[BUGFIX] SiteResolver middleware must not care for non int id parameters 37/58337/7
authorAnja <aleichsenring@ab-softlab.de>
Wed, 19 Sep 2018 12:50:56 +0000 (14:50 +0200)
committerSusanne Moog <susanne.moog@typo3.org>
Thu, 20 Sep 2018 07:33:31 +0000 (09:33 +0200)
The FileList module uses the 'id' parameter to pass the directory around,
which makes the parameter a string in this case.
The Site Resolver middleware now ignores a parameter named 'id'
whose value is not strictly an integer.

Change-Id: Ib780ed4e27b78e8f8594ab8b4a6c31f90737a715
Resolves: #86153
Releases: master
Reviewed-on: https://review.typo3.org/58337
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Tobi Kretschmann <tobi@tobishome.de>
Tested-by: Tobi Kretschmann <tobi@tobishome.de>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
typo3/sysext/backend/Classes/Middleware/SiteResolver.php
typo3/sysext/backend/Tests/Unit/Middleware/SiteResolverTest.php [new file with mode: 0644]

index 0a69484..328ccb5 100644 (file)
@@ -22,6 +22,7 @@ use Psr\Http\Server\RequestHandlerInterface;
 use TYPO3\CMS\Backend\Utility\BackendUtility;
 use TYPO3\CMS\Core\Routing\SiteMatcher;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\CMS\Core\Utility\MathUtility;
 
 /**
  * Usually called after the route object is resolved, however, this is not possible yet as this happens
@@ -43,16 +44,18 @@ class SiteResolver implements MiddlewareInterface
      */
     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
     {
-        $pageId = (int)($request->getQueryParams()['id'] ?? $request->getParsedBody()['id'] ?? 0);
-
-        $rootLine = null;
-        if ($pageId > 0) {
-            // Check if we have a _GET/_POST parameter for "id", then a site information can be resolved based.
-            $rootLine = BackendUtility::BEgetRootLine($pageId);
+        $pageId = ($request->getQueryParams()['id'] ?? $request->getParsedBody()['id'] ?? 0);
+        // Check if we have a numeric _GET/_POST parameter for "id", then a site information can be resolved based.
+        if (MathUtility::canBeInterpretedAsInteger($pageId)) {
+            $pageId = (int)$pageId;
+            $rootLine = null;
+            if ($pageId > 0) {
+                $rootLine = BackendUtility::BEgetRootLine($pageId);
+            }
+            $site = GeneralUtility::makeInstance(SiteMatcher::class)->matchByPageId($pageId, $rootLine);
+            $request = $request->withAttribute('site', $site);
+            $GLOBALS['TYPO3_REQUEST'] = $request;
         }
-        $site = GeneralUtility::makeInstance(SiteMatcher::class)->matchByPageId($pageId, $rootLine);
-        $request = $request->withAttribute('site', $site);
-        $GLOBALS['TYPO3_REQUEST'] = $request;
         return $handler->handle($request);
     }
 }
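Review bot: When `id` fails `MathUtility::canBeInterpretedAsInteger()`, the new `process()` body passes the request on with no `site` attribute and without refreshing `$GLOBALS['TYPO3_REQUEST']`, whereas the removed code always set both. Any later middleware or controller that dereferences `$request->getAttribute('site')` without a null check would now fail for FileList-style ids. No such consumer is visible in this hunk, so this is something to verify rather than a confirmed break. Because `id` is taken straight from the query string or body, the skip should at least be stated at the branch, e.g. `// Non-integer "id" (e.g. FileList "storage:/path"): request is passed on unchanged, no 'site' attribute is set.`. The same should go in the method docblock, which begins outside the hunk.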
diff --git a/typo3/sysext/backend/Tests/Unit/Middleware/SiteResolverTest.php b/typo3/sysext/backend/Tests/Unit/Middleware/SiteResolverTest.php
new file mode 100644 (file)
index 0000000..5aa5347
--- /dev/null
@@ -0,0 +1,56 @@
+<?php
+declare(strict_types = 1);
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+namespace TYPO3\CMS\Backend\Tests\Unit\Middleware;
+
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use TYPO3\CMS\Backend\Middleware\SiteResolver;
+use TYPO3\CMS\Core\Http\JsonResponse;
+use TYPO3\CMS\Core\Http\ServerRequest;
+use TYPO3\TestingFramework\Core\Unit\UnitTestCase;
+
+class SiteResolverTest extends UnitTestCase
+{
+
+    /**
+     * @test
+     */
+    public function RequestIsNotModifiedIfPageIdParameterIsNoInteger()
+    {
+        $incomingUrl = 'http://localhost:8080/typo3/index.php?route=/file/FilelistList/&token=d7d864db2b26c1d0f0537718b16890f336f4af2b&id=9831:/styleguide/';
+
+        $subject = new SiteResolver();
+
+        $incomingRequest = new ServerRequest($incomingUrl, 'GET');
+        $incomingRequest = $incomingRequest->withQueryParams(['id' => '9831:/styleguide/']);
+        $requestHandler = new class implements RequestHandlerInterface {
+            public $incomingRequest;
+            public function handle(ServerRequestInterface $request): ResponseInterface
+            {
+                return new JsonResponse([], $request === $this->incomingRequest ? 200 : 500);
+            }
+            public function setIncomingRequest(ServerRequestInterface $incomingRequest)
+            {
+                $this->incomingRequest = $incomingRequest;
+            }
+        };
+        $requestHandler->setIncomingRequest($incomingRequest);
+        $response = $subject->process($incomingRequest, $requestHandler);
+        $this->assertEquals(200, $response->getStatusCode());
+    }
+}
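Review bot: The test pins only the FileList string `'9831:/styleguide/'`, so the other shapes of `id` that the new guard must reject or accept are unverified. These include an array value (`id[]=1`, which the old `(int)` cast turned into 1), numeric-looking strings such as `'12abc'` or `'1.5'`, and an `id` arriving via the parsed body instead of the query. A data provider feeding these through the same identity check would lock the behaviour in, together with one case asserting that an integer id does receive a `site` attribute. That positive case likely needs `SiteMatcher` and the root-line lookup mocked, which this file does not set up yet. As a style point, the method name should start lowercase and declare its return type: `public function requestIsNotModifiedIfPageIdParameterIsNoInteger(): void`.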