Commit 7e90dbcb authored by Tymoteusz Motylewski's avatar Tymoteusz Motylewski Committed by Benni Mack

[!!!][TASK] Remove vC checks and deprecate veriCode() method

Since all backend URLs now carry a module token,
the veriCode is no longer needed.
Thus AbstractUserAuthentication::veriCode() is marked as deprecated,
vC parameter is not checked any more
and vC property is removed from some controllers.

Resolves: #79327
Releases: master
Change-Id: I47e459d95e8f561dcc933a832d22c86ed02aa707
Reviewed-on: https://review.typo3.org/51317

Tested-by: default avatarTYPO3com <no-reply@typo3.com>
Reviewed-by: Georg Ringer's avatarGeorg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer's avatarGeorg Ringer <georg.ringer@gmail.com>
Reviewed-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Tested-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
parent 02b97c45
......@@ -62,7 +62,7 @@ class ClearCacheToolbarItem implements ToolbarItemInterface
'id' => 'pages',
'title' => htmlspecialchars($languageService->sL('LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:flushPageCachesTitle')),
'description' => htmlspecialchars($languageService->sL('LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:flushPageCachesDescription')),
'href' => BackendUtility::getModuleUrl('tce_db', ['vC' => $backendUser->veriCode(), 'cacheCmd' => 'pages']),
'href' => BackendUtility::getModuleUrl('tce_db', ['cacheCmd' => 'pages']),
'icon' => $this->iconFactory->getIcon('actions-system-cache-clear-impact-low', Icon::SIZE_SMALL)->render()
];
$this->optionValues[] = 'pages';
......@@ -76,7 +76,7 @@ class ClearCacheToolbarItem implements ToolbarItemInterface
'id' => 'all',
'title' => htmlspecialchars($languageService->sL('LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:flushAllCachesTitle2')),
'description' => htmlspecialchars($languageService->sL('LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:flushAllCachesDescription2')),
'href' => BackendUtility::getModuleUrl('tce_db', ['vC' => $backendUser->veriCode(), 'cacheCmd' => 'all']),
'href' => BackendUtility::getModuleUrl('tce_db', ['cacheCmd' => 'all']),
'icon' => $this->iconFactory->getIcon('actions-system-cache-clear-impact-high', Icon::SIZE_SMALL)->render()
];
$this->optionValues[] = 'all';
......
......@@ -809,7 +809,7 @@ class ClickMenu
. '+top.rawurlencode(' . $this->frameLocation($loc . '.document') . '.pathname+'
. $this->frameLocation($loc . '.document') . '.search)+'
. GeneralUtility::quoteJSvalue(
'&cmd[' . $table . '][' . $uid . '][delete]=1&prErr=1&vC=' . $this->backendUser->veriCode()
'&cmd[' . $table . '][' . $uid . '][delete]=1&prErr=1'
)
. ';';
......@@ -925,7 +925,7 @@ class ClickMenu
GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('tce_db') . '&redirect=') . '+top.rawurlencode(' .
$this->frameLocation($loc . '.document') . '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+' .
GeneralUtility::quoteJSvalue(
'&data[' . $table . '][' . $uid . '][' . $flagField . ']=' . ($rec[$flagField] ? 0 : 1) . '&prErr=1&vC=' . $this->backendUser->veriCode()
'&data[' . $table . '][' . $uid . '][' . $flagField . ']=' . ($rec[$flagField] ? 0 : 1) . '&prErr=1'
) . ';};';
if ($table === 'pages') {
$editOnClick .= 'top.TYPO3.Backend.NavigationContainer.PageTree.refreshTree.defer(500);';
......@@ -1143,7 +1143,7 @@ class ClickMenu
. '+top.rawurlencode(' . $this->frameLocation(($loc . '.document'))
. '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+' .
GeneralUtility::quoteJSvalue(
'&file[delete][0][data]=' . rawurlencode($path) . '&vC=' . $this->backendUser->veriCode()
'&file[delete][0][data]=' . rawurlencode($path)
);
if ($this->backendUser->jsConfirmation(JsConfirmation::DELETE)) {
$fileOrFolderObject = ResourceFactory::getInstance()->retrieveFileOrFolderObject($path);
......@@ -1296,8 +1296,7 @@ class ClickMenu
GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('tce_db') . '&redirect=') . '+top.rawurlencode(' .
$this->frameLocation(($loc . '.document')) . '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+' .
GeneralUtility::quoteJSvalue(
'&cmd[pages][' . $srcUid . '][' . $action . ']=' . $negativeSign . $dstUid . '&prErr=1&vC=' .
$this->backendUser->veriCode()
'&cmd[pages][' . $srcUid . '][' . $action . ']=' . $negativeSign . $dstUid . '&prErr=1'
) . ';};';
return $this->linkItem(
$this->label($action . 'Page_' . $into),
......@@ -1322,8 +1321,7 @@ class ClickMenu
GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('tce_file') . '&redirect=') . '+top.rawurlencode(' .
$this->frameLocation(($loc . '.document')) . '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+' .
GeneralUtility::quoteJSvalue(
'&file[' . $action . '][0][data]=' . $srcPath . '&file[' . $action . '][0][target]=' . $dstPath . '&prErr=1&vC=' .
$this->backendUser->veriCode()
'&file[' . $action . '][0][data]=' . $srcPath . '&file[' . $action . '][0][target]=' . $dstPath . '&prErr=1'
) . ';};';
return $this->linkItem(
$this->label($action . 'Folder_into'),
......
......@@ -609,7 +609,6 @@ class Clipboard
public function pasteUrl($table, $uid, $setRedirect = true, array $update = null)
{
$urlParameters = [
'vC' => $this->getBackendUser()->veriCode(),
'prErr' => 1,
'uPT' => 1,
'CB[paste]' => $table . '|' . $uid,
......@@ -634,7 +633,6 @@ class Clipboard
public function deleteUrl($setRedirect = 1, $file = 0)
{
$urlParameters = [
'vC' => $this->getBackendUser()->veriCode(),
'prErr' => 1,
'uPT' => 1,
'CB[delete]' => 1,
......
......@@ -152,11 +152,6 @@ class EditDocumentController extends AbstractModule
*/
public $returnNewPageId;
/**
* @var string
*/
public $vC;
/**
* update BE_USER->uc
*
......@@ -528,7 +523,6 @@ class EditDocumentController extends AbstractModule
$this->cacheCmd = GeneralUtility::_GP('cacheCmd');
$this->redirect = GeneralUtility::_GP('redirect');
$this->returnNewPageId = GeneralUtility::_GP('returnNewPageId');
$this->vC = GeneralUtility::_GP('vC');
// See tce_db.php for relevate options here:
// Only options related to $this->data submission are included here.
/** @var $tce \TYPO3\CMS\Core\DataHandling\DataHandler */
......@@ -562,7 +556,6 @@ class EditDocumentController extends AbstractModule
$refInfo = parse_url(GeneralUtility::getIndpEnv('HTTP_REFERER'));
$httpHost = GeneralUtility::getIndpEnv('TYPO3_HOST_ONLY');
if ($httpHost != $refInfo['host']
&& $this->vC != $beUser->veriCode()
&& !$GLOBALS['TYPO3_CONF_VARS']['SYS']['doNotCheckReferer']
) {
$tce->log(
......@@ -571,7 +564,7 @@ class EditDocumentController extends AbstractModule
0,
0,
1,
'Referer host \'%s\' and server host \'%s\' did not match and veriCode was not valid either!',
'Referer host \'%s\' and server host \'%s\' did not match!',
1,
[$refInfo['host'], $httpHost]
);
......@@ -793,7 +786,7 @@ class EditDocumentController extends AbstractModule
}
}
function deleteRecord(table,id,url) { //
window.location.href = ' . GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('tce_db') . '&cmd[') . '+table+"]["+id+"][delete]=1&redirect="+escape(url)+"&vC=' . $beUser->veriCode() . '&prErr=1&uPT=1";
window.location.href = ' . GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('tce_db') . '&cmd[') . '+table+"]["+id+"][delete]=1&redirect="+escape(url)+"&prErr=1&uPT=1";
}
';
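Review bot: Dropping the `$this->vC != $beUser->veriCode()` leg from the condition at `if ($httpHost != $refInfo['host'] && !$GLOBALS['TYPO3_CONF_VARS']['SYS']['doNotCheckReferer'])` makes a missing Referer header an unconditional deny: `parse_url('')` yields no `host` key (undefined-index notice), so `$httpHost != null` is true and a client that strips Referer (e.g. `Referrer-Policy: no-referrer`, privacy proxies) can no longer reach the else branch unless `doNotCheckReferer` is set. Previously a valid vC let such clients through, so this is a behaviour change worth a sentence in the breaking-change note. Given the module token is presumably the real CSRF control here, I'd at least guard the index and compare strictly: `$refererHost = $refInfo['host'] ?? '';` followed by `if ($httpHost !== $refererHost && !$GLOBALS['TYPO3_CONF_VARS']['SYS']['doNotCheckReferer'])`. The enclosing method starts before and continues after this hunk.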
......
......@@ -55,14 +55,6 @@ class FileController
*/
protected $overwriteExistingFiles;
/**
* VeriCode - a hash of server specific value and other things which
* identifies if a submission is OK. (see $GLOBALS['BE_USER']->veriCode())
*
* @var string
*/
protected $vC;
/**
* The page where the user should be redirected after everything is done
*
......@@ -105,7 +97,6 @@ class FileController
$this->file = GeneralUtility::_GP('file');
$this->CB = GeneralUtility::_GP('CB');
$this->overwriteExistingFiles = DuplicationBehavior::cast(GeneralUtility::_GP('overwriteExistingFiles'));
$this->vC = GeneralUtility::_GP('vC');
$this->redirect = GeneralUtility::sanitizeLocalUrl(GeneralUtility::_GP('redirect'));
$this->initClipboard();
$this->fileProcessor = GeneralUtility::makeInstance(ExtendedFileUtility::class);
......@@ -146,7 +137,7 @@ class FileController
// Checking referrer / executing:
$refInfo = parse_url(GeneralUtility::getIndpEnv('HTTP_REFERER'));
$httpHost = GeneralUtility::getIndpEnv('TYPO3_HOST_ONLY');
if ($httpHost !== $refInfo['host'] && $this->vC !== $this->getBackendUser()->veriCode() && !$GLOBALS['TYPO3_CONF_VARS']['SYS']['doNotCheckReferer']) {
if ($httpHost !== $refInfo['host'] && !$GLOBALS['TYPO3_CONF_VARS']['SYS']['doNotCheckReferer']) {
$this->fileProcessor->writeLog(0, 2, 1, 'Referrer host "%s" and server host "%s" did not match!', [$refInfo['host'], $httpHost]);
} else {
$this->fileProcessor->start($this->file);
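Review bot: With the veriCode leg removed, the referer comparison at `if ($httpHost !== $refInfo['host'] && ...)` is now the only request-level check visible before `$this->fileProcessor->start($this->file)`, and it still dereferences `$refInfo['host']` without an isset guard, so an absent Referer produces a notice and a hard deny. The docblock that explained the old `$vC` property (and why the referer check exists) was deleted with it, leaving the remaining check undocumented; I'd add above the `if`: `// Referer check is defence-in-depth only; CSRF protection for this entry point is expected to come from the module token — confirm getModuleUrl() token validation covers tce_file` and read the host as `$refInfo['host'] ?? ''`. The enclosing main() continues outside the hunk.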
......
......@@ -763,7 +763,7 @@ class PageLayoutController
' . ($this->popView ? BackendUtility::viewOnClick($this->id, '', BackendUtility::BEgetRootLine($this->id)) : '') . '
function deleteRecord(table,id,url) { //
window.location.href = ' . GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('tce_db') . '&cmd[')
. ' + table + "][" + id + "][delete]=1&redirect=" + encodeURIComponent(url) + "&vC=' . $this->getBackendUser()->veriCode() . '&prErr=1&uPT=1";
. ' + table + "][" + id + "][delete]=1&redirect=" + encodeURIComponent(url) + "&prErr=1&uPT=1";
return false;
}
');
......
......@@ -91,13 +91,6 @@ class SimpleDataHandlerController
*/
public $CB;
/**
* Verification code
*
* @var string
*/
public $vC;
/**
* Boolean. Update Page Tree Trigger. If set and the manipulated records are pages then the update page tree signal will be set.
*
......@@ -138,7 +131,6 @@ class SimpleDataHandlerController
$this->redirect = GeneralUtility::sanitizeLocalUrl(GeneralUtility::_GP('redirect'));
$this->prErr = GeneralUtility::_GP('prErr');
$this->CB = GeneralUtility::_GP('CB');
$this->vC = GeneralUtility::_GP('vC');
$this->uPT = GeneralUtility::_GP('uPT');
// Creating DataHandler object
$this->tce = GeneralUtility::makeInstance(DataHandler::class);
......@@ -204,8 +196,8 @@ class SimpleDataHandlerController
// Checking referer / executing
$refInfo = parse_url(GeneralUtility::getIndpEnv('HTTP_REFERER'));
$httpHost = GeneralUtility::getIndpEnv('TYPO3_HOST_ONLY');
if ($httpHost != $refInfo['host'] && $this->vC != $this->getBackendUser()->veriCode() && !$GLOBALS['TYPO3_CONF_VARS']['SYS']['doNotCheckReferer']) {
$this->tce->log('', 0, 0, 0, 1, 'Referer host "%s" and server host "%s" did not match and veriCode was not valid either!', 1, [$refInfo['host'], $httpHost]);
if ($httpHost != $refInfo['host'] && !$GLOBALS['TYPO3_CONF_VARS']['SYS']['doNotCheckReferer']) {
$this->tce->log('', 0, 0, 0, 1, 'Referer host "%s" and server host "%s" did not match!', 1, [$refInfo['host'], $httpHost]);
} else {
// Register uploaded files
$this->tce->process_uploads($_FILES);
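Review bot: The referer check at `if ($httpHost != $refInfo['host'] && ...)` compares host strings with loose `!=` while the parallel check in FileController uses `!==`; now that this comparison is the sole condition on this branch, it should be strict and consistent, e.g. `if ($httpHost !== ($refInfo['host'] ?? '') && !$GLOBALS['TYPO3_CONF_VARS']['SYS']['doNotCheckReferer'])`. The `?? ''` also avoids the undefined-index notice when no Referer header is sent, a case the removed vC path previously covered. Note that `$refInfo['host']` is attacker-controlled and is interpolated into the log message on the next line; that is pre-existing, but worth confirming the log sink escapes it. The enclosing main() continues outside the hunk.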
......
......@@ -41,7 +41,7 @@ class PageMovingPagePositionMap extends PagePositionMap
*/
public function onClickEvent($pid, $newPagePID)
{
return 'window.location.href=' . \TYPO3\CMS\Core\Utility\GeneralUtility::quoteJSvalue(\TYPO3\CMS\Backend\Utility\BackendUtility::getModuleUrl('tce_db') . '&cmd[pages][' . $GLOBALS['SOBE']->moveUid . '][' . $this->moveOrCopy . ']=' . $pid . '&redirect=' . rawurlencode($this->R_URI) . '&prErr=1&uPT=1&vC=' . $GLOBALS['BE_USER']->veriCode()) . ';return false;';
return 'window.location.href=' . \TYPO3\CMS\Core\Utility\GeneralUtility::quoteJSvalue(\TYPO3\CMS\Backend\Utility\BackendUtility::getModuleUrl('tce_db') . '&cmd[pages][' . $GLOBALS['SOBE']->moveUid . '][' . $this->moveOrCopy . ']=' . $pid . '&redirect=' . rawurlencode($this->R_URI) . '&prErr=1&uPT=1') . ';return false;';
}
/**
......
......@@ -559,9 +559,9 @@ class PagePositionMap
{
$table = 'tt_content';
if (is_array($row)) {
$location = BackendUtility::getModuleUrl('tce_db') . '&cmd[' . $table . '][' . $moveUid . '][' . $this->moveOrCopy . ']=-' . $row['uid'] . '&prErr=1&uPT=1&vC=' . $this->getBackendUser()->veriCode();
$location = BackendUtility::getModuleUrl('tce_db') . '&cmd[' . $table . '][' . $moveUid . '][' . $this->moveOrCopy . ']=-' . $row['uid'] . '&prErr=1&uPT=1';
} else {
$location = BackendUtility::getModuleUrl('tce_db') . '&cmd[' . $table . '][' . $moveUid . '][' . $this->moveOrCopy . ']=' . $pid . '&data[' . $table . '][' . $moveUid . '][colPos]=' . $vv . '&prErr=1&vC=' . $this->getBackendUser()->veriCode();
$location = BackendUtility::getModuleUrl('tce_db') . '&cmd[' . $table . '][' . $moveUid . '][' . $this->moveOrCopy . ']=' . $pid . '&data[' . $table . '][' . $moveUid . '][colPos]=' . $vv . '&prErr=1';
}
$location .= '&redirect=' . rawurlencode($this->R_URI);
// returns to prev. page
......
......@@ -3098,7 +3098,6 @@ class BackendUtility
$urlParameters = [
'prErr' => 1,
'uPT' => 1,
'vC' => static::getBackendUserAuthentication()->veriCode()
];
$url = self::getModuleUrl('tce_db', $urlParameters) . $parameters . '&redirect=';
if ((int)$redirectUrl === -1) {
......
......@@ -54,7 +54,6 @@ class IssueCommandViewHelper extends AbstractViewHelper
/** @var BackendUserAuthentication $beUser */
$beUser = $GLOBALS['BE_USER'];
$urlParameters = [
'vC' => $beUser->veriCode(),
'prErr' => 1,
'uPT' => 1,
'redirect' => $arguments['redirectUrl'] ?: GeneralUtility::getIndpEnv('REQUEST_URI')
......
......@@ -73,7 +73,6 @@ class RemoveUserViewHelper extends AbstractViewHelper
$urlParameters = [
'cmd[be_users][' . $backendUser->getUid() . '][delete]' => 1,
'vC' => $beUser->veriCode(),
'prErr' => 1,
'uPT' => 1,
'redirect' => GeneralUtility::getIndpEnv('REQUEST_URI')
......
......@@ -1224,9 +1224,11 @@ abstract class AbstractUserAuthentication
* tce_db.php from eg. MSIE 5.0 because the proper referer is not passed with this browser...
*
* @return string
* @deprecated since TYPO3 v8, will be removed in TYPO3 v9
*/
public function veriCode()
{
GeneralUtility::logDeprecatedFunction();
return substr(md5($this->id . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), 0, 10);
}
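Review bot: The docblock above the deprecated `veriCode()` still describes only the legacy MSIE 5.0 referer workaround and does not tell callers what to use instead or why the value is unsuitable as a CSRF token; the `@deprecated` tag alone gives no migration hint. I'd add to the description: `Do not use this value as a CSRF or request token: it is a truncated md5 of the session id and the encryption key and is static for the lifetime of the session. Backend module URLs are protected by the module token instead (see the #79327 deprecation note).` Since the method still returns the real digest, extensions that keep embedding it in URLs continue to expose a session-derived value in query strings and referers until they migrate, which the note should make explicit.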
......
.. include:: ../../Includes.txt
========================================================================
Breaking: #79327 - The veriCode - vC parameter is not evaluated any more
========================================================================
See :issue:`79327`
Description
===========
The `veriCode` (`&vC=...`) parameter generated by :php:`AbstractUserAuthentication::veriCode` is not evaluated any more in:
- `ImportExportController::checkUpload()`
- `FileController::main()`
- `EditDocumentController::processData()`
- `SimpleDataHandlerController::main()`
Also following properties are removed:
- `EditDocumentController::vC`
- `SimpleDataHandlerController::vC`
- `ImportExportController::vC`
Impact
======
Any code reading from removed `vC` properties will now throw an "Undefined property" notice.
Affected Installations
======================
Any installation having code calling relaying on 'vC' property being present in aforementioned classes, or relaying on `vC` parameter being checked.
Migration
=========
Remove calls to `veriCode` or any `vC` HTTP parameter evaluation from your code. Ensure your code uses `moduleToken` to protect backend urls.
.. index:: Backend, PHP-API
\ No newline at end of file
.. include:: ../../Includes.txt
===========================================================================
Deprecation: #79327 - Deprecate AbstractUserAuthentication::veriCode method
===========================================================================
See :issue:`79327`
Description
===========
The :php:`AbstractUserAuthentication::veriCode` method has been marked as deprecated.
Right now all Backend urls require module token, so veriCode is not needed any more.
Veri token was used as an alternative verification when the JavaScript interface executes cmd's to tce_db.php from eg. MSIE 5.0 because the proper referer is not passed with this browser...
Impact
======
Calling :php:`AbstractUserAuthentication::veriCode` will log deprecation message.
Affected Installations
======================
Any installation having extensions calling :php:`AbstractUserAuthentication::veriCode`
Migration
=========
Remove calls to `veriCode` or any `vC` HTTP parameter evaluation from your code. Ensure your code uses `moduleToken` to protect backend urls.
.. index:: Backend, JavaScript, PHP-API
\ No newline at end of file
......@@ -492,7 +492,6 @@ class FileListController extends ActionController
$this->view->assign('searchWord', $searchWord);
$this->view->assign('files', $fileFacades);
$this->view->assign('veriCode', $this->getBackendUser()->veriCode());
$this->view->assign('deleteUrl', BackendUtility::getModuleUrl('tce_file'));
$this->view->assign('settings', [
'jsConfirmationDelete' => $this->getBackendUser()->jsConfirmation(JsConfirmation::DELETE)
......
......@@ -1009,7 +1009,6 @@ class FileList extends AbstractRecordList
. '" data-delete-url="' . htmlspecialchars($deleteUrl)
. '" data-title="' . htmlspecialchars($title)
. '" data-identifier="' . htmlspecialchars($fileOrFolderObject->getCombinedIdentifier())
. '" data-veri-code="' . $this->getBackendUser()->veriCode()
. '" data-delete-type="' . $deleteType
. '" title="' . htmlspecialchars($title) . '">'
. $this->iconFactory->getIcon('actions-edit-delete', Icon::SIZE_SMALL)->render() . '</a>';
......
......@@ -48,11 +48,6 @@ class DeleteFileViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractView
*/
public static function renderStatic(array $arguments, Closure $renderChildrenClosure, RenderingContextInterface $renderingContext)
{
$veriCode = '&vC=';
if ($GLOBALS['BE_USER'] instanceof \TYPO3\CMS\Core\Authentication\BackendUserAuthentication) {
$veriCode .= $GLOBALS['BE_USER']->veriCode();
}
if (empty($arguments['returnUrl'])) {
$arguments['returnUrl'] = GeneralUtility::getIndpEnv('REQUEST_URI');
}
......@@ -71,6 +66,6 @@ class DeleteFileViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractView
'redirect' => $arguments['returnUrl']
];
return BackendUtility::getModuleUrl('tce_file', $params) . $veriCode;
return BackendUtility::getModuleUrl('tce_file', $params);
}
}
......@@ -133,7 +133,6 @@
<a href="#" class="btn btn-default t3js-filelist-delete"
title="{f:translate( htmlEscape:'true', key:'LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:cm.delete' )}"
data-identifier="{file.identifier}"
data-veri-code="{veriCode}"
data-title="{f:translate( htmlEscape:'true', key:'LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:cm.delete' )}"
data-content="{f:translate( htmlEscape:'true', key:'LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:mess.delete', arguments: {0:file.name} )}"
data-check="{f:if(condition:settings.jsConfirmationDelete, then:'1', else:'0')}"
......
......@@ -27,9 +27,8 @@ define(['jquery', 'TYPO3/CMS/Backend/Modal', 'TYPO3/CMS/Backend/Severity'], func
redirectUrl = top.rawurlencode(top.list_frame.document.location.pathname+top.list_frame.document.location.search);
}
var identifier = $anchorElement.data('identifier');
var veriCode = $anchorElement.data('veriCode');
var deleteType = $anchorElement.data('deleteType');
var deleteUrl = $anchorElement.data('deleteUrl') + '&file[delete][0][data]=' + encodeURIComponent(identifier) + '&vC=' + encodeURIComponent(veriCode);
var deleteUrl = $anchorElement.data('deleteUrl') + '&file[delete][0][data]=' + encodeURIComponent(identifier);
if ($anchorElement.data('check')) {
var $modal = Modal.confirm($anchorElement.data('title'), $anchorElement.data('content'), Severity.warning, [
{
......