[!!!][SECURITY] Remove old wizard scripts 56/27956/7
authorHelmut Hummel <helmut.hummel@typo3.org>
Fri, 28 Feb 2014 20:38:52 +0000 (21:38 +0100)
committerHelmut Hummel <helmut.hummel@typo3.org>
Sat, 1 Mar 2014 22:29:15 +0000 (23:29 +0100)
Keeping the old wizard script would not solve
the CSRF attack vector as they could still
be referenced in this kind of attack.

Because of that, we remove them now.

This change provides a backwards compatibility
layer in FormsEngine which takes care of rewriting
URLs which have been referenced in TCA.

Also the priority is changed in code. This means
that extension authors can reference both
configurations to stay compatible with older
TYPO3 versions.

It will however break code which links to the
old scripts directly in other places.

Resolves: #56454
Releases: 6.2
Change-Id: I15f5d929f16fdd53a8b87cd32440a3d6ce59b6ed
Reviewed-on: https://review.typo3.org/27956
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
typo3/sysext/backend/Classes/Form/FormEngine.php
typo3/wizard_add.php [deleted file]
typo3/wizard_colorpicker.php [deleted file]
typo3/wizard_edit.php [deleted file]
typo3/wizard_forms.php [deleted file]
typo3/wizard_list.php [deleted file]
typo3/wizard_rte.php [deleted file]
typo3/wizard_table.php [deleted file]

index 7e7b04a..e0d4fc8 100644 (file)
@@ -4158,7 +4158,18 @@ TBE_EDITOR.customEvalFunctions[\'' . $evalData . '\'] = function(value) {
                                                                $params['md5ID'] = $md5ID;
                                                                $params['returnUrl'] = $this->thisReturnUrl();
                                                                // Resolving script filename and setting URL.
-                                                               if (isset($wConf['script'])) {
+                                                               if (isset($wConf['module']['name'])) {
+                                                                       $urlParameters = array();
+                                                                       if (isset($wConf['module']['urlParameters']) && is_array($wConf['module']['urlParameters'])) {
+                                                                               $urlParameters = $wConf['module']['urlParameters'];
+                                                                       }
+                                                                       $wScript = BackendUtility::getModuleUrl($wConf['module']['name'], $urlParameters);
+                                                               } elseif (isset($wConf['script'])) {
+                                                                       GeneralUtility::deprecationLog(
+                                                                               'The way registering a wizard in TCA has changed in 6.2. '
+                                                                               . 'Please set module[name]=module_name instead of using script=path/to/sctipt.php in your TCA. '
+                                                                               . 'The possibility to register wizards this way will be removed in 2 versions.'
+                                                                       );
                                                                        if (substr($wConf['script'], 0, 4) === 'EXT:') {
                                                                                $wScript = GeneralUtility::getFileAbsFileName($wConf['script']);
                                                                                if ($wScript) {
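Review bot: `$wScript` is never reset at the top of this branch chain, and with the new `elseif (in_array($wConf['type'], array('script', 'colorbox', 'popup'), TRUE))` guard in the second hunk a wizard whose type is outside that list no longer hits the `break`, so the `$url = $this->backPath . $wScript . ...` line is reached with whatever `$wScript` held from an earlier iteration of the enclosing loop (the loop starts outside this hunk, so this is inferred from the variable's use). Add `$wScript = '';` directly under the `// Resolving script filename and setting URL.` comment so a stale value cannot leak into a link that is later emitted with `htmlspecialchars()` but without any other validation. The deprecation message in the new block also misspells the hint: `. 'Please set module[name]=module_name instead of using script=path/to/script.php in your TCA. '`.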
@@ -4168,22 +4179,36 @@ TBE_EDITOR.customEvalFunctions[\'' . $evalData . '\'] = function(value) {
                                                                                        break;
                                                                                }
                                                                        } else {
-                                                                               $wScript = $wConf['script'];
-                                                                       }
-                                                               } elseif (isset($wConf['module']['name'])) {
-                                                                       $urlParameters = array();
-                                                                       if (isset($wConf['module']['urlParameters']) && is_array($wConf['module']['urlParameters'])) {
-                                                                               $urlParameters = $wConf['module']['urlParameters'];
+                                                                               $parsedWizardUrl = parse_url($wConf['script']);
+                                                                               if (in_array($parsedWizardUrl['path'], array(
+                                                                                                       'wizard_add.php',
+                                                                                                       'wizard_colorpicker.php',
+                                                                                                       'wizard_edit.php',
+                                                                                                       'wizard_forms.php',
+                                                                                                       'wizard_list.php',
+                                                                                                       'wizard_rte.php',
+                                                                                                       'wizard_table.php',
+                                                                                               ))
+                                                                               ) {
+                                                                                       $urlParameters = array();
+                                                                                       if (isset($parsedWizardUrl['query'])) {
+                                                                                                parse_str($parsedWizardUrl['query'], $urlParameters);
+                                                                                       }
+                                                                                       $moduleName = str_replace('.php', '', $parsedWizardUrl['path']);
+                                                                                       $wScript = BackendUtility::getModuleUrl($moduleName, $urlParameters);
+                                                                                       unset($moduleName, $urlParameters, $parsedWizardUrl);
+                                                                               } else {
+                                                                                       $wScript = $wConf['script'];
+                                                                               }
                                                                        }
-                                                                       $wScript = BackendUtility::getModuleUrl($wConf['module']['name'], $urlParameters);
-                                                               } else {
+                                                               } elseif (in_array($wConf['type'], array('script', 'colorbox', 'popup'), TRUE)) {
                                                                        // Illeagal configuration, fail silently
                                                                        break;
                                                                }
 
                                                                $url = $this->backPath . $wScript . (strstr($wScript, '?') ? '' : '?');
                                                                // If "script" type, create the links around the icon:
-                                                               if ((string) $wConf['type'] == 'script') {
+                                                               if ((string) $wConf['type'] === 'script') {
                                                                        $aUrl = $url . GeneralUtility::implodeArrayForUrl('', array('P' => $params));
                                                                        $outArr[] = '<a href="' . htmlspecialchars($aUrl) . '" onclick="this.blur(); return !TBE_EDITOR.isFormChanged();">' . $icon . '</a>';
                                                                } else {
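Review bot: `$parsedWizardUrl['path']` is read without checking that `parse_url()` produced that key: a `script` value starting with `?` yields no `path` element, and a string `parse_url()` rejects returns `false`, so the `in_array()` call operates on a notice-generating undefined index in the first case. Guard it and make the list membership strict, `if (isset($parsedWizardUrl['path']) && in_array($parsedWizardUrl['path'], array(`, with `), TRUE)` closing the call. The allow-list only matches bare file names, so a TCA entry that references one of the removed scripts with a directory prefix would fall through to `$wScript = $wConf['script'];` and link to a file that this commit deletes; if such references exist in the wild, comparing `basename($parsedWizardUrl['path'])` would catch them — worth confirming against real extension TCA before widening the match. The `unset($moduleName, $urlParameters, $parsedWizardUrl);` line is harmless but unusual for this file and could simply be dropped.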
diff --git a/typo3/wizard_add.php b/typo3/wizard_add.php
deleted file mode 100644 (file)
index e3ebb4f..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-<?php
-/***************************************************************
- *  Copyright notice
- *
- *  (c) 1999-2013 Kasper Skårhøj (kasperYYYY@typo3.com)
- *  All rights reserved
- *
- *  This script is part of the TYPO3 project. The TYPO3 project is
- *  free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  The GNU General Public License can be found at
- *  http://www.gnu.org/copyleft/gpl.html.
- *  A copy is found in the text file GPL.txt and important notices to the license
- *  from the author is found in LICENSE.txt distributed with these scripts.
- *
- *
- *  This script is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  This copyright notice MUST APPEAR in all copies of the script!
- ***************************************************************/
-
-/**
- * Wizard to add new records to a group/select TCEform formfield
- *
- * @author Kasper Skårhøj <kasperYYYY@typo3.com>
- */
-require __DIR__ . '/init.php';
-
-\TYPO3\CMS\Core\Utility\GeneralUtility::deprecationLog('The way registering a wizard in TCA has chan
-ged in 6.2. Please set module[name]=wizard_add instead of script=wizard_add.php in your TCA. This
-script will be removed in two versions.');
-$addController = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Backend\\Controller\\Wizard\\AddController');
-$addController->main();
diff --git a/typo3/wizard_colorpicker.php b/typo3/wizard_colorpicker.php
deleted file mode 100644 (file)
index 87e2fdf..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-<?php
-/***************************************************************
- *  Copyright notice
- *
- *  (c) 1999-2013 Kasper Skårhøj (kasperYYYY@typo3.com)
- *  All rights reserved
- *
- *  This script is part of the TYPO3 project. The TYPO3 project is
- *  free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  The GNU General Public License can be found at
- *  http://www.gnu.org/copyleft/gpl.html.
- *  A copy is found in the text file GPL.txt and important notices to the license
- *  from the author is found in LICENSE.txt distributed with these scripts.
- *
- *
- *  This script is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  This copyright notice MUST APPEAR in all copies of the script!
- ***************************************************************/
-
-/**
- * Colorpicker wizard
- *
- * @author Mathias Schreiber <schreiber@wmdb.de>
- * @author Peter Kühn <peter@kuehn.com>
- * @author Kasper Skårhøj <typo3@typo3.com>
- */
-require __DIR__ . '/init.php';
-
-\TYPO3\CMS\Core\Utility\GeneralUtility::deprecationLog('The way registering a wizard in TCA has chan
-ged in 6.2. Please set module[name]=wizard_colorpicker instead of script=wizard_colorpicker.php in your TCA. This
-script will be removed in two versions.');
-$colorpickerController = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Backend\\Controller\\Wizard\\ColorpickerController');
-$colorpickerController->main();
-$colorpickerController->printContent();
diff --git a/typo3/wizard_edit.php b/typo3/wizard_edit.php
deleted file mode 100644 (file)
index fddcba3..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
-<?php
-/***************************************************************
- *  Copyright notice
- *
- *  (c) 1999-2013 Kasper Skårhøj (kasperYYYY@typo3.com)
- *  All rights reserved
- *
- *  This script is part of the TYPO3 project. The TYPO3 project is
- *  free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  The GNU General Public License can be found at
- *  http://www.gnu.org/copyleft/gpl.html.
- *  A copy is found in the text file GPL.txt and important notices to the license
- *  from the author is found in LICENSE.txt distributed with these scripts.
- *
- *
- *  This script is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  This copyright notice MUST APPEAR in all copies of the script!
- ***************************************************************/
-
-/**
- * Wizard to edit records from group/select lists in TCEforms
- *
- * @author Kasper Skårhøj <kasperYYYY@typo3.com>
- */
-require __DIR__ . '/init.php';
-
-\TYPO3\CMS\Core\Utility\GeneralUtility::deprecationLog('The way registering a wizard in TCA has changed in 6.2. Please set module[name]=wizard_edit instead of script=wizard_edit.php in your TCA. This script will be removed in two versions.');
-$editController = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Backend\\Controller\\Wizard\\EditController');
-$editController->main();
diff --git a/typo3/wizard_forms.php b/typo3/wizard_forms.php
deleted file mode 100644 (file)
index a2f32e3..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-<?php
-/***************************************************************
- *  Copyright notice
- *
- *  (c) 1999-2013 Kasper Skårhøj (kasperYYYY@typo3.com)
- *  All rights reserved
- *
- *  This script is part of the TYPO3 project. The TYPO3 project is
- *  free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  The GNU General Public License can be found at
- *  http://www.gnu.org/copyleft/gpl.html.
- *  A copy is found in the text file GPL.txt and important notices to the license
- *  from the author is found in LICENSE.txt distributed with these scripts.
- *
- *
- *  This script is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  This copyright notice MUST APPEAR in all copies of the script!
- ***************************************************************/
-
-/**
- * Wizard to help make forms (fx. for tt_content elements) of type 'form'.
- *
- * @author Kasper Skårhøj <kasperYYYY@typo3.com>
- */
-require __DIR__ . '/init.php';
-
-\TYPO3\CMS\Core\Utility\GeneralUtility::deprecationLog('The way registering a wizard in TCA has chan
-ged in 6.2. Please set module[name]=wizard_forms instead of script=wizard_forms.php in your TCA. This
-script will be removed in two versions.');
-$formsController = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Backend\\Controller\\Wizard\\FormsController');
-$formsController->main();
-$formsController->printContent();
diff --git a/typo3/wizard_list.php b/typo3/wizard_list.php
deleted file mode 100644 (file)
index 010eece..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-<?php
-/***************************************************************
- *  Copyright notice
- *
- *  (c) 1999-2013 Kasper Skårhøj (kasperYYYY@typo3.com)
- *  All rights reserved
- *
- *  This script is part of the TYPO3 project. The TYPO3 project is
- *  free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  The GNU General Public License can be found at
- *  http://www.gnu.org/copyleft/gpl.html.
- *  A copy is found in the text file GPL.txt and important notices to the license
- *  from the author is found in LICENSE.txt distributed with these scripts.
- *
- *
- *  This script is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  This copyright notice MUST APPEAR in all copies of the script!
- ***************************************************************/
-
-/**
- * Wizard to list records from a page id.
- *
- * @author Kasper Skårhøj <kasperYYYY@typo3.com>
- */
-require __DIR__ . '/init.php';
-
-\TYPO3\CMS\Core\Utility\GeneralUtility::deprecationLog('The way registering a wizard in TCA has chan
-ged in 6.2. Please set module[name]=wizard_list instead of script=wizard_list.php in your TCA. This
-script will be removed in two versions.');
-$listController = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Backend\\Controller\\Wizard\\ListController');
-$listController->main();
diff --git a/typo3/wizard_rte.php b/typo3/wizard_rte.php
deleted file mode 100644 (file)
index 78ee14b..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-<?php
-/***************************************************************
- *  Copyright notice
- *
- *  (c) 1999-2013 Kasper Skårhøj (kasperYYYY@typo3.com)
- *  All rights reserved
- *
- *  This script is part of the TYPO3 project. The TYPO3 project is
- *  free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  The GNU General Public License can be found at
- *  http://www.gnu.org/copyleft/gpl.html.
- *  A copy is found in the text file GPL.txt and important notices to the license
- *  from the author is found in LICENSE.txt distributed with these scripts.
- *
- *
- *  This script is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  This copyright notice MUST APPEAR in all copies of the script!
- ***************************************************************/
-
-/**
- * Wizard to display the RTE in "full screen" mode
- *
- * @author Kasper Skårhøj <kasperYYYY@typo3.com>
- */
-require __DIR__ . '/init.php';
-\TYPO3\CMS\Backend\Utility\BackendUtility::lockRecords();
-
-\TYPO3\CMS\Core\Utility\GeneralUtility::deprecationLog('The way registering a wizard in TCA has chan
-ged in 6.2. Please set module[name]=wizard_rte instead of script=wizard_rte.php in your TCA. This
-script will be removed in two versions.');
-$rteController = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Backend\\Controller\\Wizard\\RteController');
-$rteController->main();
-$rteController->printContent();
diff --git a/typo3/wizard_table.php b/typo3/wizard_table.php
deleted file mode 100644 (file)
index c06eea9..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-<?php
-/***************************************************************
- *  Copyright notice
- *
- *  (c) 1999-2013 Kasper Skårhøj (kasperYYYY@typo3.com)
- *  All rights reserved
- *
- *  This script is part of the TYPO3 project. The TYPO3 project is
- *  free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  The GNU General Public License can be found at
- *  http://www.gnu.org/copyleft/gpl.html.
- *  A copy is found in the text file GPL.txt and important notices to the license
- *  from the author is found in LICENSE.txt distributed with these scripts.
- *
- *
- *  This script is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  This copyright notice MUST APPEAR in all copies of the script!
- ***************************************************************/
-
-/**
- * Wizard to help make tables (eg. for tt_content elements) of type "table".
- * Each line is a table row, each cell divided by a |
- *
- * @author Kasper Skårhøj <kasperYYYY@typo3.com>
- */
-require __DIR__ . '/init.php';
-
-\TYPO3\CMS\Core\Utility\GeneralUtility::deprecationLog('The way registering a wizard in TCA has chan
-ged in 6.2. Please set module[name]=wizard_table instead of script=wizard_table.php in your TCA. This
-script will be removed in two versions.');
-/** @var \TYPO3\CMS\Backend\Controller\Wizard\TableController $tableController */
-$tableController = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Backend\\Controller\\Wizard\\TableController');
-$tableController->main();
-$tableController->printContent();