‪TYPO3CMS  ‪main
TYPO3\CMS\Core\FormProtection\InstallToolFormProtection Class Reference
Inheritance diagram for TYPO3\CMS\Core\FormProtection\InstallToolFormProtection:
TYPO3\CMS\Core\FormProtection\AbstractFormProtection TYPO3\CMS\Core\Security\BlockSerializationTrait

Public Member Functions

 persistSessionToken ()
 
- Public Member Functions inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection
 clean ()
 
string generateToken ($formName, $action='', $formInstanceName='')
 
bool validateToken ($tokenId, $formName, $action='', $formInstanceName='')
 
- Public Member Functions inherited from TYPO3\CMS\Core\Security\BlockSerializationTrait
 __wakeup ()
 

Protected Member Functions

 retrieveSessionToken ()
 
- Protected Member Functions inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection
string getSessionToken ()
 
string generateSessionToken ()
 
 createValidationErrorMessage ()
 

Additional Inherited Members

- Protected Attributes inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection
Closure null $validationFailedCallback
 
string null $sessionToken
 

Detailed Description

This class provides protection against cross-site request forgery (XSRF/CSRF) in the install tool.

How to use this in the install tool:

For each form in the install tool (or link that changes some data), create a token and insert it as a hidden form element. The name of the form element does not matter; you only need it to get the form token for verifying it.

$formToken = $this->formProtection->generateToken(
    'installToolPassword', 'change'
);
// then put the generated form token in a hidden field in the template

The three parameters $formName, $action and $formInstanceName can be arbitrary strings, but they should make the form token as specific as possible. For different forms (e.g. the password change and editing the configuration), those values should be different.

When processing the data that has been submitted by the form, you can check that the form token is valid like this:

if ($dataHasBeenSubmitted && $this->formProtection->validateToken(
    $_POST['formToken'],
    'installToolPassword',
    'change'
)) {
    // process the data
} else {
    // no need to do anything here as the install tool form protection will
    // create an error message for an invalid token
}
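
The following stand-alone sketch is an added example, not TYPO3's own code: a hypothetical DemoFormProtection class binds a token to a per-session secret and the three parameters with an HMAC, so a token validates only for the same form name, action, instance name and session it was issued for. The class name, the secret handling, the HMAC construction and the form name 'installToolConfiguration' are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 code: a minimal token scheme with the same
// generateToken()/validateToken() call shape as described above.
final class DemoFormProtection
{
    /** Per-session secret; a real application keeps it in the server-side session. */
    private string $sessionToken;

    public function __construct(?string $sessionToken = null)
    {
        // Assumption: 32 random bytes, hex-encoded, serve as the session secret.
        $this->sessionToken = $sessionToken ?? bin2hex(random_bytes(32));
    }

    public function generateToken(string $formName, string $action = '', string $formInstanceName = ''): string
    {
        if ($formName === '') {
            throw new InvalidArgumentException('$formName must not be empty.');
        }
        // JSON-encode the parts so that ('ab', 'c') and ('a', 'bc') cannot
        // produce the same HMAC input, as plain concatenation would.
        $message = json_encode([$formName, $action, $formInstanceName], JSON_THROW_ON_ERROR);
        return hash_hmac('sha256', $message, $this->sessionToken);
    }

    public function validateToken(string $tokenId, string $formName, string $action = '', string $formInstanceName = ''): bool
    {
        // hash_equals() compares in constant time, avoiding a timing side channel.
        $expected = $this->generateToken($formName, $action, $formInstanceName);
        return hash_equals($expected, $tokenId);
    }
}

$protection = new DemoFormProtection();
$token = $protection->generateToken('installToolPassword', 'change');

// Same form name and action as at generation time.
var_dump($protection->validateToken($token, 'installToolPassword', 'change'));
// Same token submitted for a different form and action (constructed names).
var_dump($protection->validateToken($token, 'installToolConfiguration', 'edit'));
// Same token checked against a different session secret.
var_dump((new DemoFormProtection())->validateToken($token, 'installToolPassword', 'change'));
```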

Install Tool form protection

Definition at line 60 of file InstallToolFormProtection.php.

Member Function Documentation

◆ persistSessionToken()

TYPO3\CMS\Core\FormProtection\InstallToolFormProtection::persistSessionToken ( )

Saves the tokens so that they can be used by a later incarnation of this class.

Reimplemented from TYPO3\CMS\Core\FormProtection\AbstractFormProtection.

Definition at line 80 of file InstallToolFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\$sessionToken.

Referenced by TYPO3\CMS\Core\FormProtection\InstallToolFormProtection\retrieveSessionToken().

◆ retrieveSessionToken()

TYPO3\CMS\Core\FormProtection\InstallToolFormProtection::retrieveSessionToken ( )
protected