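<?php
/***************************************************************
 * Copyright notice
 *
 * (c) 2010-2011 Oliver Klee <typo3-coding@oliverklee.de>
 * All rights reserved
 *
 * This script is part of the TYPO3 project. The TYPO3 project is
 * free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * The GNU General Public License can be found at
 * http://www.gnu.org/copyleft/gpl.html.
 *
 * This script is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * This copyright notice MUST APPEAR in all copies of the script!
 ***************************************************************/

/**
 * Class t3lib_formprotection_InstallToolFormProtection.
 *
 * This class provides protection against cross-site request forgery (XSRF/CSRF)
 * in the install tool.
 *
 *
 * How to use this in the install tool:
 *
 * For each form in the install tool (or link that changes some data), create a
 * token and insert it as a hidden form element. The name of the form element
 * does not matter; you only need it to get the form token for verifying it.
 *
 * <pre>
 * $formToken = $this->formProtection->generateToken(
 *     'installToolPassword', 'change'
 * );
 * // then puts the generated form token in a hidden field in the template
 * </pre>
 *
 * The three parameters $formName, $action and $formInstanceName can be
 * arbitrary strings, but they should make the form token as specific as
 * possible. For different forms (e.g. the password change and editing the
 * configuration), those values should be different.
 *
 * At the end of the form, you need to persist the tokens. This makes sure that
 * generated tokens get saved, and also that removed tokens stay removed:
 *
 * <pre>
 * $this->formProtection()->persistTokens();
 * </pre>
 *
 *
 * When processing the data that has been submitted by the form, you can check
 * that the form token is valid like this:
 *
 * <pre>
 * if ($dataHasBeenSubmitted && $this->formProtection()->validateToken(
 *     (string) $_POST['formToken'],
 *     'installToolPassword',
 *     'change'
 * )) {
 *     // processes the data
 * } else {
 *     // no need to do anything here as the install tool form protection will
 *     // create an error message for an invalid token
 * }
 * </pre>
 *
 * Note that validateToken invalidates the token with the token ID. So calling
 * validate with the same parameters two times in a row will always return FALSE
 * for the second call.
 *
 * It is important that the tokens get validated <em>before</em> the tokens are
 * persisted. This makes sure that the tokens that get invalidated by
 * validateToken cannot be used again.
 *
 * Token storage: this implementation keeps the tokens in the PHP session
 * ($_SESSION['installToolFormTokens']). NOTE(review): this assumes the install
 * tool has started a PHP session before persistTokens() is called; without an
 * active session the persisted tokens do not survive the request and every
 * subsequent validation fails.
 *
 * $Id$
 *
 * @package TYPO3
 * @subpackage t3lib
 *
 * @author Oliver Klee <typo3-coding@oliverklee.de>
 */
class t3lib_formprotection_InstallToolFormProtection extends t3lib_formProtection_Abstract {
	/**
	 * the maximum number of tokens that can exist at the same time
	 *
	 * @var integer
	 */
	protected $maximumNumberOfTokens = 100;

	/**
	 * an instance of the install tool used for displaying messages
	 *
	 * Stays NULL until injectInstallTool() has been called.
	 *
	 * @var tx_install
	 */
	protected $installTool = NULL;

	/**
	 * Frees as much memory as possible.
	 */
	public function __destruct() {
		// Drop the reference to the install tool before the parent cleans up.
		$this->installTool = NULL;
		parent::__destruct();
	}

	/**
	 * Injects the current instance of the install tool.
	 *
	 * This instance will be used for displaying messages.
	 *
	 * @param tx_install $installTool the current instance of the install tool
	 *
	 * @return void
	 */
	public function injectInstallTool(tx_install $installTool) {
		$this->installTool = $installTool;
	}

	/**
	 * Creates or displays an error message telling the user that the submitted
	 * form token is invalid.
	 *
	 * @throws RuntimeException if no install tool has been injected via
	 *         injectInstallTool(), i.e. if there is nowhere to display the message
	 *
	 * @return void
	 */
	protected function createValidationErrorMessage() {
		if ($this->installTool === NULL) {
			// Without an injected install tool the call below would abort with an
			// uninformative "call to a member function on a non-object" fatal
			// error, hiding the actual cause (a missing injectInstallTool() call)
			// right in the token-validation failure path.
			throw new RuntimeException(
				'No install tool instance has been injected into ' .
				'the form protection; call injectInstallTool() first.'
			);
		}

		$this->installTool->addErrorMessage(
			'Validating the security token of this form has failed. ' .
			'Please reload the form and submit it again.'
		);
	}

	/**
	 * Retrieves all saved tokens.
	 *
	 * Reads the tokens back from the PHP session. Anything stored under the
	 * session key that is not an array (missing, NULL or a corrupted value) is
	 * treated as "no tokens saved" so that a bad session value cannot produce a
	 * non-array token list.
	 *
	 * @return array<array>
	 *         the saved tokens, will be empty if no tokens have been saved
	 */
	protected function retrieveTokens() {
		$tokens = array();

		if (isset($_SESSION['installToolFormTokens'])
			&& is_array($_SESSION['installToolFormTokens'])
		) {
			$tokens = $_SESSION['installToolFormTokens'];
		}

		return $tokens;
	}

	/**
	 * Saves the tokens so that they can be used by a later incarnation of this
	 * class.
	 *
	 * Writes the current token list (inherited from the parent class) to the PHP
	 * session under the same key retrieveTokens() reads.
	 *
	 * @return void
	 */
	public function persistTokens() {
		$_SESSION['installToolFormTokens'] = $this->tokens;
	}
}

// TYPO3 XCLASS hook: the path is taken from the installation's own
// TYPO3_CONF_VARS configuration, not from request input.
if (defined('TYPO3_MODE') && isset($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['ext/install/mod/class.tx_install_formprotection.php'])) {
	include_once($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['ext/install/mod/class.tx_install_formprotection.php']);
}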