[TASK] Define callable controller actions

Several custom controller implementations allow calling internal *Action methods. In order to avoid unintended behavior and to streamline the application flow those invocations are defined now explicitly. ManagementController just had one possible action method and has been simplified in this regard. Resolves: #91564 Releases: master, 10.4, 9.5 Change-Id: I9092088ba66504562b42c522883c022955fa6f36 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64776 Tested-by: TYPO3com <noreply@typo3.com> Tested-by: Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
TYPO3 · Oct 2, 2020 · 38e75d9 · 38e75d9
1 parent 505fe2d
commit 38e75d9
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 6 deletions.
diff --git a/typo3/sysext/backend/Classes/Controller/HelpController.php b/typo3/sysext/backend/Classes/Controller/HelpController.php
@@ -36,6 +36,8 @@
  */
 class HelpController
 {
+    protected const ALLOWED_ACTIONS = ['index', 'all', 'detail'];
+
     /**
      * Section identifiers
      */
@@ -86,6 +88,10 @@ public function handleRequest(ServerRequestInterface $request): ResponseInterfac
             }
         }
 
+        if (!in_array($action, self::ALLOWED_ACTIONS, true)) {
+            return new HtmlResponse('Action not allowed', 400);
+        }
+
         $this->initializeView($action);
 
         $result = call_user_func_array([$this, $action . 'Action'], [$request]);

diff --git a/typo3/sysext/backend/Classes/Controller/SiteConfigurationController.php b/typo3/sysext/backend/Classes/Controller/SiteConfigurationController.php
@@ -56,6 +56,8 @@
  */
 class SiteConfigurationController
 {
+    protected const ALLOWED_ACTIONS = ['overview', 'edit', 'save', 'delete'];
+
     /**
      * @var ModuleTemplate
      */
@@ -94,7 +96,13 @@ public function handleRequest(ServerRequestInterface $request): ResponseInterfac
         $this->moduleTemplate->getPageRenderer()->loadRequireJsModule('TYPO3/CMS/Backend/ContextMenu');
         $this->moduleTemplate->getPageRenderer()->loadRequireJsModule('TYPO3/CMS/Backend/Modal');
         $action = $request->getQueryParams()['action'] ?? $request->getParsedBody()['action'] ?? 'overview';
+
+        if (!in_array($action, self::ALLOWED_ACTIONS, true)) {
+            return new HtmlResponse('Action not allowed', 400);
+        }
+
         $this->initializeView($action);
+
         $result = call_user_func_array([$this, $action . 'Action'], [$request]);
         if ($result instanceof ResponseInterface) {
             return $result;

diff --git a/typo3/sysext/redirects/Classes/Controller/ManagementController.php b/typo3/sysext/redirects/Classes/Controller/ManagementController.php
@@ -81,13 +81,9 @@ public function __construct()
     public function handleRequest(ServerRequestInterface $request): ResponseInterface
     {
         $this->request = $request;
-        $action = $request->getQueryParams()['action'] ?? $request->getParsedBody()['action'] ?? 'overview';
-        $this->initializeView($action);
+        $this->initializeView('overview');
 
-        $result = call_user_func_array([$this, $action . 'Action'], [$request]);
-        if ($result instanceof ResponseInterface) {
-            return $result;
-        }
+        $this->overviewAction($request);
         $this->moduleTemplate->setContent($this->view->render());
         return new HtmlResponse($this->moduleTemplate->renderContent());
     }