ShowImageController.php

Go to the documentation of this file.

<?php
namespace ‪TYPO3\CMS\Frontend\Controller;
 
/*
 * This file is part of the TYPO3 CMS project.
 *
 * It is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License, either version 2
 * of the License, or any later version.
 *
 * For the full copyright and license information, please read the
 * LICENSE.txt file that was distributed with this source code.
 *
 * The TYPO3 project - inspiring people to share!
 */
 
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use ‪TYPO3\CMS\Core\Exception;
use ‪TYPO3\CMS\Core\Http\Response;
use ‪TYPO3\CMS\Core\Resource\FileInterface;
use ‪TYPO3\CMS\Core\Resource\ProcessedFile;
use ‪TYPO3\CMS\Core\Resource\ResourceFactory;
use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
use ‪TYPO3\CMS\Core\Utility\MathUtility;
 
class ‪ShowImageController
{
    protected const ‪ALLOWED_PARAMETER_NAMES = ['width', 'height', 'crop', 'bodyTag', 'title'];
 
    protected ‪$request;
 
    protected ‪$file;
 
    protected ‪$width;
 
    protected ‪$height;
 
    protected ‪$crop;
 
    protected ‪$frame;
 
    protected ‪$bodyTag = '<body>';
 
    protected ‪$title = 'Image';
 
    protected ‪$content = <<<EOF
<!DOCTYPE html>
<html>
<head>
    <title>###TITLE###</title>
    <meta name="robots" content="noindex,follow" />
</head>
###BODY###
    ###IMAGE###
</body>
</html>
EOF;
 
    protected ‪$imageTag = '<img src="###publicUrl###" alt="###alt###" title="###title###" width="###width###" height="###height###" />';
 
    public function ‪initialize()
    {
        $fileUid = $this->request->getQueryParams()['file'] ?? null;
        $parametersArray = $this->request->getQueryParams()['parameters'] ?? null;
 
        // If no file-param or parameters are given, we must exit
        if (!$fileUid || !isset($parametersArray) || !is_array($parametersArray)) {
            throw new \InvalidArgumentException('No valid fileUid given', 1476048455);
        }
 
        // rebuild the parameter array and check if the HMAC is correct
        $parametersEncoded = implode('', $parametersArray);
 
        /* For backwards compatibility the HMAC is transported within the md5 param */
        $hmacParameter = $this->request->getQueryParams()['md5'] ?? null;
        $hmac = GeneralUtility::hmac(implode('|', [$fileUid, $parametersEncoded]));
        if (!is_string($hmacParameter) || !hash_equals($hmac, $hmacParameter)) {
            throw new \InvalidArgumentException('hash does not match', 1476048456);
        }
 
        // decode the parameters Array - `bodyTag` contains HTML if set and would lead
        // to a false-positive XSS-detection, that's why parameters are base64-encoded
        $parameters = json_decode(base64_decode($parametersEncoded), true) ?? [];
        foreach ($parameters as $parameterName => $parameterValue) {
            if (in_array($parameterName, static::ALLOWED_PARAMETER_NAMES, true)) {
                $this->{$parameterName} = $parameterValue;
            }
        }
 
        if (‪MathUtility::canBeInterpretedAsInteger($fileUid)) {
            $this->file = ‪ResourceFactory::getInstance()->‪getFileObject((int)$fileUid);
        } else {
            $this->file = ‪ResourceFactory::getInstance()->‪retrieveFileOrFolderObject($fileUid);
        }
        if ($this->file !== null && !$this->‪isFileValid($this->file)) {
            throw new ‪Exception('File processing for local storage is denied', 1594043425);
        }
 
        $this->frame = $this->request->getQueryParams()['frame'] ?? null;
    }
 
    public function ‪main()
    {
        $processedImage = $this->‪processImage();
        $imageTagMarkers = [
            '###publicUrl###' => htmlspecialchars($processedImage->getPublicUrl()),
            '###alt###' => htmlspecialchars($this->file->getProperty('alternative') ?: $this->title),
            '###title###' => htmlspecialchars($this->file->getProperty('title') ?: $this->title),
            '###width###' => $processedImage->getProperty('width'),
            '###height###' => $processedImage->getProperty('height')
        ];
        $this->imageTag = str_replace(array_keys($imageTagMarkers), array_values($imageTagMarkers), $this->imageTag);
        $markerArray = [
            '###TITLE###' => $this->file->getProperty('title') ?: ‪$this->title,
            '###IMAGE###' => ‪$this->imageTag,
            '###BODY###' => ‪$this->bodyTag
        ];
 
        $this->content = str_replace(array_keys($markerArray), array_values($markerArray), $this->content);
    }
 
    protected function ‪processImage()
    {
        if (strstr($this->width . $this->height, 'm')) {
            $max = 'm';
        } else {
            $max = '';
        }
        $this->height = ‪MathUtility::forceIntegerInRange($this->height, 0);
        $this->width = ‪MathUtility::forceIntegerInRange($this->width, 0) . $max;
 
        $processingConfiguration = [
            'width' => ‪$this->width,
            'height' => ‪$this->height,
            'frame' => ‪$this->frame,
            'crop' => ‪$this->crop,
        ];
        return $this->file->process(‪ProcessedFile::CONTEXT_IMAGECROPSCALEMASK, $processingConfiguration);
    }
 
    public function ‪processRequest(ServerRequestInterface ‪$request): ResponseInterface
    {
        $this->request = ‪$request;
 
        try {
            $this->‪initialize();
            $this->‪main();
            $response = new ‪Response();
            $response->getBody()->write($this->content);
            return $response;
        } catch (\InvalidArgumentException $e) {
            // add a 410 "gone" if invalid parameters given
            return (new ‪Response)->withStatus(410);
        } catch (‪Exception $e) {
            return (new Response)->withStatus(404);
        }
    }
 
    protected function ‪isFileValid(FileInterface ‪$file): bool
    {
        return ‪$file->getStorage()->getDriverType() !== 'Local'
            || GeneralUtility::verifyFilenameAgainstDenyPattern(basename(‪$file->getIdentifier()));
    }
}