1 <?php

2 namespace ‪TYPO3\CMS\Extbase\Mvc\Controller;

3 

4 /*

5  * This file is part of the TYPO3 CMS project.

6  *

7  * It is free software; you can redistribute it and/or modify it under

8  * the terms of the GNU General Public License, either version 2

9  * of the License, or any later version.

10  *

11  * For the full copyright and license information, please read the

12  * LICENSE.txt file that was distributed with this source code.

13  *

14  * The TYPO3 project - inspiring people to share!

15  */

16 

17 use ‪TYPO3\CMS\Core\Error\Http\BadRequestException;

18 use ‪TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForHashGenerationException;

19 use ‪TYPO3\CMS\Extbase\Security\Exception\InvalidHashException;

20 

39 class ‪MvcPropertyMappingConfigurationService implements ‪\TYPO3\CMS\Core\SingletonInterface

40 {

46  protected ‪$hashService;

47 

51  public function ‪injectHashService(\‪TYPO3\CMS\‪Extbase\Security\Cryptography\HashService ‪$hashService)

52  {

53  $this->hashService = ‪$hashService;

54  }

55 

65  public function ‪generateTrustedPropertiesToken($formFieldNames, $fieldNamePrefix = '')

66  {

67  $formFieldArray = [];

68  foreach ($formFieldNames as $formField) {

69  $formFieldParts = explode('[', $formField);

70  $currentPosition = &$formFieldArray;

71  $formFieldPartsCount = count($formFieldParts);

72  for ($i = 0; $i < $formFieldPartsCount; $i++) {

73  $formFieldPart = $formFieldParts[$i];

74  $formFieldPart = rtrim($formFieldPart, ']');

75  if (!is_array($currentPosition)) {

76  throw new \TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForHashGenerationException('The form field "' . $formField . '" is declared as array, but it collides with a previous form field of the same name which declared the field as string. This is an inconsistency you need to fix inside your Fluid form. (String overridden by Array)', 1255072196);

77  }

78  if ($i === $formFieldPartsCount - 1) {

79  if (isset($currentPosition[$formFieldPart]) && is_array($currentPosition[$formFieldPart])) {

80  throw new \TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForHashGenerationException('The form field "' . $formField . '" is declared as string, but it collides with a previous form field of the same name which declared the field as array. This is an inconsistency you need to fix inside your Fluid form. (Array overridden by String)', 1255072587);

81  }

82  // Last iteration - add a string

83  if ($formFieldPart === '') {

84  $currentPosition[] = 1;

85  } else {

86  $currentPosition[$formFieldPart] = 1;

87  }

88  } else {

89  if ($formFieldPart === '') {

90  throw new \TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForHashGenerationException('The form field "' . $formField . '" is invalid. Reason: "[]" used not as last argument, but somewhere in the middle (like foo[][bar]).', 1255072832);

91  }

92  if (!isset($currentPosition[$formFieldPart])) {

93  $currentPosition[$formFieldPart] = [];

94  }

95  $currentPosition = &$currentPosition[$formFieldPart];

96  }

97  }

98  }

99  if ($fieldNamePrefix !== '') {

100  $formFieldArray = ($formFieldArray[$fieldNamePrefix] ?? []);

101  }

102  return $this->‪serializeAndHashFormFieldArray($formFieldArray);

103  }

104 

112  protected function ‪serializeAndHashFormFieldArray(array $formFieldArray)

113  {

114  $serializedFormFieldArray = serialize($formFieldArray);

115  return $this->hashService->appendHmac($serializedFormFieldArray);

116  }

117 

126  public function ‪initializePropertyMappingConfigurationFromRequest(\‪TYPO3\CMS\‪Extbase\Mvc\‪Request $request, \‪TYPO3\CMS\‪Extbase\Mvc\Controller\‪Arguments $controllerArguments)

127  {

128  $trustedPropertiesToken = $request->getInternalArgument('__trustedProperties');

129  if (!is_string($trustedPropertiesToken)) {

130  return;

131  }

132 

133  try {

134  $serializedTrustedProperties = $this->hashService->validateAndStripHmac($trustedPropertiesToken);

135  } catch (‪InvalidHashException | ‪InvalidArgumentForHashGenerationException $e) {

136  throw new ‪BadRequestException('The HMAC of the form could not be validated.', 1581862822);

137  }

138  $trustedProperties = unserialize($serializedTrustedProperties, ['allowed_classes' => false]);

139  foreach ($trustedProperties as $propertyName => $propertyConfiguration) {

140  if (!$controllerArguments->hasArgument($propertyName)) {

141  continue;

142  }

143  $propertyMappingConfiguration = $controllerArguments->getArgument($propertyName)->getPropertyMappingConfiguration();

144  $this->‪modifyPropertyMappingConfiguration($propertyConfiguration, $propertyMappingConfiguration);

145  }

146  }

147 

158  protected function ‪modifyPropertyMappingConfiguration($propertyConfiguration, \‪TYPO3\CMS\‪Extbase\Property\PropertyMappingConfiguration $propertyMappingConfiguration)

159  {

160  if (!is_array($propertyConfiguration)) {

161  return;

162  }

163 

164  if (isset($propertyConfiguration['__identity'])) {

165  $propertyMappingConfiguration->setTypeConverterOption(\‪TYPO3\CMS\‪Extbase\Property\TypeConverter\PersistentObjectConverter::class, \‪TYPO3\CMS\‪Extbase\Property\TypeConverter\PersistentObjectConverter::CONFIGURATION_MODIFICATION_ALLOWED, true);

166  unset($propertyConfiguration['__identity']);

167  } else {

168  $propertyMappingConfiguration->setTypeConverterOption(\‪TYPO3\CMS\‪Extbase\Property\TypeConverter\PersistentObjectConverter::class, \‪TYPO3\CMS\‪Extbase\Property\TypeConverter\PersistentObjectConverter::CONFIGURATION_CREATION_ALLOWED, true);

169  }

170 

171  foreach ($propertyConfiguration as $innerKey => $innerValue) {

172  if (is_array($innerValue)) {

173  $this->‪modifyPropertyMappingConfiguration($innerValue, $propertyMappingConfiguration->forProperty($innerKey));

174  }

175  $propertyMappingConfiguration->allowProperties($innerKey);

176  }

177  }

178 }