
185 }
186 $this->mailMessage->setCharset($this->characterSet);
187 // Ignore target encoding. This is handled automatically by Swift Mailer and overriding the defaults
188 // is not worth the trouble
189 // Log dirty header lines
190 if ($this->dirtyHeaders) {
191 Utility\GeneralUtility::sysLog('Possible misuse of DataSubmissionController: see TYPO3 devLog', 'Core', Utility\GeneralUtility::SYSLOG_SEVERITY_ERROR);
192 if ($GLOBALS['TYPO3_CONF_VARS']['SYS']['enable_DLOG']) {
193 Utility\GeneralUtility::devLog('DataSubmissionController: ' . Utility\GeneralUtility::arrayToLogString($this->dirtyHeaders, '', 200), 'Core', 3);
194 }
195 }
196 }
197 }
198
199 /**
200 * Checks string for suspicious characters
201 *
202 * @param string $string String to check
203 * @return string Valid or empty string
204 */
205 protected function sanitizeHeaderString($string) {
206 $pattern = '/[\\r\\n\\f\\e]/';
207 if (preg_match($pattern, $string) > 0) {
208 $this->dirtyHeaders[] = $string;
209 $string = '';
210 }
211 return $string;
212 }
213
214 /**
215 * Parses mailbox headers and turns them into an array.
216 *
217 * Mailbox headers are a comma separated list of 'name <email@example.org' combinations or plain email addresses (or a mix
218 * of these).
219 * The resulting array has key-value pairs where the key is either a number (no display name in the mailbox header) and the
220 * value is the email address, or the key is the email address and the value is the display name.
221 *
222 * @param string $rawAddresses Comma separated list of email addresses (optionally with display name)
223 * @return array Parsed list of addresses.
224 */
225 protected function parseAddresses($rawAddresses = '') {
226 /** @var $addressParser \TYPO3\CMS\Core\Mail\Rfc822AddressesParser */
227 $addressParser = Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\Mail\\Rfc822AddressesParser', $rawAddresses);
228 $addresses = $addressParser->parseAddressList();
229 $addressList = array();
230 foreach ($addresses as $address) {
231 if ($address->personal) {
232 // Item with name found ( name <email@example.org> )
233 $addressList[$address->mailbox . '@' . $address->host] = $address->personal;
234 } else {
235 // Item without name found ( email@example.org )
236 $addressList[] = $address->mailbox . '@' . $address->host;
237 }
238 }
239 return $addressList;
240 }
241
242 /**
243 * Sends the actual mail and handles autorespond message
244 *
245 * @return boolean
246 */
247 public function sendTheMail() {
248 // Sending the mail requires the recipient and message to be set.
249 if (!$this->mailMessage->getTo() || !trim($this->mailMessage->getBody())) {
250 return FALSE;
251 }
252 $this->mailMessage->send();
253 // Auto response
254 if ($this->autoRespondMessage) {
255 $theParts = explode('/', $this->autoRespondMessage, 2);
256 $theParts[0] = str_replace('###SUBJECT###', $this->subject, $theParts[0]);
257 $theParts[1] = str_replace(
258 array('/', '###MESSAGE###'),
259 array(LF, $this->plainContent),
260 $theParts[1]
261 );
262 /** @var $autoRespondMail \TYPO3\CMS\Core\Mail\MailMessage */
263 $autoRespondMail = Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\Mail\\MailMessage');
264 $autoRespondMail->setTo($this->fromAddress)->setSubject($theParts[0])->setFrom($this->recipient)->setBody($theParts[1]);
265 $autoRespondMail->send();
266 }
267 return $this->mailMessage->isSent();
268 }
269
270 /**
271 * Do some cleanup at the end (deleting attachment files)
272 */
273 public function __destruct() {
274 foreach ($this->temporaryFiles as $file) {
275 if (Utility\GeneralUtility::isAllowedAbsPath($file) && Utility\GeneralUtility::isFirstPartOfStr($file, PATH_site . 'typo3temp/upload_temp_')) {
276 Utility\GeneralUtility::unlink_tempfile($file);
277 }
278 }
279 }
280
281 }