* All rights reserved * * This script is part of the TYPO3 project. The TYPO3 project is * free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * The GNU General Public License can be found at * http://www.gnu.org/copyleft/gpl.html. * * This script is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * This copyright notice MUST APPEAR in all copies of the script! ***************************************************************/ /** * Class t3lib_formprotection_InstallToolFormProtection. * * This class provides protection against cross-site request forgery (XSRF/CSRF) * in the install tool. * * * How to use this in the install tool: * * For each form in the install tool (or link that changes some data), create a * token and insert is as a hidden form element. The name of the form element * does not matter; you only need it to get the form token for verifying it. * *
* $formToken = $this->formProtection->generateToken( * 'installToolPassword', 'change' * ); * // then puts the generated form token in a hidden field in the template ** * The three parameters $formName, $action and $formInstanceName can be * arbitrary strings, but they should make the form token as specific as * possible. For different forms (e.g. the password change and editing a the * configuration), those values should be different. * * At the end of the form, you need to persist the tokens. This makes sure that * generated tokens get saved, and also that removed tokens stay removed: * *
* $this->formProtection()->persistTokens(); ** * * When processing the data that has been submitted by the form, you can check * that the form token is valid like this: * *
* if ($dataHasBeenSubmitted && $this->formProtection()->validateToken( * (string) $_POST['formToken'], * 'installToolPassword', * 'change' * ) { * // processes the data * } else { * // no need to do anything here as the install tool form protection will * // create an error message for an invalid token * } ** * Note that validateToken invalidates the token with the token ID. So calling * validate with the same parameters two times in a row will always return FALSE * for the second call. * * It is important that the tokens get validated before the tokens are * persisted. This makes sure that the tokens that get invalidated by * validateToken cannot be used again. * * $Id$ * * @package TYPO3 * @subpackage t3lib * * @author Oliver Klee