|
TYPO3 API
SVNRelease
|
Public Member Functions | |
| injectHashService (Tx_Extbase_Security_Cryptography_HashService $hashService) | |
| generateRequestHash ($formFieldNames, $fieldNamePrefix= '') | |
| verifyRequest (Tx_Extbase_MVC_Web_Request $request) | |
Protected Member Functions | |
| serializeAndHashFormFieldArray ($formFieldArray) | |
| checkFieldNameInclusion (array $requestArguments, array $allowedFields) | |
Protected Attributes | |
| $hashService | |
This is a Service which can generate a request hash and check whether the currently given arguments fit to the request hash.
It is used when forms are generated and submitted: After a form has been generated, the method "generateRequestHash" is called with the names of all form fields. It cleans up the array of form fields and creates another representation of it, which is then serialized and hashed.
Both serialized form field list and the added hash form the request hash, which will be sent over the wire (as an argument __hmac).
On the validation side, the validation happens in two steps: 1) Check if the request hash is consistent (the hash value fits to the serialized string) 2) Check that _all_ GET/POST parameters submitted occur inside the form field list of the request hash.
Note: It is crucially important that a private key is computed into the hash value! This is done inside the HashService.
http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License, version 3 or later
Definition at line 47 of file RequestHashService.php.
| Tx_Extbase_Security_Channel_RequestHashService::checkFieldNameInclusion | ( | array $ | requestArguments, |
| array $ | allowedFields | ||
| ) | [protected] |
Check if every element in $requestArguments is in $allowedFields as well.
| array | $requestArguments | |
| array | $allowedFiels |
Definition at line 165 of file RequestHashService.php.
Referenced by verifyRequest().
| Tx_Extbase_Security_Channel_RequestHashService::generateRequestHash | ( | $ | formFieldNames, |
| $ | fieldNamePrefix = '' |
||
| ) |
Generate a request hash for a list of form fields
| array | $formFieldNames | Array of form fields |
Definition at line 70 of file RequestHashService.php.
References serializeAndHashFormFieldArray().
| Tx_Extbase_Security_Channel_RequestHashService::injectHashService | ( | Tx_Extbase_Security_Cryptography_HashService $ | hashService | ) |
| Tx_Extbase_Security_Cryptography_HashService | $hashService |
Definition at line 58 of file RequestHashService.php.
References $hashService.
| Tx_Extbase_Security_Channel_RequestHashService::serializeAndHashFormFieldArray | ( | $ | formFieldArray | ) | [protected] |
Serialize and hash the form field array
| array | $formFieldArray | form field array to be serialized and hashed |
Definition at line 118 of file RequestHashService.php.
Referenced by generateRequestHash().
| Tx_Extbase_Security_Channel_RequestHashService::verifyRequest | ( | Tx_Extbase_MVC_Web_Request $ | request | ) |
Verify the request. Checks if there is an __hmac argument, and if yes, tries to validate and verify it.
In the end, $request->setHmacVerified is set depending on the value.
| \F3\FLOW3\MVC\Web\Request | $request The request to verify |
Definition at line 131 of file RequestHashService.php.
References checkFieldNameInclusion(), Tx_Extbase_MVC_Request\getArgument(), Tx_Extbase_MVC_Request\getArguments(), Tx_Extbase_MVC_Request\hasArgument(), and Tx_Extbase_MVC_Web_Request\setHmacVerified().
Referenced by Tx_Extbase_Tests_Unit_Security_Channel_RequestHashServiceTest\verifyRequestHashSetsHmacVerifiedToFalseIfRequestDoesNotHaveAnHmacArgument(), and Tx_Extbase_Tests_Unit_Security_Channel_RequestHashServiceTest\verifyRequestHashThrowsExceptionIfHmacIsShortherThan40Characters().
Tx_Extbase_Security_Channel_RequestHashService::$hashService [protected] |
Definition at line 52 of file RequestHashService.php.
Referenced by injectHashService().
1.7.5.1