FileDumpController.php

Go to the documentation of this file.

<?php
declare(strict_types = 1);
 
namespace ‪TYPO3\CMS\Core\Controller;
 
/*
 * This file is part of the TYPO3 CMS project.
 *
 * It is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License, either version 2
 * of the License, or any later version.
 *
 * For the full copyright and license information, please read the
 * LICENSE.txt file that was distributed with this source code.
 *
 * The TYPO3 project - inspiring people to share!
 */
 
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use ‪TYPO3\CMS\Core\Http\Response;
use ‪TYPO3\CMS\Core\Resource\FileInterface;
use ‪TYPO3\CMS\Core\Resource\Hook\FileDumpEIDHookInterface;
use ‪TYPO3\CMS\Core\Resource\ProcessedFileRepository;
use ‪TYPO3\CMS\Core\Resource\ResourceFactory;
use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
 
class ‪FileDumpController
{
    public function ‪dumpAction(ServerRequestInterface $request): ResponseInterface
    {
        $parameters = ['eID' => 'dumpFile'];
        $t = $this->‪getGetOrPost($request, 't');
        if ($t) {
            $parameters['t'] = $t;
        }
        $f = $this->‪getGetOrPost($request, 'f');
        if ($f) {
            $parameters['f'] = $f;
        }
        $p = $this->‪getGetOrPost($request, 'p');
        if ($p) {
            $parameters['p'] = $p;
        }
 
        if (hash_equals(GeneralUtility::hmac(implode('|', $parameters), 'resourceStorageDumpFile'), $this->‪getGetOrPost($request, 'token'))) {
            if (isset($parameters['f'])) {
                try {
                    $file = ‪ResourceFactory::getInstance()->‪getFileObject($parameters['f']);
                    if ($file->isDeleted() || $file->isMissing() || !$this->isFileValid($file)) {
                        $file = null;
                    }
                } catch (\‪Exception $e) {
                    $file = null;
                }
            } else {
                $file = GeneralUtility::makeInstance(ProcessedFileRepository::class)->findByUid($parameters['p']);
                if (!$file || $file->isDeleted() || !$this->isFileValid($file->getOriginalFile())) {
                    $file = null;
                }
            }
 
            if ($file === null) {
                return (new ‪Response)->withStatus(404);
            }
 
            // Hook: allow some other process to do some security/access checks. Hook should return 403 response if access is rejected, void otherwise
            foreach (‪$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['FileDumpEID.php']['checkFileAccess'] ?? [] as $className) {
                $hookObject = GeneralUtility::makeInstance($className);
                if (!$hookObject instanceof ‪FileDumpEIDHookInterface) {
                    throw new \UnexpectedValueException($className . ' must implement interface ' . FileDumpEIDHookInterface::class, 1394442417);
                }
                $response = $hookObject->checkFileAccess($file);
                if ($response instanceof ResponseInterface) {
                    return $response;
                }
            }
 
            return $file->getStorage()->streamFile($file);
        }
        return (new ‪Response)->withStatus(403);
    }
 
    protected function ‪getGetOrPost(ServerRequestInterface $request, string $parameter): string
    {
        return (string)($request->getParsedBody()[$parameter] ?? $request->getQueryParams()[$parameter] ?? '');
    }
 
    protected function ‪isFileValid(‪FileInterface $file): bool
    {
        return $file->‪getStorage()->‪getDriverType() !== 'Local'
            || GeneralUtility::verifyFilenameAgainstDenyPattern(basename($file->‪getIdentifier()));
    }
}