[BUGFIX] Maintain compatibility with changed headline rendering
authorHelmut Hummel <typo3@helmut-hummel.de>
Fri, 12 Aug 2011 09:28:54 +0000 (11:28 +0200)
committerOliver Hader <oliver@typo3.org>
Fri, 12 Aug 2011 16:30:49 +0000 (18:30 +0200)
If the fontTag property is set and the dataWrap property is set to the
default value, replace the dataWrap with the fontTag property value and
disable insertData on this level (if set).

This is to retain compatibility with versions before 4.5.4 while
compatibility with modified templates (before and after 4.5.4) is still
provided.

Change-Id: Ieffeed7b7d766b0d248ed666bfef6e8f62ea1f38
Resolves: #28847
Related: #26876
Releases: 4.5, 4.4, 4.3
Reviewed-on: http://review.typo3.org/4283
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
Reviewed-by: Michael Stucki
Tested-by: Michael Stucki
tests/typo3/sysext/cms/tslib/tslib_content_testcase.php
typo3/sysext/cms/tslib/class.tslib_content.php

index 9081a7f..e74cd90 100644 (file)
@@ -49,6 +49,11 @@ class tslib_content_testcase extends tx_phpunit_testcase {
        private $tsfe;
 
        /**
+        * @var t3lib_timeTrack
+        */
+       private $timeTrack;
+
+       /**
         * @var t3lib_TStemplate
         */
        private $template;
@@ -67,6 +72,9 @@ class tslib_content_testcase extends tx_phpunit_testcase {
                $this->tsfe->config = array();
                $GLOBALS['TSFE'] = $this->tsfe;
 
+               $this->timeTrack = $this->getMock('t3lib_timeTrack');
+               $GLOBALS['TT'] = $this->timeTrack;
+
                $className = 'tslib_cObj_' . uniqid('test');
                eval('
                        class ' . $className . ' extends tslib_cObj {
@@ -85,8 +93,9 @@ class tslib_content_testcase extends tx_phpunit_testcase {
 
        public function tearDown() {
                $GLOBALS['TSFE'] = null;
+               $GLOBALS['TT'] = null;
 
-               unset($this->cObj, $this->tsfe, $this->template,$this->typoScriptImage);
+               unset($this->cObj, $this->tsfe, $this->timeTrack, $this->template,$this->typoScriptImage);
        }
 
        /**
@@ -163,5 +172,65 @@ class tslib_content_testcase extends tx_phpunit_testcase {
                        )
                );
        }
+
+       //////////////////////////////
+       // Tests concerning stdWrap
+       //////////////////////////////
+
+       /**
+        * Tests whether fontTag is replaced by dataWrap if the default
+        * css_styled_content configuration is used. This individual check
+        * is related to a security fix that would break compatibility to
+        * older TYPO3 default settings.
+        *
+        * @test
+        * @return void
+        * @see http://forge.typo3.org/issues/28847
+        */
+       public function isFontTagReplacedByDataWrapIfDefaultConfigurationIsFound() {
+               $testRegister = '{register:' . uniqid('register') . '}';
+               $testContent = uniqid('content');
+               $testToken = uniqid();
+               $configuration = array(
+                       'fontTag' => '<h1 class="' . $testToken . '">|</h1>',
+                       'dataWrap' => '<h1{register:headerStyle}{register:headerClass}>|</h1>',
+                       'insertData' => '1',
+               );
+
+               $this->timeTrack->expects($this->once())->method('setTSlogMessage');
+
+               $this->assertEquals(
+                       '<h1 class="' . $testToken . '">' . $testContent . $testRegister . '</h1>',
+                       $this->cObj->stdWrap($testContent . $testRegister, $configuration)
+               );
+       }
+
+       /**
+        * Tests whether fontTag is replaced by dataWrap if the default
+        * css_styled_content configuration is used. This individual check
+        * is related to a security fix that would break compatibility to
+        * older TYPO3 default settings.
+        *
+        * @test
+        * @return void
+        * @see http://forge.typo3.org/issues/28847
+        */
+       public function isFontTagNotReplacedByDataWrapIfIndividualConfigurationIsFound() {
+               $testRegister = '{register:' . uniqid('register') . '}';
+               $testContent = uniqid('content');
+               $testToken = uniqid();
+               $configuration = array(
+                       'fontTag' => '<h1 class="' . $testToken . '">|</h1>',
+                       'dataWrap' => '<div>|</div>',
+                       'insertData' => '1',
+               );
+
+               $this->timeTrack->expects($this->never())->method('setTSlogMessage');
+
+               $this->assertEquals(
+                       '<div><h1 class="' . $testToken . '">' . $testContent . '</h1></div>',
+                       $this->cObj->stdWrap($testContent . $testRegister, $configuration)
+               );
+       }
 }
 ?>
\ No newline at end of file
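Review bot: The docblock of `isFontTagNotReplacedByDataWrapIfIndividualConfigurationIsFound` is a copy of the previous test's and describes the opposite behaviour ("Tests whether fontTag is replaced by dataWrap if the default css_styled_content configuration is used"); it should read `Tests that fontTag is left untouched (and insertData still applied) when dataWrap differs from the default css_styled_content configuration.` The first test only asserts that `setTSlogMessage` is called once; constraining the call with `->with($this->stringContains('28847'), 2)` would also pin the logged message and severity. Both tests deliberately push a literal `{register:...}` token through stdWrap — the first expects it to survive unresolved because insertData was dropped, the second expects insertData to strip it — and a one-line comment saying so above each assertion would make the expected strings much easier to read. The class's setUp()/tearDown() lie outside this hunk.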
index 222470b..940c4d2 100644 (file)
@@ -3720,6 +3720,32 @@ class tslib_cObj {
                                $content = $hookObject->stdWrapPreProcess($content, $conf, $this);
                        }
 
+                               // Temporary workaround (to maintain compatibility for security fix! @see #26876)
+                               // If the fontTag property is set and the dataWrap property is set to the default value
+                               // then this indicates that we have a custom setup.
+                       if (isset($conf['fontTag']) && isset($conf['dataWrap']) && preg_match(
+                                       '|<h[0-9]\{register:headerStyle\}\{register:headerClass\}>\|</h[0-9]>|',
+                                       $conf['dataWrap']
+                               )) {
+                               // Write the fontTag property value to dataWrap like before the security fix was introduced.
+                               $conf['dataWrap'] = $conf['fontTag'];
+
+                               // Unset fontTag and insertData properties
+                               // insertData is removed because it would reintroduce the security issue which was already fixed.
+                               // In theory this may again break a site if someone really intended to let users write getData
+                               // values in the headline. However, unlike before the layout is no longer affected as only content
+                               // would change...
+                               unset($conf['fontTag']);
+                               if (isset($conf['insertData'])) {
+                                       unset($conf['insertData']);
+                               }
+
+                               // Since this is magic, log the action
+                               $message = 'For security reasons, the properties "fontTag" and "insertData" have replaced in lib.stdheader.10 with a dataWrap (see http://forge.typo3.org/issues/28847)';
+                               $GLOBALS['TT']->setTSlogMessage($message, 2);
+                               t3lib_div::sysLog($message, 'cms', t3lib_div::SYSLOG_SEVERITY_WARNING);
+                       }
+
                                // Setting current value, if so
                        if ($conf['setContentToCurrent']){$this->data[$this->currentValKey]=$content;}
                        if ($conf['setCurrent'] || $conf['setCurrent.']){$this->data[$this->currentValKey] = $this->stdWrap($conf['setCurrent'], $conf['setCurrent.']);}
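Review bot: The compatibility branch removes only the scalar `insertData` key; if stdWrap in this release also honours an `insertData.` sub-array (as it does for other properties), an old template that sets `insertData.` would keep getData substitution on editor-supplied headline text, which is exactly what #26876 closed — `unset($conf['fontTag'], $conf['insertData'], $conf['insertData.']);` covers both and makes the `isset` guard around the unset unnecessary. The trigger uses `isset($conf['fontTag'])`, so an explicitly empty `fontTag =` in an old template turns the default dataWrap into an empty string and the headline loses its wrapping element; `isset($conf['fontTag']) && $conf['fontTag'] !== ''` keeps the original wrap in that case. The regex is unanchored, so any dataWrap merely containing the default pattern triggers the rewrite; if that is intended, a comment saying so would save the next reader a question. The log string reads "have replaced" and names `lib.stdheader.10` although the check fires for any stdWrap with the default dataWrap; `'For security reasons, the properties "fontTag" and "insertData" have been replaced by a dataWrap (default lib.stdheader.10 configuration detected, see http://forge.typo3.org/issues/28847)'` would be accurate. The enclosing stdWrap() method starts and ends outside this hunk.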