[TASK] Remove compatiblity code added for security release 63/50863/3
authorHelmut Hummel <info@helhum.io>
Fri, 2 Dec 2016 22:52:07 +0000 (23:52 +0100)
committerAnja Leichsenring <aleichsenring@ab-softlab.de>
Sat, 3 Dec 2016 16:21:17 +0000 (17:21 +0100)
Remove the overhead that was added to avoid BC breaks for
extension code that subclassed the form view helper.

Enough time has now passed for extensions to adapt their
subclasses so that the security-related hidden field is added as well.

These adaptations will then be compatible with all TYPO3 versions,
so this change is not marked as breaking.

Resolves: #78869
Releases: master
Change-Id: I910bc26cd57b7629e57332fdab3d57032f0c2478
Reviewed-on: https://review.typo3.org/50863
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
typo3/sysext/fluid/Classes/ViewHelpers/FormViewHelper.php

index 7d3abc3..e8db124 100644 (file)
@@ -158,7 +158,6 @@ class FormViewHelper extends \TYPO3\CMS\Fluid\ViewHelpers\Form\AbstractFormViewH
         $content .= $this->renderHiddenIdentityField($this->arguments['object'], $this->getFormObjectName());
         $content .= $this->renderAdditionalIdentityFields();
         $content .= $this->renderHiddenReferrerFields();
-        $content .= $this->renderHiddenSecuredReferrerField();
 
         // Render the trusted list of all properties after everything else has been rendered
         $content .= $this->renderTrustedPropertiesField();
@@ -171,7 +170,6 @@ class FormViewHelper extends \TYPO3\CMS\Fluid\ViewHelpers\Form\AbstractFormViewH
         $this->removeFormObjectNameFromViewHelperVariableContainer();
         $this->removeFormFieldNamesFromViewHelperVariableContainer();
         $this->removeCheckboxFieldNamesFromViewHelperVariableContainer();
-        $this->removeSecuredHiddenFieldsRenderedFromViewHelperVariableContainer();
         return $this->tag->render();
     }
 
@@ -243,46 +241,23 @@ class FormViewHelper extends \TYPO3\CMS\Fluid\ViewHelpers\Form\AbstractFormViewH
         $vendorName = $request->getControllerVendorName();
         $controllerName = $request->getControllerName();
         $actionName = $request->getControllerActionName();
+        $actionRequest = [
+            '@extension' => $extensionName,
+            '@controller' => $controllerName,
+            '@action' => $actionName,
+        ];
+
         $result = LF;
         $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[@extension]') . '" value="' . $extensionName . '" />' . LF;
         if ($vendorName !== null) {
             $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[@vendor]') . '" value="' . $vendorName . '" />' . LF;
+            $actionRequest['@vendor'] = $vendorName;
         }
         $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[@controller]') . '" value="' . $controllerName . '" />' . LF;
         $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[@action]') . '" value="' . $actionName . '" />' . LF;
         $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[arguments]') . '" value="' . htmlspecialchars($this->hashService->appendHmac(base64_encode(serialize($request->getArguments())))) . '" />' . LF;
-        $result .= $this->renderHiddenSecuredReferrerField();
-
-        return $result;
-    }
+        $result .= '<input type="hidden" name="' . $this->prefixFieldName('__referrer[@request]') . '" value="' . htmlspecialchars($this->hashService->appendHmac(serialize($actionRequest))) . '" />' . LF;
 
-    /**
-     * Renders hidden form field for secured referrer information about the current controller and action.
-     *
-     * This method is called twice, to deal with subclasses of this class in a most compatible way
-     *
-     * @return string Hidden field with secured referrer information
-     */
-    protected function renderHiddenSecuredReferrerField()
-    {
-        if ($this->hasSecuredHiddenFieldsRendered()) {
-            return '';
-        }
-        $request = $this->renderingContext->getControllerContext()->getRequest();
-        $extensionName = $request->getControllerExtensionName();
-        $vendorName = $request->getControllerVendorName();
-        $controllerName = $request->getControllerName();
-        $actionName = $request->getControllerActionName();
-        $actionRequest = [
-            '@extension' => $extensionName,
-            '@controller' => $controllerName,
-            '@action' => $actionName,
-        ];
-        if ($vendorName !== null) {
-            $actionRequest['@vendor'] = $vendorName;
-        }
-        $result = '<input type="hidden" name="' . $this->prefixFieldName('__referrer[@request]') . '" value="' . htmlspecialchars($this->hashService->appendHmac(serialize($actionRequest))) . '" />' . LF;
-        $this->addSecuredHiddenFieldsRenderedToViewHelperVariableContainer();
         return $result;
     }
 
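Review bot: The signed `__referrer[@request]` field added at the end of this hunk is now emitted from this method only, and nothing on the new side says so, because the docblock of the removed renderHiddenSecuredReferrerField() was its only description. With the fallback call in render() also gone, a subclass that overrides this method (presumably renderHiddenReferrerFields(), whose signature and docblock are outside the hunk) without calling the parent would render a form lacking the HMAC-protected referrer. I would add a comment above the new line, such as `// HMAC-signed copy of @extension/@vendor/@controller/@action; overrides of this method must render it too (see #78869)`. Separately, the four plain `__referrer[...]` values are concatenated into the `value` attribute without htmlspecialchars(), unlike the two signed fields. If the request's extension, vendor, controller and action names are not already constrained elsewhere, they should be escaped the same way.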
@@ -399,32 +374,6 @@ class FormViewHelper extends \TYPO3\CMS\Fluid\ViewHelpers\Form\AbstractFormViewH
     }
 
     /**
-     * Adds flag to indicate the secured hidden fields have been rendered to the ViewHelperVariableContainer
-     */
-    protected function addSecuredHiddenFieldsRenderedToViewHelperVariableContainer()
-    {
-        $this->viewHelperVariableContainer->add(\TYPO3\CMS\Fluid\ViewHelpers\FormViewHelper::class, 'securedHiddenFieldsRendered', true);
-    }
-
-    /**
-     * Checks whether the secured hidden fields have been rendered
-     *
-     * @return bool
-     */
-    protected function hasSecuredHiddenFieldsRendered()
-    {
-        return $this->viewHelperVariableContainer->exists(\TYPO3\CMS\Fluid\ViewHelpers\FormViewHelper::class, 'securedHiddenFieldsRendered');
-    }
-
-    /**
-     * Removes flag to indicate the secured hidden fields have been rendered from the ViewHelperVariableContainer
-     */
-    protected function removeSecuredHiddenFieldsRenderedFromViewHelperVariableContainer()
-    {
-        $this->viewHelperVariableContainer->remove(\TYPO3\CMS\Fluid\ViewHelpers\FormViewHelper::class, 'securedHiddenFieldsRendered');
-    }
-
-    /**
      * Render the request hash field
      *
      * @return string the hmac field