Fix for the formmail issue (TYPO3-20050307-1)
authorKarsten Dambekalns <karsten.dambekalns@typo3.org>
Mon, 7 Mar 2005 15:32:37 +0000 (15:32 +0000)
committerKarsten Dambekalns <karsten.dambekalns@typo3.org>
Mon, 7 Mar 2005 15:32:37 +0000 (15:32 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@571 709f56b5-9817-0410-a4d7-c38de5d9e867

t3lib/config_default.php
typo3/sysext/cms/tslib/class.tslib_content.php
typo3/sysext/cms/tslib/class.tslib_fe.php

index d515b4b..615c689 100755 (executable)
@@ -168,6 +168,7 @@ $TYPO3_CONF_VARS = Array(
                'simulateStaticDocuments' => 0,                 // Boolean. This is the default value for simulateStaticDocuments (configurable with TypoScript which overrides this, if the TypoScript value is present)
                'noPHPscriptInclude' => 0,                              // Boolean. If set, PHP-scripts are not included by TypoScript configurations, unless they reside in 'media/scripts/'-folder. This is a security option to ensure that users with template-access do not terrorize
                'strictFormmail' => TRUE,                               // Boolean. If set, the internal "formmail" feature in TYPO3 will send mail ONLY to recipients which has been encoded by the system itself. This protects against spammers misusing the formmailer.
+               'secureFormmail' => true,                               // Boolean. If set, the internal "formmail" feature in TYPO3 will send mail ONLY to the recipients that are defined in the form CE record. This protects against spammers misusing the formmailer.
                'compressionLevel' => 0,                                // Determines output compression. Requires zlib in your php4 install. Range 1-9, where 1 is least compression (approx. 50%) and 9 is greatest compression (approx 33%). 'true' as value will set the compression based on system load (works with Linux, freebsd). Good default value is 3. For more info, see class in t3lib/class.gzip_encode.php written by Sandy McArthur, Jr. <Leknor@Leknor.com>
                'compressionDebugInfo' => 0,                    // Boolean. If set, then in the end of the pages, the sizes of the compressed and non-compressed document is output. This should be used ONLY as a test, because the content is compressed twice in order to output this statistics!
                'pageNotFound_handling' => '',                  // How TYPO3 should handle requests for non-existing/accessible pages. false (default): The 'nearest' page is shown. TRUE or '1': An TYPO3 error box is displayed. Integer > 1: Not used yet (outputs "ERROR: ###"). Strings: redirect URL, eg. 'notfound.html' or 'http://www.domain.org/errors/notfound.html'. If prefixed with "READFILE:" then it will expect the remaining string to be a HTML file which will be read and outputted directly after having the marker "###CURRENT_URL###" substituted with REQUEST_URI and ###REASON### with reason text, for example: "READFILE:fileadmin/notfound.html"
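Review bot: The comment on the new `secureFormmail` entry should state what is dropped, not only what is kept, because it defaults to `true` and changes behaviour on upgrade: the companion changes in class.tslib_content.php stop emitting the `recipient`/`recipient_copy` hidden fields configured via TypoScript (`recipient`, `hiddenFields.`), and class.tslib_fe.php then takes the address from the form content element's subheader and its `recipient_copy` hidden line in bodytext instead. I would extend it to `// Boolean. If set, the internal "formmail" feature in TYPO3 will send mail ONLY to the recipients that are defined in the form CE record (subheader and a "recipient_copy=hidden" line in bodytext); recipient addresses set via TypoScript are ignored. This protects against spammers misusing the formmailer.`. Minor: the line above writes the same literal as `TRUE`; keep the file's spelling for consistency.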
index c9655ba..93c883a 100755 (executable)
@@ -1748,6 +1748,9 @@ class tslib_cObj {
                                        break;
                                        case 'hidden':
                                                $value = trim($parts[2]);
+                                               if(strlen($value) && t3lib_div::inList('recipient_copy,recipient',$confData['fieldname']) && $GLOBALS['TYPO3_CONF_VARS']['FE']['secureFormmail']) {
+                                                 break;
+                                               }
                                                if (strlen($value) && t3lib_div::inList('recipient_copy,recipient',$confData['fieldname']))     {
                                                        $value = $GLOBALS['TSFE']->codeString($value);
                                                }
@@ -1890,7 +1893,7 @@ class tslib_cObj {
 
                        // Recipient:
                $theEmail = $this->stdWrap($conf['recipient'], $conf['recipient.']);
-               if ($theEmail)  {
+               if ($theEmail && !$GLOBALS['TYPO3_CONF_VARS']['FE']['secureFormmail'])  {
                        $theEmail = $GLOBALS['TSFE']->codeString($theEmail);
                        $hiddenfields.='<input type="hidden" name="recipient" value="'.htmlspecialchars($theEmail).'" />';
                }
@@ -1912,6 +1915,9 @@ class tslib_cObj {
                                if (substr($hF_key,-1)!='.')    {
                                        $hF_value = $this->cObjGetSingle($hF_conf,$conf['hiddenFields.'][$hF_key.'.'],'hiddenfields');
                                        if (strlen($hF_value) && t3lib_div::inList('recipient_copy,recipient',$hF_key)) {
+                                         if($GLOBALS['TYPO3_CONF_VARS']['FE']['secureFormmail']) {
+                                           continue;
+                                         }
                                                $hF_value = $GLOBALS['TSFE']->codeString($hF_value);
                                        }
                                        $hiddenfields.='<input type="hidden" name="'.$hF_key.'" value="'.htmlspecialchars($hF_value).'" />';
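Review bot: The `if ($theEmail && !$GLOBALS['TYPO3_CONF_VARS']['FE']['secureFormmail'])` guard silently discards a recipient that the integrator configured in TypoScript, and the `break` in the `'hidden'` case and the `continue` in the `hiddenFields.` loop do the same for `recipient`/`recipient_copy` fields, so a form that used to send mail will, after this change, send to whatever the content element's subheader holds with no trace in the admin panel. The stdWrap at `$theEmail = $this->stdWrap(...)` is still evaluated, so a log line costs nothing: `$GLOBALS['TT']->setTSlogMessage('FORM: TypoScript recipient "'.$theEmail.'" ignored because secureFormmail is set; recipients are taken from the content element.',2);` in an `else` branch of that `if`, with an equivalent message before the `continue`. The three checks read the same global in what looks like one method; a local `$secureFormmail` set once near the top of the function would be easier to audit, though the function's start is outside these hunks.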
index 5f12de0..cde0efd 100755 (executable)
                $formmail = t3lib_div::makeInstance('t3lib_formmail');
 
                $EMAIL_VARS = t3lib_div::_POST();
+               $locationData = $EMAIL_VARS['locationData'];
                unset($EMAIL_VARS['locationData']);
                unset($EMAIL_VARS['formtype_mail']);
 
                $integrityCheck = $this->TYPO3_CONF_VARS['FE']['strictFormmail'];
 
-                       // Check recipient field:
-               $encodedFields = explode(',','recipient,recipient_copy');       // These two fields are the ones which contain recipient addresses that can be misused to send mail from foreign servers.
-               foreach($encodedFields as $fieldKey)    {
-                       if (strlen($EMAIL_VARS[$fieldKey]))     {
-                               if ($res = $this->codeString($EMAIL_VARS[$fieldKey], TRUE))     {       // Decode...
-                                       $EMAIL_VARS[$fieldKey] = $res;  // Set value if OK
-                               } elseif ($integrityCheck)      {       // Otherwise abort:
-                                       $GLOBALS['TT']->setTSlogMessage('"Formmail" discovered a field ('.$fieldKey.') which could not be decoded to a valid string. Sending formmail aborted due to security reasons!',3);
-                                       return FALSE;
-                               } else {
-                                       $GLOBALS['TT']->setTSlogMessage('"Formmail" discovered a field ('.$fieldKey.') which could not be decoded to a valid string. The security level accepts this, but you should consider a correct coding though!',2);
-                               }
-                       }
+               if(!$this->TYPO3_CONF_VARS['FE']['secureFormmail']) {
+                 // Check recipient field:
+                 $encodedFields = explode(',','recipient,recipient_copy');     // These two fields are the ones which contain recipient addresses that can be misused to send mail from foreign servers.
+                 foreach($encodedFields as $fieldKey)  {
+                   if (strlen($EMAIL_VARS[$fieldKey])) {
+                     if ($res = $this->codeString($EMAIL_VARS[$fieldKey], TRUE))       {       // Decode...
+                     $EMAIL_VARS[$fieldKey] = $res;    // Set value if OK
+                     } elseif ($integrityCheck)        {       // Otherwise abort:
+                     $GLOBALS['TT']->setTSlogMessage('"Formmail" discovered a field ('.$fieldKey.') which could not be decoded to a valid string. Sending formmail aborted due to security reasons!',3);
+                     return false;
+                     } else {
+                       $GLOBALS['TT']->setTSlogMessage('"Formmail" discovered a field ('.$fieldKey.') which could not be decoded to a valid string. The security level accepts this, but you should consider a correct coding though!',2);
+                     }
+                   }
+                 }
+               }
+               else {
+                 $locData = explode(':',$locationData);
+                 $record = $this->sys_page->checkRecord($locData[1],$locData[2],1);
+                 $EMAIL_VARS['recipient'] = $record['subheader'];
+                 $EMAIL_VARS['recipient_copy'] = $this->extractRecipientCopy($record['bodytext']);
                }
 
                        // Hook for preprocessing of the content for formmails:
        }
 
        /**
+        * Extracts the value of recipient copy field from a formmail CE bodytext
+        *
+        * @param string $bodytext The content of the related bodytext field
+        * @return string The value of the recipient_copy field, or an empty string
+        */
+       function extractRecipientCopy($bodytext) {
+         $recipient_copy = '';
+         $fdef = array();
+         //|recipient_copy=hidden|karsten@localhost.localdomain
+         preg_match('/^[\s]*\|[\s]*recipient_copy[\s]*=[\s]*hidden[\s]*\|(.*)$/m', $bodytext, $fdef);
+         $recipient_copy = (!empty($fdef[1])) ? $fdef[1] : '';
+         return $recipient_copy;
+       }
+
+       /**
         * Checks if jumpurl is set.
         * This function also takes care of jumpurl utilized by the Direct Mail module (ext: direct_mail) which may set an integer value for jumpurl which refers to a link in a certain mail-record, mid
         *
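Review bot: The secure branch at `$record = $this->sys_page->checkRecord($locData[1],$locData[2],1);` never verifies that a record was found or that its subheader holds an address, so a tampered or stale `locationData` leaves `$EMAIL_VARS['recipient']` empty and the mail is silently dropped or sent nowhere, whereas the legacy branch aborts with a TSlog message and `return FALSE`. The table name in `$locData[1]` also comes straight from the POST body; since the code only makes sense for `tt_content` (it reads `subheader` and `bodytext`), the table should be fixed in code rather than trusted from the client, and the uid cast with `intval()` in case `checkRecord` does not do so itself. `extractRecipientCopy` should also `trim()` its capture — bodytext stored with CRLF line endings leaves a trailing `\r` on the address under the `/m` pattern: `return isset($fdef[1]) ? trim($fdef[1]) : '';`. The enclosing method begins before the hunk.

```php
                else {
                  $locData = explode(':',$locationData);
                  // Only a content element can define formmail recipients; never trust the posted table name.
                  if ($locData[1] != 'tt_content') {
                    $GLOBALS['TT']->setTSlogMessage('"Formmail" received a locationData value not pointing to tt_content. Sending formmail aborted due to security reasons!',3);
                    return FALSE;
                  }
                  $record = $this->sys_page->checkRecord('tt_content',intval($locData[2]),1);
                  if (!is_array($record) || !strlen(trim($record['subheader']))) {
                    $GLOBALS['TT']->setTSlogMessage('"Formmail" found no form content element with a recipient for locationData "'.$locationData.'". Sending formmail aborted!',3);
                    return FALSE;
                  }
                  $EMAIL_VARS['recipient'] = trim($record['subheader']);
                  $EMAIL_VARS['recipient_copy'] = $this->extractRecipientCopy($record['bodytext']);
                }
                // … unchanged: hook for preprocessing of the content for formmails …
```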