-
Notifications
You must be signed in to change notification settings - Fork 674
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[SECURITY] Avoid disclosing loaded extensions
Inline JavaScript settings for RequireJS and ajaxUrls disclose the existence of specific extensions in a TYPO3 installation. In case no backend user is logged in RequireJS settings are fetched using an according endpoint, ajaxUrls (for backend AJAX routes) are limited to those that are accessible without having a user session. Resolves: #83855 Releases: master, 9.5, 8.7 Security-Commit: af76c928bbe6fe05611db0839da879fce132daff Security-Bulletin: TYPO3-CORE-SA-2019-001 Change-Id: I90dddd2fd3fd81834cd40c8638fa487fa106b07c Reviewed-on: https://review.typo3.org/59520 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
- Loading branch information
Showing
6 changed files
with
442 additions
and
24 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
109 changes: 109 additions & 0 deletions
109
typo3/sysext/core/Classes/Controller/RequireJsController.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| <?php | ||
| declare(strict_types = 1); | ||
| namespace TYPO3\CMS\Core\Controller; | ||
|
|
||
| /* | ||
| * This file is part of the TYPO3 CMS project. | ||
| * | ||
| * It is free software; you can redistribute it and/or modify it under | ||
| * the terms of the GNU General Public License, either version 2 | ||
| * of the License, or any later version. | ||
| * | ||
| * For the full copyright and license information, please read the | ||
| * LICENSE.txt file that was distributed with this source code. | ||
| * | ||
| * The TYPO3 project - inspiring people to share! | ||
| */ | ||
|
|
||
| use Psr\Http\Message\ResponseInterface; | ||
| use Psr\Http\Message\ServerRequestInterface; | ||
| use TYPO3\CMS\Core\Http\JsonResponse; | ||
| use TYPO3\CMS\Core\Page\PageRenderer; | ||
| use TYPO3\CMS\Core\Utility\GeneralUtility; | ||
|
|
||
| /** | ||
| * Handling requirejs client requests. | ||
| */ | ||
| class RequireJsController | ||
| { | ||
| /** | ||
| * @var PageRenderer | ||
| */ | ||
| protected $pageRenderer; | ||
|
|
||
| public function __construct() | ||
| { | ||
| $this->pageRenderer = GeneralUtility::makeInstance(PageRenderer::class); | ||
| } | ||
|
|
||
| /** | ||
| * Retrieves additional requirejs configuration for a given module name or module path. | ||
| * | ||
| * The JSON result e.g. could look like: | ||
| * { | ||
| * "shim": { | ||
| * "vendor/module": ["exports" => "TheModule"] | ||
| * }, | ||
| * "paths": { | ||
| * "vendor/module": "/public/web/path/" | ||
| * }, | ||
| * "packages": { | ||
| * [ | ||
| * "name": "module", | ||
| * ... | ||
| * ] | ||
| * } | ||
| * } | ||
| * | ||
| * Parameter name either could be the module name ("vendor/module") or a | ||
| * module path ("vendor/module/component") belonging to a module. | ||
| * | ||
| * @param ServerRequestInterface $request | ||
| * @return ResponseInterface | ||
| */ | ||
| public function retrieveConfiguration(ServerRequestInterface $request): ResponseInterface | ||
| { | ||
| $name = $request->getQueryParams()['name'] ?? null; | ||
| if (empty($name) || !is_string($name)) { | ||
| return new JsonResponse(null, 404); | ||
| } | ||
| $configuration = $this->findConfiguration($name); | ||
| return new JsonResponse($configuration, !empty($configuration) ? 200 : 404); | ||
| } | ||
|
|
||
| /** | ||
| * @param string $name | ||
| * @return array | ||
| */ | ||
| protected function findConfiguration(string $name): array | ||
| { | ||
| $relevantConfiguration = []; | ||
| $this->pageRenderer->loadRequireJs(); | ||
| $configuration = $this->pageRenderer->getRequireJsConfig(PageRenderer::REQUIREJS_SCOPE_RESOLVE); | ||
|
|
||
| $shim = $configuration['shim'] ?? []; | ||
| foreach ($shim as $baseModuleName => $baseModuleConfiguration) { | ||
| if (strpos($name . '/', $baseModuleName . '/') === 0) { | ||
| $relevantConfiguration['shim'][$baseModuleName] = $baseModuleConfiguration; | ||
| } | ||
| } | ||
|
|
||
| $paths = $configuration['paths'] ?? []; | ||
| foreach ($paths as $baseModuleName => $baseModulePath) { | ||
| if (strpos($name . '/', $baseModuleName . '/') === 0) { | ||
| $relevantConfiguration['paths'][$baseModuleName] = $baseModulePath; | ||
| } | ||
| } | ||
|
|
||
| $packages = $configuration['packages'] ?? []; | ||
| foreach ($packages as $package) { | ||
| if (!empty($package['name']) | ||
| && strpos($name . '/', $package['name'] . '/') === 0 | ||
| ) { | ||
| $relevantConfiguration['packages'][] = $package; | ||
| } | ||
| } | ||
|
|
||
| return $relevantConfiguration; | ||
| } | ||
| } |
Oops, something went wrong.