[!!!][TASK] Remove config.lockFilePath functionality 74/54974/5
authorBenni Mack <benni@typo3.org>
Thu, 7 Dec 2017 20:44:05 +0000 (21:44 +0100)
committerStefan Neufeind <typo3.neufeind@speedpartner.de>
Fri, 8 Dec 2017 15:01:16 +0000 (16:01 +0100)
When using the stdWrap.filelist functionality, lockFilePath only
allowed it to be used for a certain directory (usually, if not set, it
was set to fileadmin/); however, this is both very insecure and inflexible.

Thus, stdWrap.filelist is extended to be used with all local FAL storages.

At the same time, the public property TSFE->lockFilePath and the TypoScript
option "config.lockFilePath" are removed.

Resolves: #83256
Releases: master
Change-Id: Ia86c6686128dae4c0870cd15e019f4d53a4b28b6
Reviewed-on: https://review.typo3.org/54974
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Daniel Gorges <daniel.gorges@b13.de>
Tested-by: Daniel Gorges <daniel.gorges@b13.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
typo3/sysext/core/Documentation/Changelog/master/Breaking-83256-RemovedLockFilePathFunctionality.rst [new file with mode: 0644]
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php
typo3/sysext/install/Configuration/ExtensionScanner/Php/MethodCallMatcher.php
typo3/sysext/install/Configuration/ExtensionScanner/Php/PropertyPublicMatcher.php
typo3/sysext/t3editor/Resources/Private/tsref.xml
typo3/sysext/t3editor/Resources/Public/JavaScript/Mode/typoscript/typoscript.js

diff --git a/typo3/sysext/core/Documentation/Changelog/master/Breaking-83256-RemovedLockFilePathFunctionality.rst b/typo3/sysext/core/Documentation/Changelog/master/Breaking-83256-RemovedLockFilePathFunctionality.rst
new file mode 100644 (file)
index 0000000..c3acf3a
--- /dev/null
@@ -0,0 +1,51 @@
+.. include:: ../../Includes.txt
+
+=====================================================
+Breaking: #83256 - Removed lockFilePath functionality
+=====================================================
+
+See :issue:`83256`
+
+Description
+===========
+
+The TypoScript option :typoscript:`config.lockFilePath` has been removed, which was possible to allow TypoScript
+:typoscript:`stdWrap.filelist` to use a different base directory than fileadmin/ (which was the default).
+
+However, :typoscript:`stdWrap.filelist` now checks for valid local FAL storages (File Abstraction Layer), which can
+now be used if multiple storages are in use.
+
+Thus, the following PHP property has been removed:
+
+* :php:`TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController->lockFilePath
+
+The following PHP method has been removed:
+
+* :php:`TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->clean_directory()`
+
+
+Impact
+======
+
+Setting :typoscript:`config.lockFilePath` has no effect anymore.
+
+Accessing or setting :php:`TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController->lockFilePath` will trigger
+a PHP notice.
+
+Calling :php:`TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->clean_directory()` will trigger a PHP fatal error.
+
+
+Affected Installations
+======================
+
+Any installation using the PHP method/property or having config.lockFilePath set to a specific non-FAL folder,
+and using stdWrap.filelist functionality.
+
+
+Migration
+=========
+
+If the TypoScript option was set to a different folder than a FAL storage, ensure to set a local FAL storage
+to this folder.
+
+.. index:: Frontend, TypoScript, PartiallyScanned
index 754b0ac..83fb59a 100644 (file)
@@ -37,6 +37,7 @@ use TYPO3\CMS\Core\Resource\FileReference;
 use TYPO3\CMS\Core\Resource\Folder;
 use TYPO3\CMS\Core\Resource\ProcessedFile;
 use TYPO3\CMS\Core\Resource\ResourceFactory;
+use TYPO3\CMS\Core\Resource\StorageRepository;
 use TYPO3\CMS\Core\Service\DependencyOrderingService;
 use TYPO3\CMS\Core\Service\MarkerBasedTemplateService;
 use TYPO3\CMS\Core\TimeTracker\TimeTracker;
@@ -3067,15 +3068,28 @@ class ContentObjectRenderer
         if ($data === '') {
             return '';
         }
-        $data_arr = explode('|', $data);
+        list($possiblePath, $ext_list, $sorting, $reverse, $useFullPath) = GeneralUtility::trimExplode('|', $data);
         // read directory:
         // MUST exist!
         $path = '';
-        if ($this->getTypoScriptFrontendController()->lockFilePath) {
-            // Cleaning name..., only relative paths accepted.
-            $path = $this->clean_directory($data_arr[0]);
-            // See if path starts with lockFilePath, the additional '/' is needed because clean_directory gets rid of it
-            $path = GeneralUtility::isFirstPartOfStr($path . '/', $this->getTypoScriptFrontendController()->lockFilePath) ? $path : '';
+        // proceeds if no '//', '..' or '\' is in the $theFile
+        if (GeneralUtility::validPathStr($possiblePath)) {
+            // Removes all dots, slashes and spaces after a path.
+            $possiblePath = preg_replace('/[\\/\\. ]*$/', '', $possiblePath);
+            if (!GeneralUtility::isAbsPath($possiblePath) && @is_dir($possiblePath)) {
+                // Now check if it matches one of the FAL storages
+                $storageRepository = GeneralUtility::makeInstance(StorageRepository::class);
+                $storages = $storageRepository->findAll();
+                foreach ($storages as $storage) {
+                    if ($storage->getDriverType() === 'Local' && $storage->isPublic() && $storage->isOnline()) {
+                        $folder = $storage->getPublicUrl($storage->getRootLevelFolder(), true);
+                        if (GeneralUtility::isFirstPartOfStr($possiblePath . '/', $folder)) {
+                            $path = $possiblePath;
+                            break;
+                        }
+                    }
+                }
+            }
         }
         if (!$path) {
             return '';
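Review bot: The containment test `GeneralUtility::isFirstPartOfStr($possiblePath . '/', $folder)` is a plain string-prefix match between an uncanonicalised relative filesystem path and the storage's public URL, so it does not establish that the directory accepted by `@is_dir($possiblePath)` actually resolves inside the storage root. `validPathStr()` rejects `..`, `//` and backslashes in the string, but a symlinked directory below the storage is not caught, and a storage whose public URL differs from its on-disk path presumably just never matches. I would decide containment on resolved paths, e.g. `$real = realpath($possiblePath);` compared against the `realpath()` of the storage's base directory with a trailing slash, and document it with `// containment is decided on resolved paths, not on the public URL`. The enclosing method starts and ends outside this hunk.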
@@ -3084,8 +3098,7 @@ class ContentObjectRenderer
             'files' => [],
             'sorting' => []
         ];
-        $ext_list = strtolower(GeneralUtility::uniqueList($data_arr[1]));
-        $sorting = trim($data_arr[2]);
+        $ext_list = strtolower(GeneralUtility::uniqueList($ext_list));
         // Read dir:
         $d = @dir($path);
         if (is_object($d)) {
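Review bot: `$ext_list` is `null` at `GeneralUtility::uniqueList($ext_list)` whenever `$data` carries fewer than two `|`-separated segments, because the `list()` destructuring at the top of the method is not padded. The same applies to `$reverse` in the hunk at `strtolower($reverse)` and to `$useFullPath` in the hunk that builds `$list_arr`. Each missing segment should raise an undefined-offset notice, although only the path segment is required. Padding once at the destructuring keeps the optional segments optional: `list($possiblePath, $ext_list, $sorting, $reverse, $useFullPath) = array_pad(GeneralUtility::trimExplode('|', $data), 5, '');`. The method body continues outside this hunk.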
@@ -3126,7 +3139,7 @@ class ContentObjectRenderer
         }
         // Sort if required
         if (!empty($items['sorting'])) {
-            if (strtolower(trim($data_arr[3])) !== 'r') {
+            if (strtolower($reverse) !== 'r') {
                 asort($items['sorting']);
             } else {
                 arsort($items['sorting']);
@@ -3135,10 +3148,9 @@ class ContentObjectRenderer
         if (!empty($items['files'])) {
             // Make list
             reset($items['sorting']);
-            $fullPath = trim($data_arr[4]);
             $list_arr = [];
             foreach ($items['sorting'] as $key => $v) {
-                $list_arr[] = $fullPath ? $path . '/' . $items['files'][$key] : $items['files'][$key];
+                $list_arr[] = $useFullPath ? $path . '/' . $items['files'][$key] : $items['files'][$key];
             }
             return implode(',', $list_arr);
         }
@@ -3146,27 +3158,6 @@ class ContentObjectRenderer
     }
 
     /**
-     * Cleans $theDir for slashes in the end of the string and returns the new path, if it exists on the server.
-     *
-     * @param string $theDir Absolute path to directory
-     * @return string The directory path if it existed as was valid to access.
-     * @access private
-     * @see filelist()
-     */
-    public function clean_directory($theDir)
-    {
-        // proceeds if no '//', '..' or '\' is in the $theFile
-        if (GeneralUtility::validPathStr($theDir)) {
-            // Removes all dots, slashes and spaces after a path...
-            $theDir = preg_replace('/[\\/\\. ]*$/', '', $theDir);
-            if (!GeneralUtility::isAbsPath($theDir) && @is_dir($theDir)) {
-                return $theDir;
-            }
-        }
-        return '';
-    }
-
-    /**
      * Passes the input value, $theValue, to an instance of "\TYPO3\CMS\Core\Html\HtmlParser"
      * together with the TypoScript options which are first converted from a TS style array
      * to a set of arrays with options for the \TYPO3\CMS\Core\Html\HtmlParser class.
index 06f0bc9..ab205b4 100644 (file)
@@ -483,12 +483,6 @@ class TypoScriptFrontendController implements LoggerAwareInterface
     public $absRefPrefix = '';
 
     /**
-     * Lock file path
-     * @var string
-     */
-    public $lockFilePath = '';
-
-    /**
      * <A>-tag parameters
      * @var string
      */
@@ -3208,8 +3202,6 @@ class TypoScriptFrontendController implements LoggerAwareInterface
         } else {
             $this->absRefPrefix = '';
         }
-        $this->lockFilePath = '' . $this->config['config']['lockFilePath'];
-        $this->lockFilePath = $this->lockFilePath ?: $GLOBALS['TYPO3_CONF_VARS']['BE']['fileadminDir'];
         $this->ATagParams = trim($this->config['config']['ATagParams']) ? ' ' . trim($this->config['config']['ATagParams']) : '';
         $this->initializeSearchWordDataInTsfe();
         // linkVars
index d18ce5c..8e5988f 100644 (file)
@@ -1521,4 +1521,11 @@ return [
             'Breaking-83122-RemovedStdWrapOptionTCAselectItem.rst',
         ],
     ],
+    'TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->clean_directory' => [
+        'numberOfMandatoryArguments' => 0,
+        'maximumNumberOfArguments' => 0,
+        'restFiles' => [
+            'Breaking-83256-RemovedLockFilePathFunctionality.rst',
+        ],
+    ],
 ];
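Review bot: The new matcher entry declares `'numberOfMandatoryArguments' => 0` and `'maximumNumberOfArguments' => 0`, but the method this commit removes is `clean_directory($theDir)`, with one required parameter (see the deleted signature in ContentObjectRenderer.php). If the extension scanner narrows candidates by argument count, as these keys suggest, real calls that pass a directory would fall outside the declared range and go unreported. Both values should be one: `'numberOfMandatoryArguments' => 1,` and `'maximumNumberOfArguments' => 1,`.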
index 3909923..9532841 100644 (file)
@@ -219,6 +219,11 @@ return [
             'Breaking-81460-DeprecateGetByTagOnCacheFrontends.rst',
         ],
     ],
+    'TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController->lockFilePath' => [
+        'restFiles' => [
+            'Breaking-83256-RemovedLockFilePathFunctionality.rst',
+        ],
+    ],
 
     // Deprecated public properties
     'TYPO3\CMS\Frontend\Page\PageRepository->workspaceCache' => [
index f2ccb93..dc5c431 100644 (file)
@@ -541,11 +541,6 @@ locale_all = da_DK]]></description>
                        <default><![CDATA[
 ]]></default>
                </property>
-               <property name="lockFilePath" type="string">
-                       <description><![CDATA[This is used to lock paths to be "inside" this path.
-Used by "filelist" in stdWrap]]></description>
-                       <default><![CDATA[fileadmin/]]></default>
-               </property>
                <property name="message_page_is_being_generated" type="string">
                        <description><![CDATA[Alternative HTML message that appears if a page is being generated.
 Normally when a page is being generated a temporary copy is stored in the cache-table with an expire-time of 30 seconds.
index e45785d..261b124 100644 (file)
                                'locale_all': kw('locale_all'),
                                'localNesting': kw('localNesting'),
                                'locationData': kw('locationData'),
-                               'lockFilePath': kw('lockFilePath'),
                                'lockToIP': kw('lockToIP'),
                                'login': B,
                                'loginUser': A,