Commit 237f4950 authored by Oliver Hader, committed by Andreas Fernandez

[TASK] Switch to json_encode for file folder tree

Scalar values sent via HTTP query parameters to
FileSystemNavigationFrameController are now transported using `json_encode`
instead of `unserialize`. The parameter stream is still secured with an HMAC
before being deserialized.

Resolves: #91548
Releases: master, 10.4, 9.5
Change-Id: I57be68aac1787bdc27f2bbae40f8d71b1b33f79f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64625


Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
parent f3e4dc32
......@@ -120,7 +120,7 @@ class FileSystemNavigationFrameController
$scopeHash = $parsedBody['scopeHash'] ?? $queryParams['scopeHash'] ?? '';
if (!empty($scopeData) && hash_equals(GeneralUtility::hmac($scopeData), $scopeHash)) {
$this->scopeData = unserialize($scopeData);
$this->scopeData = json_decode($scopeData, true);
}
// Create folder tree object:
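Review bot: `json_decode($scopeData, true)` on L25 returns `null` for anything that is not valid JSON and a bare scalar for valid JSON that is not an object or array, so `$this->scopeData` can end up as `null` or a scalar even though the HMAC check on L23 has confirmed the payload was produced by the server. A one-line guard keeps the property's shape, `$this->scopeData = is_array($decoded = json_decode($scopeData, true)) ? $decoded : [];`, assuming the rest of the class expects an array, which this hunk does not show. The same guard also covers the deployment window in which an already-rendered tree still sends the old `serialize()` form with a presumably still-valid HMAC: that string is not JSON and would otherwise silently set `null`. The enclosing method starts and ends outside the hunk, and the line that reads `$scopeData` from the request is not visible here.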
......@@ -139,7 +139,7 @@ class FolderTreeView extends AbstractTreeView
if ($this->thisScript) {
// Activates dynamic AJAX based tree
$scopeData = serialize($this->scope);
$scopeData = json_encode($this->scope);
$scopeHash = GeneralUtility::hmac($scopeData);
$js = htmlspecialchars('Tree.load(' . GeneralUtility::quoteJSvalue($cmd) . ', ' . (int)$isExpand . ', this, ' . GeneralUtility::quoteJSvalue($scopeData) . ', ' . GeneralUtility::quoteJSvalue($scopeHash) . ');');
return '<a class="list-tree-control' . (!$isExpand ? ' list-tree-control-open' : ' list-tree-control-closed') . '" onclick="' . $js . '"><i class="fa"></i></a>';
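Review bot: `json_encode($this->scope)` on L33 returns `false` on failure (for example a string with invalid UTF-8), and that `false` then flows unchecked into `GeneralUtility::hmac()` and `quoteJSvalue()` on L34–L35, so the link would likely be emitted with an HMAC over an empty payload instead of failing loudly; check the result before use, e.g. `$scopeData = json_encode($this->scope);` followed by `if ($scopeData === false) { throw new \RuntimeException('Could not JSON-encode tree scope'); }` (`JSON_THROW_ON_ERROR` is shorter but needs PHP 7.3, which may matter if the 9.5 branch still supports PHP 7.2). JSON also does not round-trip objects the way `serialize()` did, so the receiving side now depends on `$this->scope` holding only scalars and arrays as the commit message states; a comment above L33 such as `// scope must only contain scalar values: it is JSON-encoded here and verified by HMAC on the receiving side` would pin that contract. The enclosing method continues outside the hunk.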