[BUGFIX] Check for not allowed file extensions in element browser 96/36496/8
authorArmin Ruediger Vieweg <armin@v.ieweg.de>
Fri, 30 Jan 2015 18:45:14 +0000 (19:45 +0100)
committerSascha Egerer <sascha@sascha-egerer.de>
Sun, 1 Feb 2015 13:04:41 +0000 (14:04 +0100)
When adding files via the element browser, an additional check
ensures that files whose extensions are not allowed by the
TCA configuration can no longer be added.

Resolves: #64621
Releases: master
Change-Id: I43adc9292a34391a3e0c7c9f5c476aa399565e44
Reviewed-on: http://review.typo3.org/36496
Reviewed-by: Sascha Egerer <sascha@sascha-egerer.de>
Tested-by: Sascha Egerer <sascha@sascha-egerer.de>
typo3/sysext/backend/Classes/Form/Element/InlineElement.php
typo3/sysext/backend/Tests/Unit/Form/Element/InlineElementTest.php

index f82d0cf..0c1c7ad 100644 (file)
@@ -1263,6 +1263,11 @@ class InlineElement {
                        // For a selector of type group/db, prepend the tablename (<tablename>_<uid>):
                        $record[$config['foreign_selector']] = $selConfig['type'] != 'groupdb' ? '' : $selConfig['table'] . '_';
                        $record[$config['foreign_selector']] .= $foreignUid;
+                       $fileRecord = $this->getRecord(0, $selConfig['table'], $foreignUid);
+
+                       if (!$this->checkFileTypeAccessForField($selConfig, $fileRecord)) {
+                               return $this->getErrorMessageForAJAX('File extension ' . $fileRecord['extension'] . ' is not allowed here!');
+                       }
                }
                // The HTML-object-id's prefix of the dynamically created record
                $objectPrefix = $this->inlineNames['object'] . self::Structure_Separator . $current['table'];
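Review bot: The new guard passes the result of `getRecord()` straight into a method typed `array $fileRecord` and reads `$fileRecord['extension']` for the error message; if `getRecord()` can return NULL or FALSE for an unknown or inaccessible `$foreignUid` (its contract is not visible here), an unknown uid would surface as a type error instead of a well-formed AJAX error response. A missing record should be rejected explicitly before the type check, e.g. `if (!is_array($fileRecord)) {` / `return $this->getErrorMessageForAJAX('Record ' . $foreignUid . ' not found!');` / `}` placed before the `checkFileTypeAccessForField` call. The `if` branch this sits in and the enclosing AJAX handler both start and end outside the hunk, so whether `$foreignUid` is validated earlier cannot be confirmed from here.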
@@ -1304,6 +1309,27 @@ class InlineElement {
                return $jsonArray;
        }
 
+       /**
+        * Checks if a record selector may select a certain file type
+        *
+        * @param array $selectorConfiguration
+        * @param array $fileRecord
+        * @return bool
+        */
+       protected function checkFileTypeAccessForField(array $selectorConfiguration, array $fileRecord) {
+               if (isset($selectorConfiguration['PA']['fieldConf']['config']['appearance']['elementBrowserAllowed'])) {
+                       $allowedFileExtensions = GeneralUtility::trimExplode(
+                               ',',
+                               $selectorConfiguration['PA']['fieldConf']['config']['appearance']['elementBrowserAllowed'],
+                               TRUE
+                       );
+                       if (!in_array($fileRecord['extension'], $allowedFileExtensions, TRUE)) {
+                               return FALSE;
+                       }
+               }
+               return TRUE;
+       }
+
        /**
         * Handle AJAX calls to localize all records of a parent, localize a single record or to synchronize with the original language parent.
         *
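Review bot: The comparison `in_array($fileRecord['extension'], $allowedFileExtensions, TRUE)` is case-sensitive, so a TCA value such as `PNG` or a record whose `extension` is stored with upper-case letters is rejected even though that type is configured as allowed; unless the `extension` column is guaranteed lower-case (not visible here), normalise both sides with `$allowedFileExtensions = array_map('strtolower', GeneralUtility::trimExplode(',', ..., TRUE));` and `if (!in_array(strtolower($fileRecord['extension']), $allowedFileExtensions, TRUE)) {`. The docblock should state the default behaviour explicitly, e.g. `@return bool TRUE if no elementBrowserAllowed restriction is configured or the extension is listed, FALSE otherwise`. It is also worth documenting that an empty `elementBrowserAllowed` string produces an empty allowed list and therefore rejects every file, since `trimExplode` is called with the remove-empty flag.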
index 160c188..0fb68e0 100644 (file)
@@ -50,6 +50,11 @@ class InlineElementTest extends \TYPO3\CMS\Core\Tests\UnitTestCase {
                $this->assertEquals($expectedInlineNames, $this->subject->inlineNames);
        }
 
+       /**
+        * Provide structure for DataProvider tests
+        *
+        * @return array
+        */
        public function pushStructureFillsInlineStructureDataProvider() {
                return array(
                        'regular field' => array(
@@ -322,4 +327,43 @@ class InlineElementTest extends \TYPO3\CMS\Core\Tests\UnitTestCase {
                );
        }
 
+       /**
+        * Checks if the given filetype may be uploaded without *ANY* limit to
+        * filetypes being given
+        *
+        * @test
+        */
+       public function checkFileTypeAccessForFieldForFieldNoFiletypesReturnsTrue(){
+               $selectorData = array();
+               $fileData['extension'] = 'png';
+               $mockObject = $this->getAccessibleMock(\TYPO3\CMS\Backend\Form\Element\InlineElement::class, array('dummy'));
+               $mayUploadFile = $mockObject->_call('checkFileTypeAccessForField', $selectorData, $fileData);
+               $this->assertTrue($mayUploadFile);
+       }
+
+       /**
+        * Checks if the given filetype may be uploaded and the given filetype is *NOT*
+        * in the list of allowed files
+        * @test
+        */
+       public function checkFileTypeAccessForFieldFiletypesSetRecordTypeNotInListReturnsFalse(){
+               $selectorData['PA']['fieldConf']['config']['appearance']['elementBrowserAllowed'] = 'doc, png, jpg, tiff';
+               $fileData['extension'] = 'php';
+               $mockObject = $this->getAccessibleMock(\TYPO3\CMS\Backend\Form\Element\InlineElement::class, array('dummy'));
+               $mayUploadFile = $mockObject->_call('checkFileTypeAccessForField', $selectorData, $fileData);
+               $this->assertFalse($mayUploadFile);
+       }
+
+       /**
+        * Checks if the given filetype may be uploaded and the given filetype *is*
+        * in the list of allowed files
+        * @test
+        */
+       public function checkFileTypeAccessForFieldFiletypesSetRecordTypeInListReturnsTrue(){
+               $selectorData['PA']['fieldConf']['config']['appearance']['elementBrowserAllowed'] = 'doc, png, jpg, tiff';
+               $fileData['extension'] = 'png';
+               $mockObject = $this->getAccessibleMock(\TYPO3\CMS\Backend\Form\Element\InlineElement::class, array('dummy'));
+               $mayUploadFile = $mockObject->_call('checkFileTypeAccessForField', $selectorData, $fileData);
+               $this->assertTrue($mayUploadFile);
+       }
 }
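Review bot: The three new test methods open with `(){` instead of `() {`, which deviates from the brace style of the rest of the class (see the data provider earlier in the file), and the first name doubles "ForField" — `checkFileTypeAccessForFieldNoFiletypesReturnsTrue` reads cleaner. The docblocks describe whether a file "may be uploaded", while the method under test decides whether a file may be selected through the element browser; `Checks that any file type passes when no elementBrowserAllowed restriction is configured` would describe the first case accurately. Two decisions the implementation makes are not pinned by a test: an empty `elementBrowserAllowed` string, which yields an empty allowed list and rejects every extension, and an extension that differs only in case from the configured value. `$fileData` and `$selectorData` are also built by assigning into an undeclared variable; initialising them with `array()` first makes the fixtures explicit.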