9.5/_show_image_controller_8php_source.html

<?php

namespace ‪TYPO3\CMS\Frontend\Controller;


/*

 * This file is part of the TYPO3 CMS project.

 *

 * It is free software; you can redistribute it and/or modify it under

 * the terms of the GNU General Public License, either version 2

 * of the License, or any later version.

 *

 * For the full copyright and license information, please read the

 * LICENSE.txt file that was distributed with this source code.

 *

 * The TYPO3 project - inspiring people to share!

 */


use Psr\Http\Message\ResponseInterface;

use Psr\Http\Message\ServerRequestInterface;

use ‪TYPO3\CMS\Core\Exception;

use ‪TYPO3\CMS\Core\Http\Response;

use ‪TYPO3\CMS\Core\Resource\FileInterface;

use ‪TYPO3\CMS\Core\Resource\ProcessedFile;

use ‪TYPO3\CMS\Core\Resource\ResourceFactory;

use ‪TYPO3\CMS\Core\Utility\GeneralUtility;

use ‪TYPO3\CMS\Core\Utility\MathUtility;


class ‪ShowImageController

{

    protected const ‪ALLOWED_PARAMETER_NAMES = ['width', 'height', 'crop', 'bodyTag', 'title'];


    protected ‪$request;


    protected ‪$file;


    protected ‪$width;


    protected ‪$height;


    protected ‪$crop;


    protected ‪$frame;


    protected ‪$bodyTag = '<body>';


    protected ‪$title = 'Image';


    protected ‪$content = <<<EOF

<!DOCTYPE html>

<html>

<head>

    <title>###TITLE###</title>

    <meta name="robots" content="noindex,follow" />

</head>

###BODY###

    ###IMAGE###

</body>

</html>

EOF;


    protected ‪$imageTag = '<img src="###publicUrl###" alt="###alt###" title="###title###" width="###width###" height="###height###" />';


    public function ‪initialize()

    {

        $fileUid = $this->request->getQueryParams()['file'] ?? null;

        $parametersArray = $this->request->getQueryParams()['parameters'] ?? null;


        // If no file-param or parameters are given, we must exit

        if (!$fileUid || !isset($parametersArray) || !is_array($parametersArray)) {

            throw new \InvalidArgumentException('No valid fileUid given', 1476048455);

        }


        // rebuild the parameter array and check if the HMAC is correct

        $parametersEncoded = implode('', $parametersArray);


        /* For backwards compatibility the HMAC is transported within the md5 param */

        $hmacParameter = $this->request->getQueryParams()['md5'] ?? null;

        $hmac = GeneralUtility::hmac(implode('|', [$fileUid, $parametersEncoded]));

        if (!is_string($hmacParameter) || !hash_equals($hmac, $hmacParameter)) {

            throw new \InvalidArgumentException('hash does not match', 1476048456);

        }


        // decode the parameters Array - `bodyTag` contains HTML if set and would lead

        // to a false-positive XSS-detection, that's why parameters are base64-encoded

        $parameters = json_decode(base64_decode($parametersEncoded), true) ?? [];

        foreach ($parameters as $parameterName => $parameterValue) {

            if (in_array($parameterName, static::ALLOWED_PARAMETER_NAMES, true)) {

                $this->{$parameterName} = $parameterValue;

            }

        }


        if (‪MathUtility::canBeInterpretedAsInteger($fileUid)) {

            $this->file = ‪ResourceFactory::getInstance()->‪getFileObject((int)$fileUid);

        } else {

            $this->file = ‪ResourceFactory::getInstance()->‪retrieveFileOrFolderObject($fileUid);

        }

        if ($this->file !== null && !$this->‪isFileValid($this->file)) {

            throw new ‪Exception('File processing for local storage is denied', 1594043425);

        }


        $this->frame = $this->request->getQueryParams()['frame'] ?? null;

    }


    public function ‪main()

    {

        $processedImage = $this->‪processImage();

        $imageTagMarkers = [

            '###publicUrl###' => htmlspecialchars($processedImage->getPublicUrl()),

            '###alt###' => htmlspecialchars($this->file->getProperty('alternative') ?: $this->title),

            '###title###' => htmlspecialchars($this->file->getProperty('title') ?: $this->title),

            '###width###' => $processedImage->getProperty('width'),

            '###height###' => $processedImage->getProperty('height')

        ];

        $this->imageTag = str_replace(array_keys($imageTagMarkers), array_values($imageTagMarkers), $this->imageTag);

        $markerArray = [

            '###TITLE###' => $this->file->getProperty('title') ?: ‪$this->title,

            '###IMAGE###' => ‪$this->imageTag,

            '###BODY###' => ‪$this->bodyTag

        ];


        $this->content = str_replace(array_keys($markerArray), array_values($markerArray), $this->content);

    }


    protected function ‪processImage()

    {

        if (strstr($this->width . $this->height, 'm')) {

            $max = 'm';

        } else {

            $max = '';

        }

        $this->height = ‪MathUtility::forceIntegerInRange($this->height, 0);

        $this->width = ‪MathUtility::forceIntegerInRange($this->width, 0) . $max;


        $processingConfiguration = [

            'width' => ‪$this->width,

            'height' => ‪$this->height,

            'frame' => ‪$this->frame,

            'crop' => ‪$this->crop,

        ];

        return $this->file->process(‪ProcessedFile::CONTEXT_IMAGECROPSCALEMASK, $processingConfiguration);

    }


    public function ‪processRequest(ServerRequestInterface ‪$request): ResponseInterface

    {

        $this->request = ‪$request;


        try {

            $this->‪initialize();

            $this->‪main();

            $response = new ‪Response();

            $response->getBody()->write($this->content);

            return $response;

        } catch (\InvalidArgumentException $e) {

            // add a 410 "gone" if invalid parameters given

            return (new ‪Response)->withStatus(410);

        } catch (‪Exception $e) {

            return (new Response)->withStatus(404);

        }

    }


    protected function ‪isFileValid(FileInterface ‪$file): bool

    {

        return ‪$file->getStorage()->getDriverType() !== 'Local'

            || GeneralUtility::verifyFilenameAgainstDenyPattern(basename(‪$file->getIdentifier()));

    }

}