TYPO3 Formhandler HashService Interceptor
<?php | |
/* * | |
* This script is part of the TYPO3 project - inspiring people to share! * | |
* * | |
* TYPO3 is free software; you can redistribute it and/or modify it under * | |
* the terms of the GNU General Public License version 2 as published by * | |
* the Free Software Foundation. * | |
* * | |
* This script is distributed in the hope that it will be useful, but * | |
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHAN- * | |
* TABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General * | |
* Public License for more details. * | |
* */ | |
/** | |
* An interceptor which is able to validate GET/POST variables with the | |
* TYPO3 Extbase HashService. | |
* | |
* NOTE: Make sure you use PreProcessor_LoadGetPost before using this interceptor! | |
* | |
* Example: | |
* <code> | |
* initInterceptors.1.class = Tx_Formhandler_Interceptor_HashService | |
* | |
* initInterceptors.1.config.redirectPage = 17 | |
* | |
* initInterceptors.1.config.validateHmac.fields.uid1 = hmacForUid1 | |
* initInterceptors.1.config.validateHmac.fields.uid2 = hmacForUid2 | |
* | |
* initInterceptors.1.config.validateAndStripHmac.fields.1 = appendedHmacString1 | |
* initInterceptors.1.config.validateAndStripHmac.fields.2 = appendedHmacString2 | |
* | |
* </code> | |
* | |
* The validateHmac configuration checks whether the GP var hmacForUid1 is the
* correct HMAC for the GP var uid1.
*
* The validateAndStripHmac configuration checks whether the GP var appendedHmacString1
* is a string with an appended HMAC that can be validated.
* | |
* @author Torben Hansen <derhansen@gmail.com> | |
*/ | |
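class Tx_Formhandler_Interceptor_HashService extends Tx_Formhandler_AbstractInterceptor {

    /**
     * The main method called by the controller.
     *
     * On a failed validation the session is reset and an error message is
     * returned instead of the GET/POST parameters. If a redirectPage is
     * configured, the redirect is triggered before the message is returned.
     *
     * @return array|string The GET/POST parameters, or an error message if validation failed
     */
    public function process() {
        if ($this->validateGPVars()) {
            return $this->gp;
        }

        // Reset the session on every validation failure, redirect or not.
        $this->globals->getSession()->reset();
        if (!empty($this->settings['redirectPage'])) {
            $this->utilityFuncs->doRedirectBasedOnSettings($this->settings, $this->gp);
        }
        return 'Given GET/POST vars could not be validated';
    }

    /**
     * Performs HMAC validation for the configured GET/POST variables.
     *
     * Every configured field must be present as a string and must validate;
     * the first failure rejects the whole request. Non-string values (for
     * example a parameter submitted as an array) are rejected here rather
     * than being passed on to the HashService.
     *
     * Points to keep in mind when configuring this interceptor:
     * - If neither validateHmac nor validateAndStripHmac lists any fields,
     *   nothing is checked and this method returns TRUE.
     * - For validateAndStripHmac the stripped value is discarded; the GP var
     *   still carries the appended HMAC when later components read it.
     * - NOTE(review): only the value and the HMAC are handed to the
     *   HashService, not the field name. Presumably a value/HMAC pair is
     *   therefore not bound to a particular field - confirm that the code
     *   generating the HMACs includes whatever context is needed.
     *
     * @return bool TRUE if all configured fields validate, else FALSE
     */
    public function validateGPVars() {
        $hashService = new \TYPO3\CMS\Extbase\Security\Cryptography\HashService();

        // validateHmac: "field name => name of the GP var holding its HMAC".
        $hmacFields = array();
        if (isset($this->settings['validateHmac.']['fields.']) && is_array($this->settings['validateHmac.']['fields.'])) {
            $hmacFields = $this->settings['validateHmac.']['fields.'];
        }
        foreach ($hmacFields as $fieldName => $hmacFieldName) {
            // Missing or non-string input can never carry a valid HMAC.
            if (!isset($this->gp[$fieldName]) || !is_string($this->gp[$fieldName])) {
                return FALSE;
            }
            if (!isset($this->gp[$hmacFieldName]) || !is_string($this->gp[$hmacFieldName])) {
                return FALSE;
            }
            try {
                $isValid = $hashService->validateHmac($this->gp[$fieldName], $this->gp[$hmacFieldName]);
            } catch (\Exception $e) {
                // Treat any HashService error as a failed validation.
                return FALSE;
            }
            if (!$isValid) {
                return FALSE;
            }
        }

        // validateAndStripHmac: GP vars that hold a string with an appended HMAC.
        $appendedHmacFields = array();
        if (isset($this->settings['validateAndStripHmac.']['fields.']) && is_array($this->settings['validateAndStripHmac.']['fields.'])) {
            $appendedHmacFields = $this->settings['validateAndStripHmac.']['fields.'];
        }
        foreach ($appendedHmacFields as $appendedHmacFieldName) {
            if (!isset($this->gp[$appendedHmacFieldName]) || !is_string($this->gp[$appendedHmacFieldName])) {
                return FALSE;
            }
            try {
                // Only the validation outcome is used; the return value is ignored.
                $hashService->validateAndStripHmac($this->gp[$appendedHmacFieldName]);
            } catch (\Exception $e) {
                return FALSE;
            }
        }

        return TRUE;
    }
}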
?> |