Fixed issue #17153: Protect C(R)UD actions against CSRF (Thanks to Helmut Hummel)
authorErnesto Baschny <ernst@cron-it.de>
Thu, 20 Jan 2011 14:54:34 +0000 (14:54 +0000)
committerErnesto Baschny <ernst@cron-it.de>
Thu, 20 Jan 2011 14:54:34 +0000 (14:54 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@10161 709f56b5-9817-0410-a4d7-c38de5d9e867

30 files changed:
ChangeLog
t3lib/class.t3lib_befunc.php
t3lib/class.t3lib_clipboard.php
t3lib/class.t3lib_fullsearch.php
t3lib/class.t3lib_pagerenderer.php
t3lib/class.t3lib_positionmap.php
t3lib/class.t3lib_tceforms.php
t3lib/core_autoload.php
t3lib/extjs/class.t3lib_extjs_extdirectrouter.php
t3lib/formprotection/class.t3lib_formprotection_backendformprotection.php
t3lib/formprotection/class.t3lib_formprotection_invalidtokenexception.php [new file with mode: 0644]
typo3/alt_clickmenu.php
typo3/alt_doc.php
typo3/alt_menu.php
typo3/backend.php
typo3/class.alt_menu_functions.inc
typo3/classes/class.clearcachemenu.php
typo3/db_new.php
typo3/js/clearcachemenu.js
typo3/mod.php
typo3/move_el.php
typo3/sysext/cms/layout/db_layout.php
typo3/sysext/info/mod1/index.php
typo3/sysext/list/mod1/index.php
typo3/sysext/lowlevel/dbint/index.php
typo3/sysext/perm/mod1/index.php
typo3/sysext/taskcenter/task/index.php
typo3/tce_db.php
typo3/template.php
typo3/wizard_rte.php

index 8366141..18535cc 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,7 @@
 
 2011-01-20  Ernesto Baschny  <ernst@cron-it.de>
 
+       * Fixed issue #17153: Protect C(R)UD actions against CSRF (Thanks to Helmut Hummel)
        * Fixed bug #17163: CSH tooltips should be placed nearer to the text (Thanks to Stanislas Rolland)
        * Fixed issue #17109: Make the t3lib_utility_Mail hook subscriber optional / configureable
 
index c3ce707..ef59e8c 100644 (file)
@@ -3290,6 +3290,18 @@ final class t3lib_BEfunc {
                }
        }
 
+       /**
+        * Generates a token and returns a parameter for the URL
+        *
+        * @param string $formName Context of the token
+        * @param string $tokenName The name of the token GET variable
+        * @return string a URL GET variable including ampersand
+        */
+       public static function getUrlToken($formName = 'securityToken', $tokenName = 'formToken') {
+               $formprotection = t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection');
+               return '&' . $tokenName . '=' . $formprotection->generateToken($formName);
+       }
+
        /*******************************************
         *
         * Core
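Review bot: The token is spliced into the query string without URL-encoding at `return '&' . $tokenName . '=' . $formprotection->generateToken($formName);`; the output of generateToken() is not visible here, and a token (or a caller-supplied `$tokenName`) containing a reserved character would be truncated or mangled on the way back, so encode both parts: `return '&' . rawurlencode($tokenName) . '=' . rawurlencode($formprotection->generateToken($formName));`. The docblock should also carry the caveat a caller needs: a token placed in a GET URL ends up in browser history, server/proxy logs and the Referer header of any off-site resource the target page loads, and it is only stored if the calling script reaches its persistTokens() call, as the scripts in this commit do at their very end. I would add `* NOTE: the token travels in the URL (history, logs, Referer) - prefer t3lib_TCEforms::getHiddenTokenField() for POST forms; the caller must call persistTokens() before the response is sent.`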
index d177e64..9982816 100644 (file)
@@ -636,7 +636,8 @@ class t3lib_clipboard {
                                '&vC=' . $GLOBALS['BE_USER']->veriCode() .
                                '&prErr=1&uPT=1' .
                                '&CB[paste]=' . rawurlencode($table . '|' . $uid) .
-                               '&CB[pad]=' . $this->current;
+                               '&CB[pad]=' . $this->current .
+                               t3lib_BEfunc::getUrlToken('tceAction');
                return $rU;
        }
 
@@ -653,7 +654,8 @@ class t3lib_clipboard {
                                '&vC=' . $GLOBALS['BE_USER']->veriCode() .
                                '&prErr=1&uPT=1' .
                                '&CB[delete]=1' .
-                               '&CB[pad]=' . $this->current;
+                               '&CB[pad]=' . $this->current .
+                               t3lib_BEfunc::getUrlToken('tceAction');
                return $rU;
        }
 
index 9099270..4755aa9 100644 (file)
@@ -658,9 +658,22 @@ class t3lib_fullsearch {
                        $out .= '<a href="#" onClick="top.launchView(\'' . $table . '\',' . $row['uid'] . ',\'' . $GLOBALS['BACK_PATH'] . '\');return false;">' . t3lib_iconWorks::getSpriteIcon('status-dialog-information') . '</a>';
                        $out .= '<a href="#" onClick="' . t3lib_BEfunc::editOnClick($params, $GLOBALS['BACK_PATH'], t3lib_div::getIndpEnv('REQUEST_URI') . t3lib_div::implodeArrayForUrl('SET', (array) t3lib_div::_POST('SET'))) . '">' . t3lib_iconWorks::getSpriteIcon('actions-document-open') . '</a>';
                } else {
-                       $out .= '<a href="' . t3lib_div::linkThisUrl($GLOBALS['BACK_PATH'] . 'tce_db.php', array('cmd[' . $table . '][' . $row['uid'] . '][undelete]' => '1', 'redirect' => t3lib_div::linkThisScript(array()))) . '">';
+                       $out .= '<a href="' . t3lib_div::linkThisUrl($GLOBALS['BACK_PATH'] . 'tce_db.php',
+                                       array(
+                                               'cmd[' . $table . '][' . $row['uid'] . '][undelete]' => '1',
+                                               'redirect' => t3lib_div::linkThisScript(array()))) . t3lib_BEfunc::getUrlToken('tceAction') . '">';
                        $out .= t3lib_iconWorks::getSpriteIcon('actions-edit-restore', array('title' => 'undelete only')) . '</a>';
-                       $out .= '<a href="' . t3lib_div::linkThisUrl($GLOBALS['BACK_PATH'] . 'tce_db.php', array('cmd[' . $table . '][' . $row['uid'] . '][undelete]' => '1', 'redirect' => t3lib_div::linkThisUrl('alt_doc.php', array('edit[' . $table . '][' . $row['uid'] . ']' => 'edit', 'returnUrl' => t3lib_div::linkThisScript(array()))))) . '">';
+                       $out .= '<a href="' . t3lib_div::linkThisUrl($GLOBALS['BACK_PATH'] . 'tce_db.php',
+                                       array(
+                                               'cmd[' . $table . '][' . $row['uid'] . '][undelete]' => '1',
+                                               'redirect' => t3lib_div::linkThisUrl('alt_doc.php',
+                                                       array(
+                                                               'edit[' . $table . '][' . $row['uid'] . ']' => 'edit',
+                                                               'returnUrl' => t3lib_div::linkThisScript(array())
+                                                       )
+                                               )
+                                       )
+                               ) . t3lib_BEfunc::getUrlToken('tceAction') . '">';
                        $out .= t3lib_iconWorks::getSpriteIcon('actions-edit-restore-edit', array('title' => 'undelete and edit')) . '</a>';
                }
                $_params = array($table => $row);
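Review bot: Both undelete links mint their own token (the two lines ending in `. t3lib_BEfunc::getUrlToken('tceAction') . '">'`), so if generateToken() returns a fresh value on every call, each deleted row in a search result adds two entries to whatever persistTokens() writes to the session; whether that store is bounded cannot be seen from here. The two links are alternatives for the same action and cannot both be followed, so one token per row is enough: `$undeleteToken = t3lib_BEfunc::getUrlToken('tceAction');` before the first anchor, then append `$undeleteToken` to both hrefs. Validation of the `tceAction` context presumably happens in tce_db.php, which is in the file list but outside this view; the enclosing method starts before the hunk.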
index d6312c8..612120f 100644 (file)
@@ -945,12 +945,26 @@ class t3lib_PageRenderer implements t3lib_Singleton {
         * @return void
         */
        public function addExtDirectCode() {
+               $formprotection = t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection');
+               $token = $formprotection->generateToken('extDirect');
+               $formprotection->persistTokens();
+
                        // Note: we need to iterate thru the object, because the addProvider method
                        // does this only with multiple arguments
-               $this->addExtOnReadyCode(
-                       'for (var api in Ext.app.ExtDirectAPI) {
-                               Ext.Direct.addProvider(Ext.app.ExtDirectAPI[api]);
-                       }
+               $this->addExtOnReadyCode('
+                       (function() {
+                               var token = "' . $token . '";
+                               for (var api in Ext.app.ExtDirectAPI) {
+                                       var provider = Ext.Direct.addProvider(Ext.app.ExtDirectAPI[api]);
+                                       provider.on("beforecall", function(provider, transaction, meta) {
+                                               if (transaction.data) {
+                                                       transaction.data[transaction.data.length] = token;
+                                               } else {
+                                                       transaction.data = [token];
+                                               }
+                                       });
+                               }
+                       })();
 
                        var extDirectDebug = function(message, header, group) {
                                var TYPO3ViewportInstance = null;
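Review bot: The token is written into the inline script as a raw string at `var token = "' . $token . '";`; nothing here guarantees generateToken() only yields characters that are safe inside a JS double-quoted literal, so emit it through the JSON encoder instead, `var token = ' . json_encode($token) . ';`, which keeps it a string literal whatever it contains. A second concern is lifetime: one token is minted per page load and the beforecall hook appends it to every ExtDirect call, so if validateToken() consumes a token on use, which the "replace used token with new one" logic added to clearcachemenu.js suggests, only the first ExtDirect call after a page load would pass unless the router hands a fresh token back in each response; that cannot be confirmed from the hunk and deserves a comment either way, e.g. `// the extDirect token is reused for every call of this page load - must not be a one-time token`. Minor: `transaction.data.push(token);` reads better than the index assignment.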
index f2d83c6..c3b7225 100644 (file)
@@ -496,9 +496,9 @@ class t3lib_positionMap {
        function onClickInsertRecord($row, $vv, $moveUid, $pid, $sys_lang = 0) {
                $table = 'tt_content';
                if (is_array($row)) {
-                       $location = 'tce_db.php?cmd[' . $table . '][' . $moveUid . '][' . $this->moveOrCopy . ']=-' . $row['uid'] . '&prErr=1&uPT=1&vC=' . $GLOBALS['BE_USER']->veriCode();
+                       $location = 'tce_db.php?cmd[' . $table . '][' . $moveUid . '][' . $this->moveOrCopy . ']=-' . $row['uid'] . '&prErr=1&uPT=1&vC=' . $GLOBALS['BE_USER']->veriCode() . t3lib_BEfunc::getUrlToken('tceAction');
                } else {
-                       $location = 'tce_db.php?cmd[' . $table . '][' . $moveUid . '][' . $this->moveOrCopy . ']=' . $pid . '&data[' . $table . '][' . $moveUid . '][colPos]=' . $vv . '&prErr=1&vC=' . $GLOBALS['BE_USER']->veriCode();
+                       $location = 'tce_db.php?cmd[' . $table . '][' . $moveUid . '][' . $this->moveOrCopy . ']=' . $pid . '&data[' . $table . '][' . $moveUid . '][colPos]=' . $vv . '&prErr=1&vC=' . $GLOBALS['BE_USER']->veriCode() . t3lib_BEfunc::getUrlToken('tceAction');
                }
                        //              $location.='&redirect='.rawurlencode($this->R_URI);             // returns to prev. page
                $location .= '&uPT=1&redirect=' . rawurlencode(t3lib_div::getIndpEnv('REQUEST_URI')); // This redraws screen
index a37ff16..bdc9655 100644 (file)
@@ -4977,6 +4977,18 @@ class t3lib_TCEforms {
        }
 
        /**
+        * Generates a token and returns an input field with it
+        *
+        * @param string $formName Context of the token
+        * @param string $tokenName The name of the token GET/POST variable
+        * @return string a complete input field
+        */
+       public static function getHiddenTokenField($formName = 'securityToken', $tokenName = 'formToken') {
+               $formprotection = t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection');
+               return '<input type="hidden" name="' .$tokenName . '" value="' . $formprotection->generateToken($formName) . '" />';
+       }
+
+       /**
         * This replaces markers in the total wrap
         *
         * @param       array           An array of template parts containing some markers.
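Review bot: Both attribute values are written into the markup raw at `'<input type="hidden" name="' .$tokenName . '" value="' . $formprotection->generateToken($formName) . '" />'`; `$tokenName` is caller-controlled and the token format is not visible here, so escape both: `return '<input type="hidden" name="' . htmlspecialchars($tokenName) . '" value="' . htmlspecialchars($formprotection->generateToken($formName)) . '" />';`. The docblock should state that the token is only valid once the caller's script has run persistTokens() (alt_doc.php does so at its end) and that the form must be validated with the same `$formName`; a line such as `* The token is only known to the server after persistTokens() has run in the same request.` covers it.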
index af00fed..cd1686d 100644 (file)
@@ -126,6 +126,7 @@ $t3libClasses = array(
        't3lib_formprotection_abstract' => PATH_t3lib . 'formprotection/class.t3lib_formprotection_abstract.php',
        't3lib_formprotection_backendformprotection' => PATH_t3lib . 'formprotection/class.t3lib_formprotection_backendformprotection.php',
        't3lib_formprotection_installtoolformprotection' => PATH_t3lib . 'formprotection/class.t3lib_formprotection_installtoolformprotection.php',
+       't3lib_formprotection_invalidtokenexception' => PATH_t3lib . 'formprotection/class.t3lib_formprotection_invalidtokenexception.php',
        't3lib_localrecordlistgettablehook' => PATH_t3lib . 'interfaces/interface.t3lib_localrecordlistgettablehook.php',
        't3lib_mail_maileradapter' => PATH_t3lib . 'interfaces/interface.t3lib_mail_maileradapter.php',
        't3lib_pageselect_getpagehook' => PATH_t3lib . 'interfaces/interface.t3lib_pageselect_getpagehook.php',
index 2a84543..2a66702 100644 (file)
@@ -74,6 +74,8 @@ class t3lib_extjs_ExtDirectRouter {
                        $request = array($request);
                }
 
+               $validToken = FALSE;
+               $firstCall = TRUE;
                foreach ($request as $index => $singleRequest) {
                        $response[$index] = array(
                                'tid' => $singleRequest->tid,
@@ -81,7 +83,18 @@ class t3lib_extjs_ExtDirectRouter {
                                'method' => $singleRequest->method
                        );
 
+                       $token = array_pop($singleRequest->data);
+                       if ($firstCall) {
+                               $firstCall = FALSE;
+                               $formprotection = t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection');
+                               $validToken = $formprotection->validateToken($token, 'extDirect');
+                       }
+
                        try {
+                               if (!$validToken) {
+                                       throw new t3lib_formprotection_InvalidTokenException('ExtDirect: Invalid Security Token!');
+                               }
+
                                $response[$index]['type'] = 'rpc';
                                $response[$index]['result'] = $this->processRpc($singleRequest, $namespace);
                                $response[$index]['debug'] = $GLOBALS['error']->toString();
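Review bot: `$token = array_pop($singleRequest->data);` assumes every call carries an array `data`; the token is only appended by the beforecall hook added in t3lib_pagerenderer, so a hand-crafted or older client can send `data` as null or a scalar, which makes array_pop() raise a PHP warning and validate NULL. Guard it: `$token = is_array($singleRequest->data) ? array_pop($singleRequest->data) : NULL;`. Popping from every call but validating only the first one's token is fine as long as the client attaches the same token to all calls of a batch, and the `else` branch in the JS (`transaction.data = [token]`) guarantees that; a comment saying so would stop the next reader from "fixing" it. The exception is thrown inside a try whose catch lies outside the hunk, so confirm it is turned into an ExtDirect `exception` response rather than escaping to the global handler; core exceptions also conventionally carry a unique integer code as the second constructor argument, which this throw omits.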
index 9c977bf..3f5dc4d 100644 (file)
@@ -142,7 +142,8 @@ class t3lib_formprotection_BackendFormProtection extends t3lib_formprotection_Ab
                                'LLL:EXT:lang/locallang_core.xml:error.formProtection.tokenInvalid'
                        ),
                        '',
-                       t3lib_FlashMessage::ERROR
+                       t3lib_FlashMessage::ERROR,
+                       TRUE
                );
                t3lib_FlashMessageQueue::addMessage($message);
        }
diff --git a/t3lib/formprotection/class.t3lib_formprotection_invalidtokenexception.php b/t3lib/formprotection/class.t3lib_formprotection_invalidtokenexception.php
new file mode 100644 (file)
index 0000000..5451160
--- /dev/null
@@ -0,0 +1,44 @@
+<?php
+/***************************************************************
+ *  Copyright notice
+ *
+ *  (c) 2011 Helmut Hummel <helmut.hummel@typo3.org>
+ *  All rights reserved
+ *
+ *  This script is part of the TYPO3 project. The TYPO3 project is
+ *  free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  The GNU General Public License can be found at
+ *  http://www.gnu.org/copyleft/gpl.html.
+ *
+ *  This script is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  This copyright notice MUST APPEAR in all copies of the script!
+ ***************************************************************/
+
+
+/**
+ * Invalid token exception
+ *
+ *
+ * @package TYPO3
+ * @subpackage t3lib_formprotection
+ * @api
+ * @version $Id$
+ */
+class t3lib_formprotection_InvalidTokenException extends UnexpectedValueException {
+
+}
+
+
+if (defined('TYPO3_MODE') && isset($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['t3lib/formprotection/class.t3lib_formprotection_invalidtokenexception.php'])) {
+       include_once($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['t3lib/formprotection/class.t3lib_formprotection_invalidtokenexception.php']);
+}
+
+?>
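Review bot: The class docblock says only "Invalid token exception"; since this type is what the ExtDirect router throws and what a caller would catch, state the contract: `Thrown when a backend request carries no valid CSRF token for the action it targets; catchers must refuse the action and report it, never retry it.` Extending `UnexpectedValueException`, a `LogicException` subtype, presumably mirrors existing core practice, but a missing or wrong token is a runtime property of the request rather than a programming error, so `RuntimeException` may be the more accurate parent; changing it affects existing catch blocks, so it is a hedged suggestion only. The XCLASS include and trailing `?>` follow the surrounding core files.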
index f40272e..2becac0 100644 (file)
@@ -753,7 +753,7 @@ class clickMenu {
                        $conf = '1==1';
                }
                $editOnClick = 'if(' . $loc . " && " . $conf . " ){" . $loc . ".location.href=top.TS.PATH_typo3+'tce_db.php?redirect='+top.rawurlencode(" . $this->frameLocation($loc . '.document') . ")+'".
-                       "&cmd[".$table.']['.$uid.'][delete]=1&prErr=1&vC='.$GLOBALS['BE_USER']->veriCode()."';}hideCM();top.nav.refresh();";
+                       "&cmd[" . $table . '][' . $uid . '][delete]=1&prErr=1&vC=' . $GLOBALS['BE_USER']->veriCode() . t3lib_BEfunc::getUrlToken('tceAction') . "';}hideCM();top.nav.refresh();";
 
                return $this->linkItem(
                        $this->label('delete'),
@@ -823,7 +823,7 @@ class clickMenu {
                $loc = 'top.content.list_frame';
                $editOnClick = 'if(' . $loc . '){' . $loc . ".location.href=top.TS.PATH_typo3+'tce_db.php?redirect='+top.rawurlencode(" . $this->frameLocation($loc . '.document') . ")+'" .
                        "&data[" . $table . '][' . $uid . '][' . $flagField . ']=' .
-                ($rec[$flagField] ? 0 : 1) .'&prErr=1&vC=' . $GLOBALS['BE_USER']->veriCode()."';}hideCM();top.nav.refresh();";
+                ($rec[$flagField] ? 0 : 1) . '&prErr=1&vC=' . $GLOBALS['BE_USER']->veriCode() . t3lib_BEfunc::getUrlToken('tceAction') . "';}hideCM();top.nav.refresh();";
 
                return $this->linkItem(
                        $title,
@@ -1140,7 +1140,7 @@ class clickMenu {
                $editOnClick='';
                $loc = 'top.content.list_frame';
                $editOnClick = 'if(' . $loc . '){' . $loc . '.document.location=top.TS.PATH_typo3+"tce_db.php?redirect="+top.rawurlencode(' . $this->frameLocation($loc . '.document') . ')+"' .
-                       '&cmd[pages]['.$srcUid.']['.$action.']='.$negativeSign.$dstUid.'&prErr=1&vC='.$GLOBALS['BE_USER']->veriCode().'";}hideCM();top.nav.refresh();';
+                       '&cmd[pages][' . $srcUid . '][' . $action . ']=' . $negativeSign . $dstUid . '&prErr=1&vC=' . $GLOBALS['BE_USER']->veriCode() . t3lib_BEfunc::getUrlToken('tceAction') . '";}hideCM();top.nav.refresh();';
 
                return $this->linkItem(
                        $this->label($action.'Page_'.$into),
@@ -1784,5 +1784,5 @@ foreach($SOBE->include_once as $INC_FILE) include_once($INC_FILE);
 
 $SOBE->main();
 $SOBE->printContent();
-
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
 ?>
index b728ed8..60bded7 100644 (file)
@@ -483,7 +483,7 @@ class SC_alt_doc {
                                if (
                                        '.($GLOBALS['BE_USER']->jsConfirmation(4)?'confirm('.$LANG->JScharCode($LANG->getLL('deleteWarning')).')':'1==1').'
                                )       {
-                                       window.location.href = "tce_db.php?cmd["+table+"]["+id+"][delete]=1&redirect="+escape(url)+"&vC='.$BE_USER->veriCode().'&prErr=1&uPT=1";
+                                       window.location.href = "tce_db.php?cmd["+table+"]["+id+"][delete]=1' . t3lib_BEfunc::getUrlToken('tceAction') . '&redirect="+escape(url)+"&vC=' . $BE_USER->veriCode() . '&prErr=1&uPT=1";
                                }
                                return false;
                        }
@@ -969,7 +969,7 @@ class SC_alt_doc {
                        <input type="hidden" name="closeDoc" value="0" />
                        <input type="hidden" name="doSave" value="0" />
                        <input type="hidden" name="_serialNumber" value="'.md5(microtime()).'" />
-                       <input type="hidden" name="_scrollPosition" value="" />';
+                       <input type="hidden" name="_scrollPosition" value="" />' . t3lib_TCEforms::getHiddenTokenField('editRecord');
 
                return $formContent;
        }
@@ -986,7 +986,7 @@ class SC_alt_doc {
                        // Show palettes:
                        return '
                                <!-- Function menu (checkbox for showing all palettes): -->
-                               <br />'.t3lib_BEfunc::getFuncCheck('','SET[showPalettes]',$this->MOD_SETTINGS['showPalettes'],'alt_doc.php',t3lib_div::implodeArrayForUrl('',array_merge($this->R_URL_getvars,array('SET'=>''))),'id="checkShowPalettes"').'<label for="checkShowPalettes">'.$LANG->sL('LLL:EXT:lang/locallang_core.php:labels.showPalettes',1).'</label>';
+                               <br />'.t3lib_BEfunc::getFuncCheck('','SET[showPalettes]',$this->MOD_SETTINGS['showPalettes'],'alt_doc.php',t3lib_div::implodeArrayForUrl('',array_merge($this->R_URL_getvars,array('SET'=>''))) . t3lib_BEfunc::getUrlToken('editRecord'),'id="checkShowPalettes"').'<label for="checkShowPalettes">'.$LANG->sL('LLL:EXT:lang/locallang_core.php:labels.showPalettes',1).'</label>';
                }
                else {
                        return '';
@@ -1137,14 +1137,14 @@ class SC_alt_doc {
                                                        if($newTranslation) {
                                                                $href = $this->doc->issueCommand(
                                                                        '&cmd['.$table.']['.$rowsByLang[0]['uid'].'][localize]='.$lang['uid'],
-                                                                       $this->backPath.'alt_doc.php?justLocalized='.rawurlencode($table.':'.$rowsByLang[0]['uid'].':'.$lang['uid']).'&returnUrl='.rawurlencode($this->retUrl)
+                                                                       $this->backPath.'alt_doc.php?justLocalized='.rawurlencode($table.':'.$rowsByLang[0]['uid'].':'.$lang['uid']).'&returnUrl='.rawurlencode($this->retUrl) . t3lib_BEfunc::getUrlToken('editRecord')
                                                                );
 
                                                                // create edit url
                                                        } else {
                                                                $href = $this->backPath.'alt_doc.php?';
                                                                $href .= '&edit['.$table.']['.$rowsByLang[$lang['uid']]['uid'].']=edit';
-                                                               $href .= '&returnUrl='.rawurlencode($this->retUrl);
+                                                               $href .= '&returnUrl='.rawurlencode($this->retUrl) . t3lib_BEfunc::getUrlToken('editRecord');
                                                        }
 
                                                        $langSelItems[$lang['uid']]='
@@ -1191,7 +1191,7 @@ class SC_alt_doc {
                                        // Create parameters and finally run the classic page module for creating a new page translation
                                $params = '&edit['.$table.']['.$localizedRecord['uid'].']=edit';
                                $returnUrl = '&returnUrl='.rawurlencode(t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl')));
-                               $location = $GLOBALS['BACK_PATH'].'alt_doc.php?'.$params.$returnUrl;
+                               $location = $GLOBALS['BACK_PATH'].'alt_doc.php?'.$params.$returnUrl . t3lib_BEfunc::getUrlToken('editRecord');
 
                                t3lib_utility_Http::redirect($location);
                        }
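Review bot: The `editRecord` token minted at `$location = $GLOBALS['BACK_PATH'].'alt_doc.php?'.$params.$returnUrl . t3lib_BEfunc::getUrlToken('editRecord');` is never persisted before `t3lib_utility_Http::redirect($location);`; if redirect() terminates the script, as HTTP redirect helpers usually do, the persistTokens() call at the bottom of this file is not reached and the redirected request arrives with a token the server has never stored. Persist explicitly before redirecting: `t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();` on the line before the redirect. The enclosing method starts before the hunk.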
@@ -1209,7 +1209,7 @@ class SC_alt_doc {
                global $LANG;
 
                $modSharedTSconfig = t3lib_BEfunc::getModTSconfig($id, 'mod.SHARED');
-               
+
                        // fallback non sprite-configuration
                if (preg_match('/\.gif$/', $modSharedTSconfig['properties']['defaultLanguageFlag'])) {
                        $modSharedTSconfig['properties']['defaultLanguageFlag'] = str_replace('.gif', '', $modSharedTSconfig['properties']['defaultLanguageFlag']);
@@ -1490,14 +1490,19 @@ $SOBE = t3lib_div::makeInstance('SC_alt_doc');
 
 // Preprocessing, storing data if submitted to
 $SOBE->preInit();
+
+$formprotection = t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection');
+
 if ($SOBE->doProcessData())    {               // Checks, if a save button has been clicked (or the doSave variable is sent)
-       $SOBE->processData();
+       if ($formprotection->validateToken(t3lib_div::_GP('formToken'), 'editRecord')) {
+               $SOBE->processData();
+       }
 }
 
-
 // Main:
 $SOBE->init();
 $SOBE->main();
 $SOBE->printContent();
+$formprotection->persistTokens();
 
 ?>
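Review bot: `t3lib_div::_GP('formToken')` accepts the save token from the query string as well as the POST body, while the token for this form is emitted as a hidden POST field by getHiddenTokenField('editRecord'); the same context is also handed out in GET edit links elsewhere in this file, so reading it via `t3lib_div::_POST('formToken')` would stop a token that leaked from one of those URLs (Referer, logs) from driving a save, unless doProcessData() is legitimately triggered by GET, which is not visible here. When validation fails the submitted data is silently discarded and the script continues into init()/main(); only the flash message queued by the validator (see the backendformprotection hunk) tells the user, so mark the skip: `// invalid token: submitted data is discarded, the validator has queued an error flash message`.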
index 6ea459a..eef395b 100644 (file)
@@ -224,5 +224,6 @@ $SOBE = t3lib_div::makeInstance('SC_alt_menu');
 $SOBE->init();
 $SOBE->main();
 $SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
 
 ?>
index 44e47a2..7b490e3 100644 (file)
@@ -38,7 +38,6 @@ require('classes/class.clearcachemenu.php');
 require('classes/class.shortcutmenu.php');
 require('classes/class.livesearch.php');
 
-require_once('class.alt_menu_functions.inc');
 $GLOBALS['LANG']->includeLLFile('EXT:lang/locallang_misc.xml');
 
 
index 9b9f4ed..f426ec7 100644 (file)
@@ -599,7 +599,11 @@ class alt_menu_functions {
                        $functions[]=array(
                                'id' => 'temp_CACHED',
                                'title' => $title,
-                               'href' => $backPath.'tce_db.php?vC='.$BE_USER->veriCode().'&redirect='.rawurlencode(t3lib_div::getIndpEnv('TYPO3_REQUEST_SCRIPT')).'&cacheCmd=temp_CACHED',
+                               'href' => $backPath .
+                                               'tce_db.php?vC=' . $BE_USER->veriCode() .
+                                               '&redirect=' . rawurlencode(t3lib_div::getIndpEnv('TYPO3_REQUEST_SCRIPT')) .
+                                               '&cacheCmd=temp_CACHED' .
+                                               t3lib_BEfunc::getUrlToken('tceAction'),
                                'icon' => '<img'.t3lib_iconWorks::skinImg($backPath,'gfx/clear_cache_files_in_typo3c.gif','width="21" height="18"').' title="'.htmlspecialchars($title).'" alt="" />'
                        );
                }
@@ -609,7 +613,10 @@ class alt_menu_functions {
                $functions[]=array(
                        'id' => 'all',
                        'title' => $title,
-                       'href' => $backPath.'tce_db.php?vC='.$BE_USER->veriCode().'&redirect='.rawurlencode(t3lib_div::getIndpEnv('TYPO3_REQUEST_SCRIPT')).'&cacheCmd=all',
+                       'href' => $backPath . 'tce_db.php?vC=' . $BE_USER->veriCode() .
+                                       '&redirect=' . rawurlencode(t3lib_div::getIndpEnv('TYPO3_REQUEST_SCRIPT')) .
+                                       '&cacheCmd=all' .
+                                       t3lib_BEfunc::getUrlToken('tceAction'),
                        'icon' => '<img'.t3lib_iconWorks::skinImg($backPath,'gfx/clear_all_cache.gif','width="21" height="18"').' title="'.htmlspecialchars($title).'" alt="" />'
                );
 
index 3f59fb9..1c70490 100644 (file)
@@ -63,7 +63,11 @@ class ClearCacheMenu implements backend_toolbarItem {
                        $this->cacheActions[] = array(
                                'id'    => 'all',
                                'title' => $title,
-                               'href'  => $this->backPath.'tce_db.php?vC='.$GLOBALS['BE_USER']->veriCode().'&cacheCmd=all',
+                               'href'  => $this->backPath .
+                                               'tce_db.php?vC=' .
+                                               $GLOBALS['BE_USER']->veriCode() .
+                                               '&cacheCmd=all&ajaxCall=1' .
+                                               t3lib_BEfunc::getUrlToken('tceAction'),
                                'icon'  => t3lib_iconWorks::getSpriteIcon('actions-system-cache-clear-impact-high')
                        );
                }
@@ -74,7 +78,11 @@ class ClearCacheMenu implements backend_toolbarItem {
                        $this->cacheActions[] = array(
                                'id'    => 'pages',
                                'title' => $title,
-                               'href'  => $this->backPath.'tce_db.php?vC='.$GLOBALS['BE_USER']->veriCode().'&cacheCmd=pages',
+                               'href'  => $this->backPath .
+                                               'tce_db.php?vC=' .
+                                               $GLOBALS['BE_USER']->veriCode() .
+                                               '&cacheCmd=pages&ajaxCall=1' .
+                                               t3lib_BEfunc::getUrlToken('tceAction'),
                                'icon'  => t3lib_iconWorks::getSpriteIcon('actions-system-cache-clear-impact-medium')
                        );
                }
@@ -85,7 +93,11 @@ class ClearCacheMenu implements backend_toolbarItem {
                        $this->cacheActions[] = array(
                                'id'    => 'temp_CACHED',
                                'title' => $title,
-                               'href'  => $this->backPath.'tce_db.php?vC='.$GLOBALS['BE_USER']->veriCode().'&cacheCmd=temp_CACHED',
+                               'href'  => $this->backPath .
+                                               'tce_db.php?vC=' .
+                                               $GLOBALS['BE_USER']->veriCode() .
+                                               '&cacheCmd=temp_CACHED&ajaxCall=1' .
+                                               t3lib_BEfunc::getUrlToken('tceAction'),
                                'icon'  => t3lib_iconWorks::getSpriteIcon('actions-system-cache-clear-impact-low')
                        );
                }
@@ -103,6 +115,7 @@ class ClearCacheMenu implements backend_toolbarItem {
                        }
                }
 
+               t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
        }
 
        /**
@@ -176,4 +189,4 @@ if(defined('TYPO3_MODE') && $GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['t
        include_once($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['typo3/classes/class.clearcachemenu.php']);
 }
 
-?>
\ No newline at end of file
+?>
index 95370f5..b932309 100644 (file)
@@ -733,5 +733,6 @@ $SOBE = t3lib_div::makeInstance('SC_db_new');
 $SOBE->init();
 $SOBE->main();
 $SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
 
 ?>
index 5a0410c..8a71b08 100644 (file)
@@ -120,16 +120,20 @@ var ClearCacheMenu = Class.create({
                var oldIcon = toolbarItemIcon.replace(spinner);
 
                if (clickedElement.tagName === 'SPAN') {
-                       url =  clickedElement.up('a').href;
+                       link =  clickedElement.up('a');
                } else {
-                       url =  clickedElement.href;
+                       link =  clickedElement;
                }
 
-               if (url) {
-                       var call = new Ajax.Request(url, {
+               if (link.href) {
+                       var call = new Ajax.Request(link.href, {
                                'method': 'get',
-                               'onComplete': function() {
+                               'onComplete': function(result) {
                                        spinner.replace(oldIcon);
+                                               // replace used token with new one
+                                       if (result.responseText.length > 0) {
+                                               link.href = link.href.substr(0, link.href.length - result.responseText.length) + result.responseText
+                                       }
                                }.bind(this)
                        });
                }
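Review bot: `link` is assigned without `var` in both branches and therefore becomes an implicit global; declare it at the top of the handler with `var link;`. The token refresh `link.href = link.href.substr(0, link.href.length - result.responseText.length) + result.responseText` overwrites the tail of the URL with whatever came back, so a non-token response (a PHP notice, an HTML error page, a login redirect) corrupts the href and every later click fails; check the status, require the body to look like a token, and replace the parameter by name instead of by length: `if (result.status === 200 && /^[A-Za-z0-9]+$/.test(result.responseText)) {` `link.href = link.href.replace(/([?&]formToken=)[^&]*/, '$1' + result.responseText);` `}`. The `formToken` name comes from getUrlToken()'s default parameter; the exact token alphabet generateToken() uses is not visible here, so adjust the pattern to it.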
index 871206e..6dc5c21 100644 (file)
@@ -65,4 +65,7 @@ if ($temp_path = $TBE_MODULES['_PATHS'][$temp_M]) {
 if ($isDispatched === FALSE) {
        die('Value "' . htmlspecialchars($temp_M) . '" for "M" was not found as a module');
 }
+
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
+
 ?>
\ No newline at end of file
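Review bot: persistTokens() only runs when the dispatched module script returns normally; a module that exits early (an HTTP redirect such as the localization redirect in alt_doc.php in this same commit, or any `die()`) never reaches it and loses the tokens it minted, so a tokened link it just emitted fails validation on the next request. The `die()` above is harmless because no token was generated by then, but the contract should be written down for module authors: `// Tokens generated by the dispatched module are persisted here; a module that redirects or exits early must call persistTokens() itself before doing so.` Whether a shutdown hook could do this centrally depends on the form protection object still being usable at shutdown, which is not visible here.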
index 30cec1a..6e61c8b 100644 (file)
@@ -130,7 +130,11 @@ class ext_posMap_pages extends t3lib_positionMap {
         * @return      string          Onclick attribute content
         */
        function onClickEvent($pid,$newPagePID) {
-               return 'window.location.href=\'tce_db.php?cmd[pages]['.$GLOBALS['SOBE']->moveUid.']['.$this->moveOrCopy.']='.$pid.'&redirect='.rawurlencode($this->R_URI).'&prErr=1&uPT=1&vC='.$GLOBALS['BE_USER']->veriCode().'\';return false;';
+               return 'window.location.href=\'tce_db.php?cmd[pages][' . $GLOBALS['SOBE']->moveUid . '][' . $this->moveOrCopy . ']=' . $pid .
+                               '&redirect=' . rawurlencode($this->R_URI) .
+                               '&prErr=1&uPT=1&vC=' . $GLOBALS['BE_USER']->veriCode() .
+                               t3lib_BEfunc::getUrlToken('tceAction') .
+                               '\';return false;';
        }
 
        /**
@@ -462,5 +466,6 @@ $SOBE = t3lib_div::makeInstance('SC_move_el');
 $SOBE->init();
 $SOBE->main();
 $SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
 
 ?>
index ea85784..70a5f4c 100755 (executable)
@@ -445,7 +445,7 @@ class SC_db_layout {
 
                                function deleteRecord(table,id,url)     {       //
                                        if (confirm('.$LANG->JScharCode($LANG->getLL('deleteWarning')).'))      {
-                                               window.location.href = "'.$BACK_PATH.'tce_db.php?cmd["+table+"]["+id+"][delete]=1&redirect="+escape(url)+"&vC='.$BE_USER->veriCode().'&prErr=1&uPT=1";
+                                               window.location.href = "'.$BACK_PATH.'tce_db.php?cmd["+table+"]["+id+"][delete]=1&redirect="+escape(url)+"&vC=' . $BE_USER->veriCode() . t3lib_BEfunc::getUrlToken('tceAction') . '&prErr=1&uPT=1";
                                        }
                                        return false;
                                }
@@ -902,7 +902,7 @@ class SC_db_layout {
                                        <input type="hidden" name="_disableRTE" value="'.$tceforms->disableRTE.'" />
                                        <input type="hidden" name="edit_record" value="'.$edit_record.'" />
                                        <input type="hidden" name="redirect" value="'.htmlspecialchars($uidVal=='new' ? t3lib_extMgm::extRelPath('cms').'layout/db_layout.php?id='.$this->id.'&new_unique_uid='.$new_unique_uid.'&returnUrl='.rawurlencode($this->returnUrl) : $this->R_URI ).'" />
-                                       ';
+                                       ' . t3lib_TCEforms::getHiddenTokenField('tceAction');
 
                                        // Add JavaScript as needed around the form:
                                $theCode=$tceforms->printNeededJSFunctions_top().$theCode.$tceforms->printNeededJSFunctions();
@@ -1413,5 +1413,6 @@ foreach($SOBE->include_once as $INC_FILE) include_once($INC_FILE);
 $SOBE->clearCache();
 $SOBE->main();
 $SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
 
 ?>
\ No newline at end of file
index 10ee85b..8f67956 100755 (executable)
@@ -233,5 +233,6 @@ $SOBE->checkSubExtObj();    // Checking second level external objects
 
 $SOBE->main();
 $SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
 
 ?>
index 1bcd41b..3326879 100644 (file)
@@ -513,5 +513,6 @@ foreach($SOBE->include_once as $INC_FILE)   include_once($INC_FILE);
 $SOBE->clearCache();
 $SOBE->main();
 $SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
 
 ?>
index 166004c..16e0d21 100755 (executable)
@@ -694,5 +694,6 @@ $SOBE = t3lib_div::makeInstance('SC_mod_tools_dbint_index');
 $SOBE->init();
 $SOBE->main();
 $SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
 
 ?>
index 2e92fc8..910d2d5 100755 (executable)
@@ -516,7 +516,7 @@ class SC_mod_web_perm_index {
                        <input type="submit" name="submit" value="'.$LANG->getLL('Save',1).'" />'.
                        '<input type="submit" value="'.$LANG->getLL('Abort',1).'" onclick="'.htmlspecialchars('jumpToUrl(\'index.php?id='.$this->id.'\'); return false;').'" />
                        <input type="hidden" name="redirect" value="'.htmlspecialchars(TYPO3_MOD_PATH.'index.php?mode='.$this->MOD_SETTINGS['mode'].'&depth='.$this->MOD_SETTINGS['depth'].'&id='.intval($this->return_id).'&lastEdited='.$this->id).'" />
-               ';
+               ' . t3lib_TCEforms::getHiddenTokenField('tceAction');
 
                        // Adding section with the permission setting matrix:
                $this->content.=$this->doc->divider(5);
@@ -851,5 +851,6 @@ $SOBE = t3lib_div::makeInstance('SC_mod_web_perm_index');
 $SOBE->init();
 $SOBE->main();
 $SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
 
 ?>
index 9329c5b..729cf58 100755 (executable)
@@ -534,5 +534,6 @@ foreach($SOBE->include_once as $INC_FILE) {
 
 $SOBE->main();
 $SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
 
 ?>
index f87a5ad..e098672 100644 (file)
@@ -246,8 +246,23 @@ $SOBE->init();
 // Include files?
 foreach($SOBE->include_once as $INC_FILE)      include_once($INC_FILE);
 
-$SOBE->initClipboard();
-$SOBE->main();
+$formprotection = t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection');
+
+if ($formprotection->validateToken(t3lib_div::_GP('formToken'), 'tceAction')) {
+       $SOBE->initClipboard();
+       $SOBE->main();
+
+               // This is done for the clear cache menu, so that it gets a new token
+               // making it possible to clear cache several times.
+       if (t3lib_div::_GP('ajaxCall')) {
+               $token = array();
+               $token['value'] = $formprotection->generateToken('tceAction');
+               $token['name'] = 'formToken';
+                       // This will be used by clearcachemenu.js to replace the token for the next call
+               echo t3lib_BEfunc::getUrlToken('tceAction');
+       }
+}
+$formprotection->persistTokens();
 $SOBE->finish();
 
 ?>
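Review bot: The `$token` array built on the three lines before the `echo` is never read — the response is produced by `getUrlToken('tceAction')` — so `generateToken()` runs twice per AJAX call and one token is persisted without ever being handed out; drop the three `$token` lines. When `validateToken()` returns false the script still proceeds to `$SOBE->finish()` with no message and no log entry, so a forged or stale request fails silently and cannot be told apart from a successful one afterwards; unless validateToken() records the failure itself (not visible here), add an `else` branch that logs it, e.g. via `t3lib_div::sysLog()`, and tells the user the action was not executed. On the `ajaxCall` path the `echo` precedes `finish()`; if finish() sends a redirect header that output would already be on the wire, which presumably does not happen for AJAX calls but is worth confirming.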
index 5a7e707..d63efea 100644 (file)
@@ -423,11 +423,15 @@ class template {
         */
        function issueCommand($params,$rUrl='') {
                $rUrl = $rUrl ? $rUrl : t3lib_div::getIndpEnv('REQUEST_URI');
-               return $this->backPath.'tce_db.php?'.
-                               $params.
-                               '&redirect='.($rUrl==-1?"'+T3_THIS_LOCATION+'":rawurlencode($rUrl)).
-                               '&vC='.rawurlencode($GLOBALS['BE_USER']->veriCode()).
+               $commandUrl = $this->backPath.'tce_db.php?' .
+                               $params .
+                               '&redirect=' . ($rUrl==-1 ? "'+T3_THIS_LOCATION+'" : rawurlencode($rUrl)) .
+                               '&vC='.rawurlencode($GLOBALS['BE_USER']->veriCode()) .
+                               t3lib_BEfunc::getUrlToken('tceAction') .
                                '&prErr=1&uPT=1';
+
+               t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
+               return $commandUrl;
        }
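Review bot: `issueCommand()` now persists tokens on every call, so a URL builder gains a storage write as a side effect; list and clipboard views call it once per command link, and if persistTokens() writes the user session (its implementation is not visible here) that is one write per link instead of one per request. The call is presumably placed here because callers outside this commit have no script-level persistTokens(), but the other files in this commit persist once at the end of the script, and doing the same for the modules that use issueCommand() would keep the builder free of storage side effects. Minor: the `'&vC='.rawurlencode(` line keeps the old concatenation spacing while the neighbouring lines were reformatted with spaces around `.`.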
 
        /**
@@ -1556,12 +1560,17 @@ $str.=$this->docBodyTagBegin().
                                this.selectedIndex=0;
                        } else if (this.options[this.selectedIndex].value.indexOf(\';\')!=-1) {
                                eval(this.options[this.selectedIndex].value);
-                       }else{
-                               window.location.href=\''.$this->backPath.'tce_db.php?vC='.$BE_USER->veriCode().'&redirect='.rawurlencode(t3lib_div::getIndpEnv('REQUEST_URI')).'&cacheCmd=\'+this.options[this.selectedIndex].value;
+                       } else {
+                               window.location.href=\'' . $this->backPath .
+                                               'tce_db.php?vC=' . $BE_USER->veriCode() .
+                                               t3lib_BEfunc::getUrlToken('tceAction') .
+                                               '&redirect=' . rawurlencode(t3lib_div::getIndpEnv('REQUEST_URI')) .
+                                               '&cacheCmd=\'+this.options[this.selectedIndex].value;
                        }';
                $af_content = '<select name="cacheCmd" onchange="'.htmlspecialchars($onChange).'">'.implode('',$opt).'</select>';
 
                if (count($opt)>1)      {
+                       t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
                        return $af_content;
                }
        }
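Review bot: `getUrlToken('tceAction')` is evaluated while `$onChange` is built, before the `count($opt)>1` check, so when the menu is not rendered a token is still generated and, with persistTokens() only inside the branch, never persisted. Moving the `count($opt)` test ahead of the `$onChange` assignment, or the token call into the branch, avoids minting tokens for output that is discarded. The enclosing method starts outside the hunk.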
index a692299..243f444 100644 (file)
@@ -198,7 +198,8 @@ class SC_wizard_rte {
 
                                // Adding hidden fields:
                        $formContent.= '<input type="hidden" name="redirect" value="'.htmlspecialchars($this->R_URI).'" />
-                                               <input type="hidden" name="_serialNumber" value="'.md5(microtime()).'" />';
+                                               <input type="hidden" name="_serialNumber" value="'.md5(microtime()).'" />' .
+                                               t3lib_TCEforms::getHiddenTokenField('tceAction');
 
 
                                // Finally, add the whole setup:
@@ -338,5 +339,6 @@ $SOBE = t3lib_div::makeInstance('SC_wizard_rte');
 $SOBE->init();
 $SOBE->main();
 $SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
 
 ?>