[!!!][SECURITY] Deny direct FAL commands for form definitions 61/57561/2
author Susanne Moog <s.moog@neusta.de>
Thu, 12 Jul 2018 09:36:05 +0000 (11:36 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Thu, 12 Jul 2018 09:36:13 +0000 (11:36 +0200)
commit f3445f96442000eeafba95ed7c6fda66efccb8da
tree beaf7cfd24e6d1eaaab724415cf7e6d009aae276
parent b6a04a1278e5336eaf0faca3268dbcb843a0ba7a
[!!!][SECURITY] Deny direct FAL commands for form definitions

Before this change, form definitions have been persisted in regular
`.yaml` files. In order to make the meaning and purpose of those
files more explicit, the new file ending `.form.yaml` is introduced.

Invocations of the file abstraction layer API for those form files
have to be allowed explicitly by granting commands individually using
`FilePersistenceSlot::allowInvocation`.

New form definitions are created with the new file ending by default.
An upgrade wizard renames existing form definitions that are stored in
the corresponding storage folders (`allowedFileMounts`). In addition, references
in FlexForm of content elements are adjusted to the new file names as
well - in case a form definition has been referenced before.

The file list user interface disables the corresponding direct actions for
`.form.yaml` files or redirects those to the corresponding form module.

Using just `.yaml` instead of `.form.yaml` from site packages
is deprecated. Using just `.yaml` instead of `.form.yaml` from
file storages is not allowed anymore.

Resolves: #84910
Releases: master, 8.7
Security-Commit: 444f9dc4f1902871391bd1f139d19b46a63a162f
Security-Bulletin: TYPO3-CORE-SA-2018-003
Change-Id: I456c03f745e614729cdbf2915efc6b5e6d11fc0f
Reviewed-on: https://review.typo3.org/57561
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
21 files changed:
typo3/sysext/core/Classes/Resource/ResourceStorage.php
typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php
typo3/sysext/core/Documentation/Changelog/8.7.x/Important-84910-DenyDirectFALCommandsForFormDefinitions.rst [new file with mode: 0644]
typo3/sysext/form/Classes/Hooks/DataStructureIdentifierHook.php
typo3/sysext/form/Classes/Hooks/FileListEditIconsHook.php [new file with mode: 0644]
typo3/sysext/form/Classes/Hooks/FormFileExtensionUpdate.php [new file with mode: 0644]
typo3/sysext/form/Classes/Hooks/FormFileProvider.php [new file with mode: 0644]
typo3/sysext/form/Classes/Hooks/FormPagePreviewRenderer.php
typo3/sysext/form/Classes/Hooks/ImportExportHook.php [new file with mode: 0644]
typo3/sysext/form/Classes/Mvc/Configuration/YamlSource.php
typo3/sysext/form/Classes/Mvc/Persistence/FormPersistenceManager.php
typo3/sysext/form/Classes/Slot/FilePersistenceSlot.php [new file with mode: 0644]
typo3/sysext/form/Classes/Slot/FormDefinitionPersistenceException.php [new file with mode: 0644]
typo3/sysext/form/Resources/Private/Backend/Templates/FormManager/Index.html
typo3/sysext/form/Resources/Private/Language/Database.xlf
typo3/sysext/form/Tests/Unit/Hooks/DataStructureIdentifierHookTest.php
typo3/sysext/form/Tests/Unit/Mvc/Persistence/Fixtures/BlankForm.form.yaml [new file with mode: 0644]
typo3/sysext/form/Tests/Unit/Mvc/Persistence/Fixtures/BlankForm.yaml [deleted file]
typo3/sysext/form/Tests/Unit/Mvc/Persistence/FormPersistenceManagerTest.php
typo3/sysext/form/ext_localconf.php
typo3/sysext/impexp/Classes/Import.php
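
The commit message describes a deny-by-default rule: file commands on `.form.yaml` files fail unless trusted code has granted that command for that file beforehand. The following is an added, simplified model of that pattern, not code from this commit or from TYPO3; the class `FormFileCommandGate`, the method `assertAllowed`, the command names, the file identifiers and the one-grant-per-call behaviour are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Simplified model of a deny-by-default gate for form definition files.
// Class and method names are hypothetical, not TYPO3's implementation.
final class FormFileCommandGate
{
    private const PROTECTED_SUFFIX = '.form.yaml';

    /** @var array<string, array<string, int>> command => identifier => remaining grants */
    private array $grants = [];

    // Called by trusted code (the form module in this model) right before
    // it performs a file operation on a form definition.
    public function allowInvocation(string $command, string $identifier): void
    {
        $this->grants[$command][$identifier] = ($this->grants[$command][$identifier] ?? 0) + 1;
    }

    // Called before every file command; throws when a protected file is touched without a grant.
    public function assertAllowed(string $command, string $identifier): void
    {
        if (!$this->isFormDefinition($identifier)) {
            return; // other files are outside this gate's scope
        }
        if (($this->grants[$command][$identifier] ?? 0) < 1) {
            throw new RuntimeException("Direct '$command' on form definition '$identifier' denied");
        }
        $this->grants[$command][$identifier]--; // one grant covers one invocation (assumption)
    }

    private function isFormDefinition(string $identifier): bool
    {
        // Compare case-insensitively so "X.FORM.YAML" cannot slip past the check.
        return substr(strtolower($identifier), -strlen(self::PROTECTED_SUFFIX)) === self::PROTECTED_SUFFIX;
    }
}

// Constructed sample identifiers and command names.
$gate = new FormFileCommandGate();
$file = '1:/user_upload/contact.form.yaml';
$gate->assertAllowed('rename', '1:/user_upload/notes.txt'); // passes: not a form definition
try {
    $gate->assertAllowed('rename', $file);                  // file-list style call, no grant
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
$gate->allowInvocation('rename', $file);                    // form module grants one call
$gate->assertAllowed('rename', $file);                      // passes and consumes the grant
```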