(minor) Fixed bug #6138: Prevent recursive inclusion of external TypoScript files...
authorMichael Stucki <michael.stucki@typo3.org>
Mon, 15 Oct 2007 15:03:50 +0000 (15:03 +0000)
committerMichael Stucki <michael.stucki@typo3.org>
Mon, 15 Oct 2007 15:03:50 +0000 (15:03 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@2551 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
t3lib/class.t3lib_tsparser.php
t3lib/class.t3lib_tsparser_ext.php

index 6365812..8ae0bc4 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 2007-10-15  Michael Stucki  <michael@typo3.org>
 
        * (feature) Add new external library "RemoveXSS" for easily filtering potential Cross Site Scripting (XSS) attacks. Can be used by any script. Usage: $filtered_string = t3lib_div::removeXSS($input_string); Thanks to Travis Puderbaugh <kallahar@quickwired.com> for providing this nice piece of code!
+       * (minor) Fixed bug #6138: Prevent recursive inclusion of external TypoScript files (patch by Martin Ficzel)
 
 2007-10-13  Ingo Renner  <ingo@typo3.org>
 
index ea22bf7..d667740 100755 (executable)
@@ -96,6 +96,7 @@ class t3lib_TSparser {
        var $syntaxHighLight = 0;               // If set, then syntax highlight mode is on; Call the function syntaxHighlight() to use this function
        var $highLightData=array();             // Syntax highlight data is accumulated in this array. Used by syntaxHighlight_print() to construct the output.
        var $highLightData_bracelevel = array();        // Syntax highlight data keeping track of the curly brace level for each line
+       var $includedFiles = array();   // Keeps track of the TypoScript files that were included by e.g. <INCLUDE_TYPOSCRIPT: source="FILE:include.ts">
 
                // Debugging, analysis:
        var $regComments = 0;                   // DO NOT register the comments. This is default for the ordinary sitetemplate!
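Review bot: The comment on the new `$includedFiles` property does not say how the array is shaped or what it is for, which matters because `checkIncludeLines()` later in this commit tests it with `isset($this->includedFiles[$filename])` and assigns the value `1`. Suggested comment: `// Absolute file names (as keys, value 1) already pulled in via <INCLUDE_TYPOSCRIPT: source="FILE:..."> during this parse; checkIncludeLines() consults it to refuse a file that would include itself`. Stating that it is keyed by the result of t3lib_div::getFileAbsFileName() also tells a maintainer why the same file referenced through two different relative paths is still caught.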
@@ -514,10 +515,17 @@ class t3lib_TSparser {
                                                        switch(strtolower(trim($sourceParts[0])))       {
                                                                case 'file':
                                                                        $filename = t3lib_div::getFileAbsFileName(trim($sourceParts[1]));
-                                                                       if (strcmp($filename,''))       {       // Must exist and must not contain '..' and must be relative
-                                                                               if (@is_file($filename) && filesize($filename)<100000)  {       // Max. 100 KB include files!
-                                                                                       $newString.=t3lib_div::getUrl($filename).chr(10);
+                                                                       if (!isset($this->includedFiles[$filename])) {
+                                                                               if (strcmp($filename,''))       {       // Must exist and must not contain '..' and must be relative
+                                                                                       if (@is_file($filename) && filesize($filename)<100000)  {       // Max. 100 KB include files!
+                                                                                               $this->includedFiles[$filename] = 1;
+                                                                                                       // check for includes in included text
+                                                                                               $included_text = t3lib_TSparser::checkIncludeLines(t3lib_div::getUrl($filename));
+                                                                                               $newString.= $included_text.chr(10);
+                                                                                       }
                                                                                }
+                                                                       } else {
+                                                                               t3lib_div::sysLog('It appears like TypoScript code is looping over itself. Check your templates for "'.htmlspecialchars('<INCLUDE_TYPOSCRIPT:'.$subparts[0].'>').'"','Core',2);
                                                                        }
                                                                break;
                                                        }
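Review bot: `$this->includedFiles[$filename] = 1` is set after the `is_file` check but never cleared, so the guard cannot tell a genuine cycle from a file that is legitimately included a second time later in the same parser instance — the second occurrence is silently dropped and reported as a loop by the sysLog call in the `else` branch. Clearing the entry once the nested parse has returned keeps the cycle detection while restoring the previous behaviour for repeated sibling includes: add `unset($this->includedFiles[$filename]);` directly after `$newString.= $included_text.chr(10);`. The nested call on the `$included_text` line goes through the class name, `t3lib_TSparser::checkIncludeLines(...)`, yet the method now depends on `$this`; if any caller invokes checkIncludeLines() statically without a t3lib_TSparser instance, `$this` is unavailable there and the guard would not work, so this is worth confirming against the existing callers. There is also no depth bound on the nested call, so a long chain of distinct files is still recursed without limit (each file capped at 100 KB, but not the total); a simple depth counter passed to the recursive call would be a cheap second line of defence. checkIncludeLines() starts and ends outside the hunk.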
index 7c99503..8100a09 100755 (executable)
@@ -448,10 +448,12 @@ class t3lib_tsparser_ext extends t3lib_TStemplate {
                                        }
                                        if ($this->ext_regComments && isset($arr[$key.'..']))   {
                                                $comment = $arr[$key.'..'];
-                                               $comment = preg_replace('/[\r\n]/', ' ', $comment);     // Remove linebreaks, replace with " "
-                                               $comment = preg_replace('/[#\*]{2,}/', '', $comment);   // Remove # and * if more than twice in a row
-                                               $comment = preg_replace('/^[#\*\s]+/', '# ', $comment); // Replace leading # (just if it exists) and add it again. Result: Every comment should be prefixed by a "#".
-                                               $HTML.= ' <span class="comment">'.trim($comment).'</span>';
+                                               if (!preg_match('/### <INCLUDE_TYPOSCRIPT:.*/', $comment)) {    // Skip INCLUDE_TYPOSCRIPT comments, they are almost useless
+                                                       $comment = preg_replace('/[\r\n]/', ' ', $comment);     // Remove linebreaks, replace with " "
+                                                       $comment = preg_replace('/[#\*]{2,}/', '', $comment);   // Remove # and * if more than twice in a row
+                                                       $comment = preg_replace('/^[#\*\s]+/', '# ', $comment); // Replace leading # (just if it exists) and add it again. Result: Every comment should be prefixed by a "#".
+                                                       $HTML.= ' <span class="comment">'.trim($comment).'</span>';
+                                               }
                                        }
                                }
                                $HTML.="<br />";
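Review bot: The `preg_match('/### <INCLUDE_TYPOSCRIPT:.*/', $comment)` test is unanchored and runs before the line breaks are normalised, so a multi-line comment block that carries an INCLUDE_TYPOSCRIPT marker anywhere inside it is dropped as a whole, including any real comment text around it; the trailing `.*` contributes nothing to the match. If only the marker line should disappear, strip that line and keep the rest, e.g. `$comment = preg_replace('/^### <INCLUDE_TYPOSCRIPT:.*$/m', '', $comment);` followed by `if (trim($comment) !== '')` around the existing normalisation, so that an all-marker block still produces no empty span. If suppressing the whole block is intended, a comment saying so and a plain `strpos($comment, '### <INCLUDE_TYPOSCRIPT:') !== false` would state that more directly than a regex. Separately, `trim($comment)` is written into `$HTML` unescaped on the following line while the sibling t3lib_tsparser change escapes the same marker text with htmlspecialchars() before logging it; if the raw output is deliberate because this view is admin-only, a short comment to that effect would save the next reviewer the same question. The enclosing method starts and ends outside the hunk.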