RouteDispatcher.php

Go to the documentation of this file.

<?php
 
declare(strict_types=1);
 
/*
 * This file is part of the TYPO3 CMS project.
 *
 * It is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License, either version 2
 * of the License, or any later version.
 *
 * For the full copyright and license information, please read the
 * LICENSE.txt file that was distributed with this source code.
 *
 * The TYPO3 project - inspiring people to share!
 */
 
namespace ‪TYPO3\CMS\Backend\Http;
 
use Psr\Container\ContainerInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use ‪TYPO3\CMS\Backend\Routing\Exception\InvalidRequestTokenException;
use ‪TYPO3\CMS\Backend\Routing\Exception\MissingRequestTokenException;
use ‪TYPO3\CMS\Backend\Routing\Route;
use ‪TYPO3\CMS\Backend\Routing\UriBuilder;
use ‪TYPO3\CMS\Backend\Security\SudoMode\Access\AccessFactory;
use ‪TYPO3\CMS\Backend\Security\SudoMode\Access\AccessStorage;
use ‪TYPO3\CMS\Backend\Security\SudoMode\Exception\VerificationRequiredException;
use ‪TYPO3\CMS\Core\Configuration\Features;
use ‪TYPO3\CMS\Core\Core\Environment;
use ‪TYPO3\CMS\Core\FormProtection\FormProtectionFactory;
use ‪TYPO3\CMS\Core\Http\Dispatcher;
use ‪TYPO3\CMS\Core\Http\Security\ReferrerEnforcer;
use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
 
class ‪RouteDispatcher extends ‪Dispatcher
{
    public function ‪__construct(
        protected readonly ‪FormProtectionFactory $formProtectionFactory,
        protected readonly ‪AccessFactory $factory,
        protected readonly ‪AccessStorage $storage,
        ContainerInterface ‪$container,
    ) {
        parent::__construct(‪$container);
    }
 
    public function ‪dispatch(ServerRequestInterface $request): ResponseInterface
    {
        $route = $request->getAttribute('route');
 
        $enforceReferrerResponse = $this->‪enforceReferrer($request, $route);
        if ($enforceReferrerResponse !== null) {
            return $enforceReferrerResponse;
        }
        // Ensure that a token exists, and the token is requested, if the route requires a valid token
        $this->‪assertRequestToken($request, $route);
        // Ensure that sudo-mode is active, if the route requires it
        $this->‪assertSudoMode($request);
 
        $targetIdentifier = $route->getOption('target');
        $target = $this->‪getCallableFromTarget($targetIdentifier);
        $arguments = [$request];
        return $target(...$arguments);
    }
 
    protected function ‪enforceReferrer(ServerRequestInterface $request, ‪Route $route): ?ResponseInterface
    {
        $features = GeneralUtility::makeInstance(Features::class);
        if (!$features->isFeatureEnabled('security.backend.enforceReferrer')) {
            return null;
        }
        $referrerFlags = ‪GeneralUtility::trimExplode(',', $route->‪getOption('referrer') ?? '', true);
        if (!in_array('required', $referrerFlags, true)) {
            return null;
        }
        $referrerEnforcer = GeneralUtility::makeInstance(ReferrerEnforcer::class, $request);
        return $referrerEnforcer->handle([
            'flags' => $referrerFlags,
            'subject' => $route->‪getPath(),
        ]);
    }
 
    protected function ‪assertRequestToken(ServerRequestInterface $request, ‪Route $route): void
    {
        if ($route->‪getOption('access') === 'public') {
            return;
        }
        $token = (string)($request->getParsedBody()['token'] ?? $request->getQueryParams()['token'] ?? '');
        if (empty($token)) {
            throw new ‪MissingRequestTokenException(
                sprintf('Invalid request for route "%s"', $route->‪getPath()),
                1627905246
            );
        }
        $formProtection = $this->formProtectionFactory->createFromRequest($request);
        if (!$formProtection->validateToken($token, 'route', $route->‪getOption('_identifier'))) {
            throw new ‪InvalidRequestTokenException(
                sprintf('Invalid request for route "%s"', $route->‪getPath()),
                1425389455
            );
        }
    }
 
    protected function ‪assertSudoMode(ServerRequestInterface $request): void
    {
        // #93160: [TASK] Do not require sudo mode in development context
        if (‪Environment::getContext()->isDevelopment()) {
            return;
        }
        $route = $request->getAttribute('route');
        $settings = $route?->getOption('sudoMode') ?? null;
        if (!is_array($settings)) {
            return;
        }
 
        // sudo mode settings for subject are fetched from the request again
        $subject = $this->factory->buildRouteAccessSubject($request);
        if ($this->storage->findGrantsBySubject($subject)) {
            return;
        }
        // reuse existing matching claim, or create a new one
        $claim = $this->storage->findClaimBySubject($subject)
            ?? $this->factory->buildClaimForSubjectRequest($request, $subject);
        throw (new ‪VerificationRequiredException(
            'Sudo Mode Confirmation Required',
            1605812020
        ))->withClaim($claim);
    }
}