RequestHashService.php

Go to the documentation of this file.

<?php
namespace TYPO3\CMS\Extbase\Security\Channel;

class RequestHashService implements \TYPO3\CMS\Core\SingletonInterface {

    protected $hashService;

    public function generateRequestHash($formFieldNames, $fieldNamePrefix = '') {
        $formFieldArray = array();
        foreach ($formFieldNames as $formField) {
            $formFieldParts = explode('[', $formField);
            $currentPosition = &$formFieldArray;
            for ($i = 0; $i < count($formFieldParts); $i++) {
                $formFieldPart = $formFieldParts[$i];
                if (substr($formFieldPart, -1) == ']') {
                    $formFieldPart = substr($formFieldPart, 0, -1);
                }
                // Strip off closing ] if needed
                if (!is_array($currentPosition)) {
                    throw new \TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForRequestHashGenerationException('The form field name "' . $formField . '" collides with a previous form field name which declared the field as string. (String overridden by Array)', 1255072197);
                }
                if ($i == count($formFieldParts) - 1) {
                    if (isset($currentPosition[$formFieldPart]) && is_array($currentPosition[$formFieldPart])) {
                        throw new \TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForRequestHashGenerationException('The form field name "' . $formField . '" collides with a previous form field name which declared the field as array. (Array overridden by String)', 1255072588);
                    }
                    // Last iteration - add a string
                    if ($formFieldPart === '') {
                        $currentPosition[] = 1;
                    } else {
                        $currentPosition[$formFieldPart] = 1;
                    }
                } else {
                    if ($formFieldPart === '') {
                        throw new \TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForRequestHashGenerationException('The form field name "' . $formField . '" is invalid. Reason: "[]" used not as last argument.', 1255072833);
                    }
                    if (!isset($currentPosition[$formFieldPart])) {
                        $currentPosition[$formFieldPart] = array();
                    }
                    $currentPosition = &$currentPosition[$formFieldPart];
                }
            }
        }
        if ($fieldNamePrefix !== '') {
            $formFieldArray = isset($formFieldArray[$fieldNamePrefix]) ? $formFieldArray[$fieldNamePrefix] : array();
        }
        return $this->serializeAndHashFormFieldArray($formFieldArray);
    }

    protected function serializeAndHashFormFieldArray($formFieldArray) {
        $serializedFormFieldArray = serialize($formFieldArray);
        return $serializedFormFieldArray . $this->hashService->generateHmac($serializedFormFieldArray);
    }

    public function verifyRequest(\TYPO3\CMS\Extbase\Mvc\Web\Request $request) {
        if (!$request->getInternalArgument('__hmac')) {
            $request->setHmacVerified(FALSE);
            return;
        }
        $hmac = $request->getInternalArgument('__hmac');
        if (strlen($hmac) < 40) {
            throw new \TYPO3\CMS\Extbase\Security\Exception\SyntacticallyWrongRequestHashException('Request hash too short. This is a probably manipulation attempt!', 1255089361);
        }
        $serializedFieldNames = substr($hmac, 0, -40);
        // TODO: Constant for hash length needs to be introduced
        $hash = substr($hmac, -40);
        if ($this->hashService->validateHmac($serializedFieldNames, $hash)) {
            $requestArguments = $request->getArguments();
            // Unset framework arguments
            unset($requestArguments['__referrer']);
            unset($requestArguments['__hmac']);
            if ($this->checkFieldNameInclusion($requestArguments, unserialize($serializedFieldNames))) {
                $request->setHmacVerified(TRUE);
            } else {
                $request->setHmacVerified(FALSE);
            }
        } else {
            $request->setHmacVerified(FALSE);
        }
    }

    protected function checkFieldNameInclusion(array $requestArguments, array $allowedFields) {
        foreach ($requestArguments as $argumentName => $argumentValue) {
            if (!isset($allowedFields[$argumentName])) {
                return FALSE;
            }
            if (is_array($requestArguments[$argumentName]) && is_array($allowedFields[$argumentName])) {
                if (!$this->checkFieldNameInclusion($requestArguments[$argumentName], $allowedFields[$argumentName])) {
                    return FALSE;
                }
            } elseif (!is_array($requestArguments[$argumentName]) && !is_array($allowedFields[$argumentName])) {
            } elseif (!is_array($requestArguments[$argumentName]) && $requestArguments[$argumentName] === '' && is_array($allowedFields[$argumentName])) {
            } else {
                // different types - error
                return FALSE;
            }
        }
        return TRUE;
    }
}