TYPO3 CMS  TYPO3_6-2
TYPO3\CMS\Core\FormProtection\AbstractFormProtection Class Reference
Inheritance diagram for TYPO3\CMS\Core\FormProtection\AbstractFormProtection (classes shown):
 t3lib_formprotection_Abstract
 TYPO3\CMS\Core\FormProtection\BackendFormProtection
 TYPO3\CMS\Core\FormProtection\DisabledFormProtection
 TYPO3\CMS\Core\FormProtection\InstallToolFormProtection
 TYPO3\CMS\Core\Tests\Unit\FormProtection\Fixtures\FormProtectionTesting
 t3lib_formprotection_BackendFormProtection
 t3lib_formprotection_DisabledFormProtection
 t3lib_formprotection_InstallToolFormProtection

Public Member Functions

 __destruct ()
 
 clean ()
 
 generateToken ($formName, $action='', $formInstanceName='')
 
 validateToken ($tokenId, $formName, $action='', $formInstanceName='')
 
 persistSessionToken ()
 

Protected Member Functions

 getSessionToken ()
 
 generateSessionToken ()
 
 createValidationErrorMessage ()
 
 retrieveSessionToken ()
 

Protected Attributes

 $sessionToken
 

Detailed Description

This file is part of the TYPO3 CMS project.

It is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License, either version 2 of the License, or any later version.

For the full copyright and license information, please read the LICENSE.txt file that was distributed with this source code.

The TYPO3 project - inspiring people to share!

This class provides protection against cross-site request forgery (XSRF/CSRF) for forms.

For documentation on how to use this class, please see the documentation of the corresponding subclasses.

Author
Oliver Klee <typo3-coding@oliverklee.de>
Helmut Hummel <helmut.hummel@typo3.org>

Definition at line 27 of file AbstractFormProtection.php.

Constructor & Destructor Documentation

◆ __destruct()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::__destruct ( )

Frees as much memory as possible.

Definition at line 49 of file AbstractFormProtection.php.

Member Function Documentation

◆ clean()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::clean ( )

Deletes the session token and persists the (empty) token.

This function is intended to be called when a user logs on or off.

Returns
void

Definition at line 60 of file AbstractFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\persistSessionToken().

◆ createValidationErrorMessage()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::createValidationErrorMessage ( )
abstract protected

Creates or displays an error message telling the user that the submitted form token is invalid.

This function may also be empty if the validation error should be handled silently.

Returns
void

Referenced by TYPO3\CMS\Core\FormProtection\BackendFormProtection\__construct(), TYPO3\CMS\Core\FormProtection\AbstractFormProtection\generateSessionToken(), and TYPO3\CMS\Core\FormProtection\AbstractFormProtection\validateToken().

◆ generateSessionToken()

◆ generateToken()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::generateToken (   $formName,
  $action = '',
  $formInstanceName = '' 
)

Generates a token for a form by hashing the given parameters with the secret session token.

Calling this function two times with the same parameters will create the same valid token during one user session.

Parameters
string $formName
string $action
string $formInstanceName
Returns
string the 32-character hex ID of the generated token
Exceptions

Definition at line 78 of file AbstractFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\getSessionToken(), and TYPO3\CMS\Core\Utility\GeneralUtility\hmac().

◆ getSessionToken()

◆ persistSessionToken()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::persistSessionToken ( )
abstract

Saves the session token so that it can be used by a later incarnation of this class.

private

Returns
void

Referenced by TYPO3\CMS\Core\FormProtection\AbstractFormProtection\clean(), and TYPO3\CMS\Core\FormProtection\AbstractFormProtection\generateSessionToken().

◆ retrieveSessionToken()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::retrieveSessionToken ( )
abstract protected

◆ validateToken()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::validateToken (   $tokenId,
  $formName,
  $action = '',
  $formInstanceName = '' 
)

Checks whether the token $tokenId is valid in the form $formName with $formInstanceName.

Parameters
string $tokenId
string $formName
string $action
string $formInstanceName
Returns
boolean

Definition at line 96 of file AbstractFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\createValidationErrorMessage(), TYPO3\CMS\Core\FormProtection\AbstractFormProtection\getSessionToken(), and TYPO3\CMS\Core\Utility\GeneralUtility\hmac().
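
An added sketch (not TYPO3's code) of the scheme that generateToken() and validateToken() describe: a per-form token derived by HMAC from the form parameters and the secret session token, then checked by recomputing it. The class name, the SHA-256 choice, the JSON field encoding, the empty-name check and the sample key are assumptions of this example, so the token length differs from the 32-character ID documented above.

```php
<?php
// Added illustration, not TYPO3 source. All names here are hypothetical.
final class DemoFormProtection
{
    /** @var string per-session secret, hex encoded */
    private $sessionToken;
    /** @var string server-side HMAC key (stands in for an installation secret) */
    private $serverKey;

    public function __construct(string $serverKey)
    {
        $this->serverKey = $serverKey;
        $this->sessionToken = bin2hex(random_bytes(32));
    }

    // Called on login/logout. This sketch regenerates the secret instead of
    // persisting an empty one; either way, previously issued tokens stop validating.
    public function clean(): void
    {
        $this->sessionToken = bin2hex(random_bytes(32));
    }

    public function generateToken(string $formName, string $action = '', string $formInstanceName = ''): string
    {
        if ($formName === '') {
            throw new InvalidArgumentException('$formName must not be empty.');
        }
        // JSON-encode the fields so ("ab", "c") and ("a", "bc") cannot produce the same input.
        $message = json_encode([$formName, $action, $formInstanceName, $this->sessionToken]);
        return hash_hmac('sha256', $message, $this->serverKey);
    }

    public function validateToken(string $tokenId, string $formName, string $action = '', string $formInstanceName = ''): bool
    {
        $expected = $this->generateToken($formName, $action, $formInstanceName);
        // hash_equals() compares in constant time, so the check leaks no prefix match.
        return hash_equals($expected, $tokenId);
    }
}

$fp = new DemoFormProtection('constructed-demo-key'); // constructed sample key
$token = $fp->generateToken('editRecord', 'delete', 'uid-42');
var_dump($token === $fp->generateToken('editRecord', 'delete', 'uid-42')); // same parameters, same session
var_dump($fp->validateToken($token, 'editRecord', 'delete', 'uid-42'));    // token replayed on its own form
var_dump($fp->validateToken($token, 'editRecord', 'update', 'uid-42'));    // token replayed on another action
$fp->clean();
var_dump($fp->validateToken($token, 'editRecord', 'delete', 'uid-42'));    // token replayed after clean()
```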

Member Data Documentation

◆ $sessionToken