‪TYPO3CMS  10.4
Public Member Functions | Protected Member Functions | Protected Attributes | List of all members
TYPO3\CMS\Core\FormProtection\AbstractFormProtection Class Reference
Inheritance diagram for TYPO3\CMS\Core\FormProtection\AbstractFormProtection:
TYPO3\CMS\Core\Security\BlockSerializationTrait TYPO3\CMS\Core\FormProtection\BackendFormProtection TYPO3\CMS\Core\FormProtection\DisabledFormProtection TYPO3\CMS\Core\FormProtection\FrontendFormProtection TYPO3\CMS\Core\FormProtection\InstallToolFormProtection TYPO3\CMS\Core\Tests\Unit\FormProtection\Fixtures\FormProtectionTesting

Public Member Functions

 __destruct ()
 
 clean ()
 
string generateToken ($formName, $action='', $formInstanceName='')
 
bool validateToken ($tokenId, $formName, $action='', $formInstanceName='')
 
 persistSessionToken ()
 
- ‪Public Member Functions inherited from ‪TYPO3\CMS\Core\Security\BlockSerializationTrait
 __wakeup ()
 

Protected Member Functions

string getSessionToken ()
 
string generateSessionToken ()
 
 createValidationErrorMessage ()
 
string retrieveSessionToken ()
 

Protected Attributes

Closure $validationFailedCallback
 
string $sessionToken
 

Detailed Description

This class provides protection against cross-site request forgery (XSRF/CSRF) for forms.

For documentation on how to use this class, please see the documentation of the corresponding subclasses

Definition at line 29 of file AbstractFormProtection.php.

Constructor & Destructor Documentation

◆ __destruct()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::__destruct ( )

Frees as much memory as possible.

Definition at line 54 of file AbstractFormProtection.php.

Referenced by TYPO3\CMS\Core\Tests\Unit\FormProtection\AbstractFormProtectionTest\validateTokenForInvalidFormNameCallsCreateValidationErrorMessage(), TYPO3\CMS\Core\Tests\Unit\FormProtection\AbstractFormProtectionTest\validateTokenForInvalidTokenCallsCreateValidationErrorMessage(), and TYPO3\CMS\Core\Tests\Unit\FormProtection\AbstractFormProtectionTest\validateTokenForValidTokenNotCallsCreateValidationErrorMessage().

Member Function Documentation

◆ clean()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::clean ( )

Deletes the session token and persists the (empty) token.

This function is intended to be called when a user logs on or off.

Definition at line 64 of file AbstractFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\persistSessionToken().

Referenced by TYPO3\CMS\Core\Tests\Unit\FormProtection\AbstractFormProtectionTest\cleanPersistsToken(), and TYPO3\CMS\Core\Authentication\BackendUserAuthentication\logoff().

◆ createValidationErrorMessage()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::createValidationErrorMessage ( )
protected

Creates or displays an error message telling the user that the submitted form token is invalid.

Definition at line 130 of file AbstractFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\AbstractFormProtection\validateToken().

◆ generateSessionToken()

string TYPO3\CMS\Core\FormProtection\AbstractFormProtection::generateSessionToken ( )
protected

Generates the random token which is used in the hash for the form tokens.

Returns
‪string

Definition at line 121 of file AbstractFormProtection.php.

Referenced by TYPO3\CMS\Core\Tests\Unit\FormProtection\Fixtures\FormProtectionTesting\retrieveSessionToken(), TYPO3\CMS\Core\FormProtection\InstallToolFormProtection\retrieveSessionToken(), TYPO3\CMS\Core\FormProtection\FrontendFormProtection\retrieveSessionToken(), and TYPO3\CMS\Core\FormProtection\BackendFormProtection\retrieveSessionToken().

◆ generateToken()

string TYPO3\CMS\Core\FormProtection\AbstractFormProtection::generateToken (   $formName,
  $action = '',
  $formInstanceName = '' 
)

Generates a token for a form by hashing the given parameters with the secret session token.

Calling this function two times with the same parameters will create the same valid token during one user session.

Parameters
string$formName
string$action
string$formInstanceName
Returns
‪string the 32-character hex ID of the generated token
Exceptions

Reimplemented in TYPO3\CMS\Core\FormProtection\DisabledFormProtection.

Definition at line 83 of file AbstractFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\getSessionToken().

