[SECURITY] Untrusted GP data is unserialized in old CSH handling
[Packages/TYPO3.CMS.git] / typo3 / wizard_list.php
old mode 100755 (executable)
new mode 100644 (file)
index b746227..7a2dda5
@@ -1,22 +1,22 @@
 <?php
 /***************************************************************
 *  Copyright notice
-*  
-*  (c) 1999-2003 Kasper Skaarhoj (kasper@typo3.com)
+*
+*  (c) 1999-2011 Kasper Skårhøj (kasperYYYY@typo3.com)
 *  All rights reserved
 *
-*  This script is part of the TYPO3 project. The TYPO3 project is 
+*  This script is part of the TYPO3 project. The TYPO3 project is
 *  free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
-* 
+*
 *  The GNU General Public License can be found at
 *  http://www.gnu.org/copyleft/gpl.html.
-*  A copy is found in the textfile GPL.txt and important notices to the license 
+*  A copy is found in the textfile GPL.txt and important notices to the license
 *  from the author is found in LICENSE.txt distributed with these scripts.
 *
-* 
+*
 *  This script is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *
 *  This copyright notice MUST APPEAR in all copies of the script!
 ***************************************************************/
-/** 
- * Wizard to list records
- * 
- * @author     Kasper Skaarhoj <kasper@typo3.com>
- * @package TYPO3
- * @subpackage core
+
+/**
+ * Wizard to list records from a page id.
+ *
+ * Revised for TYPO3 3.6 November/2003 by Kasper Skårhøj
+ * XHTML compliant
  *
+ * @author Kasper Skårhøj <kasperYYYY@typo3.com>
  */
 
+$BACK_PATH = '';
+require('init.php');
+$LANG->includeLLFile('EXT:lang/locallang_wizards.xml');
 
-$BACK_PATH="";
-require ("init.php");
-require ("template.php");
-include ("sysext/lang/locallang_wizards.php");
+/**
+ * Script Class for redirecting the user to the Web > List module if a wizard-link has been clicked in TCEforms
+ *
+ * @author Kasper Skårhøj <kasperYYYY@typo3.com>
+ * @package TYPO3
+ * @subpackage core
+ */
+class SC_wizard_list {
 
+               // Internal, static:
+               // PID
+       var $pid;
 
-// ***************************
-// Script Classes
-// ***************************
-class SC_wizard_list {
+               // Internal, static: GPvars
+               // Wizard parameters, coming from TCEforms linking to the wizard.
        var $P;
-       var $pid;
+               // Table to show, if none, then all tables are listed in list module.
        var $table;
-       
-       function init() {
-               $this->P = t3lib_div::GPvar("P",1);
-       }
-       function main() {
-               global $BE_USER,$LANG,$BACK_PATH,$TCA_DESCR,$TCA,$HTTP_GET_VARS,$HTTP_POST_VARS,$CLIENT,$TYPO3_CONF_VARS;
-               
-               $this->table = t3lib_div::GPvar("table");
-
-               // Get this record
-               $origRow = t3lib_BEfunc::getRecord($this->P["table"],$this->P["uid"]);
-               
-               // Get TSconfig for it.
-               $TSconfig = t3lib_BEfunc::getTCEFORM_TSconfig($this->table,is_array($origRow)?$origRow:array("pid"=>$this->P["pid"]));
-               // Set [params][pid]
-               if (substr($this->P["params"]["pid"],0,3)=="###" && substr($this->P["params"]["pid"],-3)=="###")        {
-                       $this->pid = intval($TSconfig["_".substr($this->P["params"]["pid"],3,-3)]);
-               } else $this->pid = intval($this->P["params"]["pid"]);
-               
-               if (!strcmp($this->pid,"") || strcmp(t3lib_div::GPvar("id"),""))        {
-                       header("Location: ".t3lib_div::locationHeaderUrl($this->P["returnUrl"]));
-               } else {
-                       header("Location: ".t3lib_div::locationHeaderUrl("db_list.php?id=".$this->pid."&table=".$this->P["params"]["table"]."&returnUrl=".rawurlencode(t3lib_div::getIndpEnv("REQUEST_URI"))));
-               }
+               // Page id to list.
+       var $id;
+
+       /**
+        * Initialization of the class, setting GPvars.
+        *
+        * @return      void
+        */
+       function init() {
+               $this->P = t3lib_div::_GP('P');
+               $this->table = t3lib_div::_GP('table');
+               $this->id = t3lib_div::_GP('id');
        }
-}
-
-// Include extension?
-if (defined("TYPO3_MODE") && $TYPO3_CONF_VARS[TYPO3_MODE]["XCLASS"]["typo3/wizard_list.php"])  {
-       include_once($TYPO3_CONF_VARS[TYPO3_MODE]["XCLASS"]["typo3/wizard_list.php"]);
-}
-
-
-
-
-
-
 
+       /**
+        * Main function
+        * Will issue a location-header, redirecting either BACK or to a new alt_doc.php instance...
+        *
+        * @return void
+        */
+       function main() {
 
+                       // Get this record
+               $origRow = t3lib_BEfunc::getRecord($this->P['table'], $this->P['uid']);
 
+                       // Get TSconfig for it.
+               $TSconfig = t3lib_BEfunc::getTCEFORM_TSconfig($this->table, is_array($origRow)?$origRow:array('pid'=>$this->P['pid']));
 
+                       // Set [params][pid]
+               if (substr($this->P['params']['pid'], 0, 3) == '###' && substr($this->P['params']['pid'], -3) == '###') {
+                       $this->pid = intval($TSconfig['_'.substr($this->P['params']['pid'], 3, -3)]);
+               } else {
+                       $this->pid = intval($this->P['params']['pid']);
+               }
 
+                       // Make redirect:
+                       // If pid is blank OR if id is set, then return...
+               if (!strcmp($this->pid, '') || strcmp($this->id, '')) {
+                       $redirectUrl = t3lib_div::sanitizeLocalUrl($this->P['returnUrl']);
+               } else {        // Otherwise, show the list:
+                       $urlParameters = array();
+                       $urlParameters['id'] = $this->pid;
+                       $urlParameters['table'] = $this->P['params']['table'];
+                       $urlParameters['returnUrl'] = t3lib_div::getIndpEnv('REQUEST_URI');
+                       $redirectUrl = t3lib_BEfunc::getModuleUrl('web_list', $urlParameters);
+               }
+               t3lib_utility_Http::redirect($redirectUrl);
+       }
+}
 
-// Make instance:
-$SOBE = t3lib_div::makeInstance("SC_wizard_list");
+       // Make instance:
+$SOBE = t3lib_div::makeInstance('SC_wizard_list');
 $SOBE->init();
 $SOBE->main();
-$SOBE->printContent();
+
 ?>
\ No newline at end of file
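Review bot: The `!strcmp($this->pid, '')` test in main() can never be true, because `$this->pid` has just been assigned from intval() and so compares as at least `'0'`. A missing or non-numeric `P[params][pid]` therefore falls through to the web_list redirect with id 0 instead of returning, unless `id` is set. If a blank pid is meant to send the user back, test the raw request value before the cast, e.g. `$rawPid = isset($this->P['params']['pid']) ? $this->P['params']['pid'] : '';` and branch on `$rawPid === ''`. `P` comes straight from `_GP` in init() and is indexed as a nested array without an `is_array()` check, so a scalar `P` takes the same path. In the return branch it is also worth confirming what sanitizeLocalUrl() yields for a rejected `returnUrl`; if that is an empty string, the redirect should fall back to a fixed backend URL rather than passing the empty value on.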