TYPO3 CMS  TYPO3_6-2
TYPO3\CMS\Extbase\Security\Channel\RequestHashService Class Reference
Inheritance diagram for TYPO3\CMS\Extbase\Security\Channel\RequestHashService:
TYPO3\CMS\Core\SingletonInterface Tx_Extbase_Security_Channel_RequestHashService

Public Member Functions

 generateRequestHash ($formFieldNames, $fieldNamePrefix='')
 
 verifyRequest (\TYPO3\CMS\Extbase\Mvc\Web\Request $request)
 

Protected Member Functions

 serializeAndHashFormFieldArray ($formFieldArray)
 
 checkFieldNameInclusion (array $requestArguments, array $allowedFields)
 

Protected Attributes

 $hashService
 

Detailed Description

This file is part of the TYPO3 CMS project.

It is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License, either version 2 of the License, or any later version.

For the full copyright and license information, please read the LICENSE.txt file that was distributed with this source code.

This is a service that generates a request hash and checks whether the arguments of the current request match that request hash.

It is used when forms are generated and submitted: after a form has been generated, the method "generateRequestHash" is called with the names of all form fields. It cleans up the array of form fields and creates another representation of it, which is then serialized and hashed.

The serialized form field list and the hash added to it together form the request hash, which is sent over the wire (as the argument __hmac).

On the validation side, the validation happens in two steps:
1) Check that the request hash is consistent (the hash value fits the serialized string).
2) Check that all GET/POST parameters submitted occur inside the form field list of the request hash.

Note: It is crucial that a private key is included in the computation of the hash value! This is done inside the HashService.
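
The generate/verify flow described above, as an added sketch (not TYPO3's own code; PHP 7+). The function names mirror this class, but the key, the field names and the use of JSON in place of PHP serialization are assumptions made for the illustration.

```php
<?php
// Added illustration, not TYPO3 code: key, field names and JSON encoding are assumptions.
const HMAC_LEN = 64; // hex length of an HMAC-SHA256 tag

// Turn names such as "post[title]" into a nested map: ['post' => ['title' => 1]].
function buildFieldTree(array $fieldNames): array {
    $tree = [];
    foreach ($fieldNames as $name) {
        $node = &$tree;
        foreach (explode('[', str_replace(']', '', $name)) as $part) {
            if (!isset($node[$part]) || !is_array($node[$part])) $node[$part] = [];
            $node = &$node[$part];
        }
        $node = 1; // leaf marks an allowed field
    }
    unset($node);
    return $tree;
}

function generateRequestHash(array $fieldNames, string $key): string {
    $payload = json_encode(buildFieldTree($fieldNames));
    return $payload . hash_hmac('sha256', $payload, $key);
}

function checkFieldNameInclusion(array $args, array $allowed): bool {
    foreach ($args as $name => $value) {
        if (!array_key_exists($name, $allowed)) return false;
        // A sub-array is only accepted where the form declared one, and vice versa.
        if (is_array($value) !== is_array($allowed[$name])) return false;
        if (is_array($value) && !checkFieldNameInclusion($value, $allowed[$name])) return false;
    }
    return true;
}

function verifyRequest(array $args, string $key): bool {
    $token = $args['__hmac'] ?? '';
    unset($args['__hmac']);
    if (!is_string($token) || strlen($token) <= HMAC_LEN) return false;
    $payload = substr($token, 0, -HMAC_LEN);
    // Step 1: authenticate the field list (constant-time compare) before decoding it.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), substr($token, -HMAC_LEN))) return false;
    // Step 2: every submitted argument must appear in the signed field list.
    $allowed = json_decode($payload, true);
    return is_array($allowed) && checkFieldNameInclusion($args, $allowed);
}
$key = 'constructed-demo-key'; // constructed; stands in for the server-side private key
$token = generateRequestHash(['post[title]', 'post[body]'], $key);
var_dump(verifyRequest(['post' => ['title' => 'Hi', 'body' => 'x'], '__hmac' => $token], $key)); // declared fields only
var_dump(verifyRequest(['post' => ['title' => 'Hi', 'isAdmin' => 1], '__hmac' => $token], $key)); // undeclared field
var_dump(verifyRequest(['post' => ['role' => 'x'], '__hmac' => str_replace('body', 'role', $token)], $key)); // edited list
```

The three calls cover a submission with only declared fields, one with an extra undeclared field, and one whose field list was edited without knowledge of the key.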

http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License, version 3 or later

Definition at line 34 of file RequestHashService.php.

Member Function Documentation

◆ checkFieldNameInclusion()

TYPO3\CMS\Extbase\Security\Channel\RequestHashService::checkFieldNameInclusion ( array  $requestArguments,
array  $allowedFields 
)
protected

Check if every element in $requestArguments is in $allowedFields as well.

Parameters
array $requestArguments
array $allowedFields
Returns
boolean TRUE if ALL fields inside requestArguments are in $allowedFields, FALSE otherwise.

Definition at line 146 of file RequestHashService.php.

Referenced by TYPO3\CMS\Extbase\Security\Channel\RequestHashService\verifyRequest().

◆ generateRequestHash()

TYPO3\CMS\Extbase\Security\Channel\RequestHashService::generateRequestHash (   $formFieldNames,
  $fieldNamePrefix = '' 
)

Generate a request hash for a list of form fields

Parameters
array $formFieldNames Array of form fields
string $fieldNamePrefix
Exceptions

Definition at line 51 of file RequestHashService.php.

References TYPO3\CMS\Extbase\Security\Channel\RequestHashService\serializeAndHashFormFieldArray().

◆ serializeAndHashFormFieldArray()

TYPO3\CMS\Extbase\Security\Channel\RequestHashService::serializeAndHashFormFieldArray (   $formFieldArray)
protected

Serialize and hash the form field array

Parameters
array $formFieldArray form field array to be serialized and hashed
Returns
string Hash

Definition at line 98 of file RequestHashService.php.

Referenced by TYPO3\CMS\Extbase\Security\Channel\RequestHashService\generateRequestHash().

◆ verifyRequest()

TYPO3\CMS\Extbase\Security\Channel\RequestHashService::verifyRequest ( \TYPO3\CMS\Extbase\Mvc\Web\Request  $request)

Verify the request. Checks if there is an __hmac argument, and if yes, tries to validate and verify it.

In the end, $request->setHmacVerified is set depending on the value.

Parameters
\TYPO3\CMS\Extbase\Mvc\Web\Request $request The request to verify
Exceptions

Definition at line 112 of file RequestHashService.php.

References TYPO3\CMS\Extbase\Security\Channel\RequestHashService\checkFieldNameInclusion().

Member Data Documentation

◆ $hashService

TYPO3\CMS\Extbase\Security\Channel\RequestHashService::$hashService
protected

Definition at line 40 of file RequestHashService.php.