Referenced by TYPO3\CMS\Backend\Routing\UriBuilder\buildUriFromRoute(), TYPO3\CMS\Core\Tests\Unit\FormProtection\AbstractFormProtectionTest\generateTokenRetrievesTokenOnce(), TYPO3\CMS\Core\Tests\Unit\FormProtection\AbstractFormProtectionTest\validateTokenForInvalidFormNameCallsCreateValidationErrorMessage(), TYPO3\CMS\Core\Tests\Unit\FormProtection\AbstractFormProtectionTest\validateTokenForInvalidTokenCallsCreateValidationErrorMessage(), and TYPO3\CMS\Core\Tests\Unit\FormProtection\AbstractFormProtectionTest\validateTokenForValidTokenNotCallsCreateValidationErrorMessage().

◆ getSessionToken()

string TYPO3\CMS\Core\FormProtection\AbstractFormProtection::getSessionToken ( )
protected
Returns
‪string

Definition at line 45 of file AbstractFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\$sessionToken, and TYPO3\CMS\Core\FormProtection\AbstractFormProtection\retrieveSessionToken().

Referenced by TYPO3\CMS\Core\FormProtection\AbstractFormProtection\generateToken(), and TYPO3\CMS\Core\FormProtection\AbstractFormProtection\validateToken().

◆ persistSessionToken()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::persistSessionToken ( )
abstract

Saves the session token so that it can be used by a later incarnation of this class.

Reimplemented in TYPO3\CMS\Core\FormProtection\BackendFormProtection, TYPO3\CMS\Core\FormProtection\FrontendFormProtection, TYPO3\CMS\Core\FormProtection\InstallToolFormProtection, TYPO3\CMS\Core\FormProtection\DisabledFormProtection, and TYPO3\CMS\Core\Tests\Unit\FormProtection\Fixtures\FormProtectionTesting.

Referenced by TYPO3\CMS\Core\FormProtection\AbstractFormProtection\clean().

◆ retrieveSessionToken()

string TYPO3\CMS\Core\FormProtection\AbstractFormProtection::retrieveSessionToken ( )
abstractprotected

Retrieves the session token.

Returns
‪string

Reimplemented in TYPO3\CMS\Core\FormProtection\BackendFormProtection, TYPO3\CMS\Core\FormProtection\FrontendFormProtection, TYPO3\CMS\Core\FormProtection\InstallToolFormProtection, TYPO3\CMS\Core\FormProtection\DisabledFormProtection, and TYPO3\CMS\Core\Tests\Unit\FormProtection\Fixtures\FormProtectionTesting.

Referenced by TYPO3\CMS\Core\FormProtection\AbstractFormProtection\getSessionToken().

◆ validateToken()

bool TYPO3\CMS\Core\FormProtection\AbstractFormProtection::validateToken (   $tokenId,
  $formName,
  $action = '',
  $formInstanceName = '' 
)

Checks whether the token $tokenId is valid in the form $formName with $formInstanceName.

Parameters
string$tokenId
string$formName
string$action
string$formInstanceName
Returns
‪bool

Reimplemented in TYPO3\CMS\Core\FormProtection\DisabledFormProtection.

Definition at line 102 of file AbstractFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\createValidationErrorMessage(), and TYPO3\CMS\Core\FormProtection\AbstractFormProtection\getSessionToken().

Referenced by TYPO3\CMS\Core\Tests\Unit\FormProtection\AbstractFormProtectionTest\validateTokenForInvalidFormNameCallsCreateValidationErrorMessage(), TYPO3\CMS\Core\Tests\Unit\FormProtection\AbstractFormProtectionTest\validateTokenForInvalidTokenCallsCreateValidationErrorMessage(), TYPO3\CMS\Core\Tests\Unit\FormProtection\AbstractFormProtectionTest\validateTokenForValidTokenNotCallsCreateValidationErrorMessage(), and TYPO3\CMS\Core\Tests\Unit\FormProtection\AbstractFormProtectionTest\validateTokenRetrievesTokenOnce().

Member Data Documentation

◆ $sessionToken

string TYPO3\CMS\Core\FormProtection\AbstractFormProtection::$sessionToken
protected

The session token which is used to be hashed during token generation.

Definition at line 40 of file AbstractFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\AbstractFormProtection\getSessionToken(), TYPO3\CMS\Core\FormProtection\InstallToolFormProtection\persistSessionToken(), TYPO3\CMS\Core\FormProtection\FrontendFormProtection\retrieveSessionToken(), TYPO3\CMS\Core\FormProtection\BackendFormProtection\retrieveSessionToken(), and TYPO3\CMS\Core\FormProtection\BackendFormProtection\setSessionTokenFromRegistry().

◆ $validationFailedCallback

Closure TYPO3\CMS\Core\FormProtection\AbstractFormProtection::$validationFailedCallback
protected

Definition at line 34 of file AbstractFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\FrontendFormProtection\__construct(), and TYPO3\CMS\Core\FormProtection\BackendFormProtection\__construct().