[BUGFIX] Maintain compatibility with changed headline rendering
authorHelmut Hummel <helmut.hummel@typo3.org>
Mon, 8 Aug 2011 22:21:58 +0000 (00:21 +0200)
committerOliver Hader <oliver@typo3.org>
Fri, 12 Aug 2011 16:30:32 +0000 (18:30 +0200)
If the fontTag property is set and the dataWrap property is set to the
default value, replace the dataWrap with the fontTag property value and
disable insertData on this level (if set).

This is to retain compatibility with versions before 4.5.4 while
compatibility with modified templates (before and after 4.5.4) is still
provided.

Change-Id: I376c9fe013a21ac3e2e82a23d8d194fba9ac21f5
Resolves: #28847
Related: #26876
Releases: 4.5, 4.4, 4.3
Reviewed-on: http://review.typo3.org/4230
Reviewed-by: Michael Stucki
Tested-by: Michael Stucki
Reviewed-by: Ernesto Baschny
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
tests/typo3/sysext/cms/tslib/tslib_contentTest.php
typo3/sysext/cms/tslib/class.tslib_content.php

index b27f7fa..acf418c 100644 (file)
@@ -48,6 +48,11 @@ class tslib_contentTest extends tx_phpunit_testcase {
        private $tsfe;
 
        /**
+        * @var t3lib_timeTrack
+        */
+       private $timeTrack;
+
+       /**
         * @var t3lib_TStemplate
         */
        private $template;
@@ -76,6 +81,9 @@ class tslib_contentTest extends tx_phpunit_testcase {
                $GLOBALS['TSFE']->renderCharset = 'utf-8';
                $GLOBALS['TYPO3_CONF_VARS']['SYS']['t3lib_cs_utils'] = 'mbstring';
 
+               $this->timeTrack = $this->getMock('t3lib_timeTrack');
+               $GLOBALS['TT'] = $this->timeTrack;
+
                $className = 'tslib_cObj_' . uniqid('test');
                eval('
                        class ' . $className . ' extends tslib_cObj {
@@ -98,8 +106,9 @@ class tslib_contentTest extends tx_phpunit_testcase {
                }
 
                $GLOBALS['TSFE'] = null;
+               $GLOBALS['TT'] = null;
 
-               unset($this->cObj, $this->tsfe, $this->template, $this->typoScriptImage);
+               unset($this->cObj, $this->tsfe, $this->timeTrack, $this->template, $this->typoScriptImage);
        }
 
 
@@ -720,5 +729,65 @@ class tslib_contentTest extends tx_phpunit_testcase {
                $result = $this->cObj->numberFormat($float, $formatConf);
                $this->assertEquals($expected, $result);
        }
+
+       //////////////////////////////
+       // Tests concerning stdWrap
+       //////////////////////////////
+
+       /**
+        * Tests whether fontTag is replaced by dataWrap if the default
+        * css_styled_content configuration is used. This individual check
+        * is related to a security fix that would break compatibility to
+        * older TYPO3 default settings.
+        *
+        * @test
+        * @return void
+        * @see http://forge.typo3.org/issues/28847
+        */
+       public function isFontTagReplacedByDataWrapIfDefaultConfigurationIsFound() {
+               $testRegister = '{register:' . uniqid('register') . '}';
+               $testContent = uniqid('content');
+               $testToken = uniqid();
+               $configuration = array(
+                       'fontTag' => '<h1 class="' . $testToken . '">|</h1>',
+                       'dataWrap' => '<h1{register:headerStyle}{register:headerClass}>|</h1>',
+                       'insertData' => '1',
+               );
+
+               $this->timeTrack->expects($this->once())->method('setTSlogMessage');
+
+               $this->assertEquals(
+                       '<h1 class="' . $testToken . '">' . $testContent . $testRegister . '</h1>',
+                       $this->cObj->stdWrap($testContent . $testRegister, $configuration)
+               );
+       }
+
+       /**
+        * Tests whether fontTag is replaced by dataWrap if the default
+        * css_styled_content configuration is used. This individual check
+        * is related to a security fix that would break compatibility to
+        * older TYPO3 default settings.
+        *
+        * @test
+        * @return void
+        * @see http://forge.typo3.org/issues/28847
+        */
+       public function isFontTagNotReplacedByDataWrapIfIndividualConfigurationIsFound() {
+               $testRegister = '{register:' . uniqid('register') . '}';
+               $testContent = uniqid('content');
+               $testToken = uniqid();
+               $configuration = array(
+                       'fontTag' => '<h1 class="' . $testToken . '">|</h1>',
+                       'dataWrap' => '<div>|</div>',
+                       'insertData' => '1',
+               );
+
+               $this->timeTrack->expects($this->never())->method('setTSlogMessage');
+
+               $this->assertEquals(
+                       '<div><h1 class="' . $testToken . '">' . $testContent . '</h1></div>',
+                       $this->cObj->stdWrap($testContent . $testRegister, $configuration)
+               );
+       }
 }
 ?>
\ No newline at end of file
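Review bot: The docblock of `isFontTagNotReplacedByDataWrapIfIndividualConfigurationIsFound()` is a verbatim copy of the one on the preceding test, so it describes the opposite of what the method asserts. Both also state the direction backwards, since the code under test overwrites `dataWrap` with the `fontTag` value rather than the other way round. For the second test I would use a summary such as `Tests whether an individually configured dataWrap is kept, fontTag is applied inside it and no TS log message is written.` It is also worth a line in each docblock on what happens to the `{register:...}` marker in the content. The first test expects it to stay literal because `insertData` was removed, and the second expects it to be resolved, which is the security-relevant difference between the two cases.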
index 7f22d5f..a2714db 100644 (file)
@@ -1992,6 +1992,32 @@ class tslib_cObj {
                        }
                }
                if (is_array($conf) && count($conf)) {
+                               // Temporary workaround (to maintain compatibility for security fix! @see #26876)
+                               // If the fontTag property is set and the dataWrap property is set to the default value
+                               // then this indicates that we have a custom setup.
+                       if (isset($conf['fontTag']) && isset($conf['dataWrap']) && preg_match(
+                                       '|<h[0-9]\{register:headerStyle\}\{register:headerClass\}>\|</h[0-9]>|',
+                                       $conf['dataWrap']
+                               )) {
+                               // Write the fontTag property value to dataWrap like before the security fix was introduced.
+                               $conf['dataWrap'] = $conf['fontTag'];
+
+                               // Unset fontTag and insertData properties
+                               // insertData is removed because it would reintroduce the security issue which was already fixed.
+                               // In theory this may again break a site if someone really intended to let users write getData
+                               // values in the headline. However, unlike before the layout is no longer affected as only content
+                               // would change...
+                               unset($conf['fontTag']);
+                               if (isset($conf['insertData'])) {
+                                       unset($conf['insertData']);
+                               }
+
+                               // Since this is magic, log the action
+                               $message = 'For security reasons, the properties "fontTag" and "insertData" have replaced in lib.stdheader.10 with a dataWrap (see http://forge.typo3.org/issues/28847)';
+                               $GLOBALS['TT']->setTSlogMessage($message, 2);
+                               t3lib_div::sysLog($message, 'cms', t3lib_div::SYSLOG_SEVERITY_WARNING);
+                       }
+
                        // check, which of the available stdWrap functions is needed for the current conf Array
                        // and keep only those but still in the same order
                        $sortedConf = array_intersect_key($this->stdWrapOrder, $conf);
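Review bot: The `preg_match` pattern in the new workaround is not anchored, so a `dataWrap` that merely contains the default heading wrap (for instance with an extra outer element around it) is treated as the default, overwritten with `fontTag`, and loses its `insertData`. If only the exact default is meant, as the commit message says, anchor the pattern: `'|^<h[0-9]\{register:headerStyle\}\{register:headerClass\}>\|</h[0-9]>$|'`. The branch also calls `$GLOBALS['TT']->setTSlogMessage()` without checking that a time-track object is present, which presumably ends in a fatal error wherever this code runs without one; the test `setUp()` had to add a mock for it. The log message names `lib.stdheader.10` although the check applies to whatever configuration reaches this point, and it reads "have replaced" where "have been replaced" is meant. The enclosing method starts and ends outside the hunk.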