1 <?php
40  protected $hashService;
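/**
 * Builds the request hash for a set of form field names.
 *
 * Every field name is parsed from its HTML form notation (e.g. "user[address][street]",
 * "tags[]") into a nested array: each intermediate segment becomes an array, each final
 * segment becomes a leaf with the integer value 1, and a trailing "[]" appends a leaf
 * with an automatic numeric index. The nested array is then serialized and signed by
 * serializeAndHashFormFieldArray().
 *
 * When $fieldNamePrefix is non-empty, only the sub-array below that prefix is hashed;
 * names that do not start with the prefix are dropped from the result.
 *
 * Note that $formFieldNames are the names rendered INTO the form (they come from the
 * view, not from the request), so this method is the trusted side of the scheme;
 * verifyRequest() is the untrusted side.
 *
 * @param array $formFieldNames Form field names in HTML notation
 * @param string $fieldNamePrefix Optional prefix; when given only fields below it are covered by the hash
 * @return string The serialized field-name array followed by its HMAC
 * @throws \TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForRequestHashGenerationException
 *         if "[]" is used anywhere but as the last segment, or if a name declares a
 *         segment as an array that an earlier name declared as a leaf (or vice versa)
 */
public function generateRequestHash($formFieldNames, $fieldNamePrefix = '') {
	$formFieldArray = array();
	foreach ($formFieldNames as $formField) {
		$formFieldParts = explode('[', $formField);
		// count() is loop-invariant; evaluate it once per field name
		$partCount = count($formFieldParts);
		$lastIndex = $partCount - 1;
		$currentPosition = &$formFieldArray;
		for ($i = 0; $i < $partCount; $i++) {
			$formFieldPart = $formFieldParts[$i];
			// Strip off closing ] if needed (every segment after the first carries one)
			if (substr($formFieldPart, -1) === ']') {
				$formFieldPart = substr($formFieldPart, 0, -1);
			}
			// An earlier name declared this path as a leaf (value 1); descending into it is a conflict
			if (!is_array($currentPosition)) {
				throw new \TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForRequestHashGenerationException('The form field name "' . $formField . '" collides with a previous form field name which declared the field as string. (String overridden by Array)', 1255072197);
			}
			if ($i === $lastIndex) {
				// The reverse conflict: an earlier name already made this path an array
				if (isset($currentPosition[$formFieldPart]) && is_array($currentPosition[$formFieldPart])) {
					throw new \TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForRequestHashGenerationException('The form field name "' . $formField . '" collides with a previous form field name which declared the field as array. (Array overridden by String)', 1255072588);
				}
				// Last iteration - add a leaf; an empty segment means a trailing "[]"
				if ($formFieldPart === '') {
					$currentPosition[] = 1;
				} else {
					$currentPosition[$formFieldPart] = 1;
				}
			} else {
				// "[]" only makes sense as the final segment
				if ($formFieldPart === '') {
					throw new \TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForRequestHashGenerationException('The form field name "' . $formField . '" is invalid. Reason: "[]" used not as last argument.', 1255072833);
				}
				if (!isset($currentPosition[$formFieldPart])) {
					$currentPosition[$formFieldPart] = array();
				}
				$currentPosition = &$currentPosition[$formFieldPart];
			}
		}
	}
	// Drop the reference alias into $formFieldArray before the array is reassigned below
	unset($currentPosition);
	if ($fieldNamePrefix !== '') {
		// Only the fields below the prefix are part of the hash; a prefix with no fields yields an empty array
		$formFieldArray = isset($formFieldArray[$fieldNamePrefix]) ? $formFieldArray[$fieldNamePrefix] : array();
	}
	return $this->serializeAndHashFormFieldArray($formFieldArray);
}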
/**
 * Serializes the field-name array and appends its HMAC.
 *
 * The returned string is what generateRequestHash() hands back to the form. verifyRequest()
 * splits it apart again by taking the last 40 characters as the HMAC and everything before
 * them as the serialized field-name array, so the HMAC produced by the HashService has to be
 * exactly 40 characters long for the two sides to agree.
 *
 * @param array $formFieldArray Nested field-name array as built by generateRequestHash()
 * @return string serialize($formFieldArray) immediately followed by its HMAC
 */
protected function serializeAndHashFormFieldArray($formFieldArray) {
	$payload = serialize($formFieldArray);
	$signature = $this->hashService->generateHmac($payload);
	return $payload . $signature;
}
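/**
 * Verifies the "__hmac" argument of a request and records the result on the request.
 *
 * "__hmac" is expected to hold the output of generateRequestHash(): a serialized
 * field-name array followed by a 40-character HMAC. The request is marked as verified
 * only if (a) the HMAC is valid for the serialized part and (b) every request argument,
 * apart from the framework arguments "__referrer" and "__hmac", is covered by the signed
 * field names (see checkFieldNameInclusion()). The result is stored through
 * $request->setHmacVerified(); nothing is returned.
 *
 * A missing or empty "__hmac" simply marks the request as not verified. A present but
 * malformed "__hmac" (not a string, or shorter than the HMAC itself) is treated as a
 * manipulation attempt and throws.
 *
 * @param \TYPO3\CMS\Extbase\Mvc\Web\Request $request
 * @return void
 * @throws \TYPO3\CMS\Extbase\Security\Exception\SyntacticallyWrongRequestHashException if "__hmac" is present but not a string of at least 40 characters
 */
public function verifyRequest(\TYPO3\CMS\Extbase\Mvc\Web\Request $request) {
	$hmac = $request->getInternalArgument('__hmac');
	if (!$hmac) {
		$request->setHmacVerified(FALSE);
		return;
	}
	// "__hmac" is attacker-controlled. It must be a plain string carrying at least the HMAC;
	// a non-string value (e.g. "__hmac[]=..." in the query string) would otherwise reach
	// strlen()/substr() with undefined results.
	// TODO: Constant for hash length needs to be introduced
	if (!is_string($hmac) || strlen($hmac) < 40) {
		throw new \TYPO3\CMS\Extbase\Security\Exception\SyntacticallyWrongRequestHashException('Request hash too short. This is a probably manipulation attempt!', 1255089361);
	}
	$serializedFieldNames = substr($hmac, 0, -40);
	$hash = substr($hmac, -40);
	// The HMAC is checked BEFORE anything is unserialized: unserialize() must only ever see
	// data that was signed by this installation's HashService.
	// NOTE(review): validateHmac() is assumed to compare in constant time - confirm in HashService.
	if (!$this->hashService->validateHmac($serializedFieldNames, $hash)) {
		$request->setHmacVerified(FALSE);
		return;
	}
	// The signed payload only ever contains arrays and the integer 1 (see generateRequestHash()).
	// NOTE(review): on PHP >= 7.0 pass array('allowed_classes' => FALSE) as the second argument
	// so that even a compromised signing key cannot turn this into object instantiation.
	$allowedFields = unserialize($serializedFieldNames);
	if (!is_array($allowedFields)) {
		// Validly signed but not the expected structure: treat as unverified instead of letting
		// the array type hint of checkFieldNameInclusion() blow up.
		$request->setHmacVerified(FALSE);
		return;
	}
	$requestArguments = $request->getArguments();
	// Unset framework arguments
	unset($requestArguments['__referrer']);
	unset($requestArguments['__hmac']);
	$request->setHmacVerified($this->checkFieldNameInclusion($requestArguments, $allowedFields));
}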
/**
 * Checks that every request argument is covered by the signed field names.
 *
 * This is a one-way inclusion check: each key of $requestArguments must exist in
 * $allowedFields, and both sides must agree on whether that key is a leaf or a nested
 * array (nested arrays are compared recursively). An empty string submitted for a key
 * that is allowed as an array is accepted as well - presumably to cover an empty
 * submission of an array-typed field. Allowed fields that are absent from the request
 * do not matter; only extra or mistyped request arguments fail the check.
 *
 * @param array $requestArguments Arguments received with the request (framework arguments already removed)
 * @param array $allowedFields Nested field-name array restored from the signed "__hmac" payload
 * @return boolean TRUE if every request argument is allowed, FALSE at the first one that is not
 */
protected function checkFieldNameInclusion(array $requestArguments, array $allowedFields) {
	foreach ($requestArguments as $fieldName => $submittedValue) {
		if (!isset($allowedFields[$fieldName])) {
			// Argument was not part of the signed form at all
			return FALSE;
		}
		$allowedValue = $allowedFields[$fieldName];
		$submittedIsArray = is_array($submittedValue);
		$allowedIsArray = is_array($allowedValue);
		if ($submittedIsArray && $allowedIsArray) {
			// Both nested: descend
			if (!$this->checkFieldNameInclusion($submittedValue, $allowedValue)) {
				return FALSE;
			}
			continue;
		}
		if (!$submittedIsArray && !$allowedIsArray) {
			// Both leaves: nothing further to compare
			continue;
		}
		if (!$submittedIsArray && $submittedValue === '' && $allowedIsArray) {
			// Empty submission where an array is allowed
			continue;
		}
		// Leaf on one side, array on the other
		return FALSE;
	}
	return TRUE;
}
164 }