[BUGFIX] Use string as hmac context in inline controllers

The order in JSON objects is not defined and the browser can stringify
them in an arbitrary order.

Resolves: #88094
Releases: master, 9.5, 8.7
Change-Id: I6b0ef6cb4e3877aa828578ce70e35dad0779da74
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63786
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

typo3/sysext/backend/Classes/Controller/FormInlineAjaxController.php

@@ -749,10 +749,10 @@ protected function extractSignedParentConfigFromRequest(string $contextString):
         if (empty($context['config'])) {
             throw new \RuntimeException('Empty context config section given', 1489751362);
         }
-        if (!hash_equals(GeneralUtility::hmac(json_encode($context['config']), 'InlineContext'), $context['hmac'])) {
+        if (!hash_equals(GeneralUtility::hmac((string)$context['config'], 'InlineContext'), (string)$context['hmac'])) {
             throw new \RuntimeException('Hash does not validate', 1489751363);
         }
-        return $context['config'];
+        return json_decode($context['config'], true);
     }
 
     /**

typo3/sysext/backend/Classes/Controller/SiteInlineAjaxController.php

@@ -380,10 +380,10 @@ protected function extractSignedParentConfigFromRequest(string $contextString):
         if (empty($context['config'])) {
             throw new \RuntimeException('Empty context config section given', 1522771632);
         }
-        if (!hash_equals(GeneralUtility::hmac(json_encode($context['config']), 'InlineContext'), $context['hmac'])) {
+        if (!hash_equals(GeneralUtility::hmac((string)$context['config'], 'InlineContext'), (string)$context['hmac'])) {
             throw new \RuntimeException('Hash does not validate', 1522771640);
         }
-        return $context['config'];
+        return json_decode($context['config'], true);
     }
 
     /**

typo3/sysext/backend/Classes/Form/Container/InlineControlContainer.php

@@ -176,6 +176,7 @@ public function render()
             'table' => $foreign_table,
             'md5' => md5($nameObject)
         ];
+        $configJson = json_encode($config);
         $this->inlineData['config'][$nameObject . '-' . $foreign_table] = [
             'min' => $config['minitems'],
             'max' => $config['maxitems'],
@@ -185,8 +186,8 @@ public function render()
                 'uid' => $top['uid']
             ],
             'context' => [
-                'config' => $config,
-                'hmac' => GeneralUtility::hmac(json_encode($config), 'InlineContext'),
+                'config' => $configJson,
+                'hmac' => GeneralUtility::hmac($configJson, 'InlineContext'),
             ],
         ];
         $this->inlineData['nested'][$nameObject] = $this->data['tabAndInlineStack'];

typo3/sysext/backend/Tests/Functional/Controller/FormInlineAjaxControllerTest.php

@@ -158,46 +158,43 @@ public function createActionWithExistingLocalizedParentAndNotLocalizableChildRet
      */
     protected function getContextForSysLanguageUid(int $sysLanguageUid): array
     {
-        $context = [
-            'config' => [
-                'type' => 'inline',
-                'foreign_table' => 'tx_irretutorial_1ncsv_offer',
-                'maxitems' => 10,
-                'appearance' => [
-                    'showSynchronizationLink' => 1,
-                    'showAllLocalizationLink' => 1,
-                    'showPossibleLocalizationRecords' => true,
-                    'showRemovedLocalizationRecords' => true,
-                    'levelLinksPosition' => 'top',
-                    'enabledControls' => [
-                        'info' => true,
-                        'new' => true,
-                        'dragdrop' => true,
-                        'sort' => true,
-                        'hide' => true,
-                        'delete' => true,
-                        'localize' => true,
-                    ],
-                ],
-                'behaviour' => [
-                    'localizationMode' => 'none',
-                    'localizeChildrenAtParentLocalization' => true,
-                ],
-                'default' => '',
-                'minitems' => 0,
-                'inline' => [
-                    'parentSysLanguageUid' => $sysLanguageUid,
-                    'first' => false,
-                    'last' => false,
+        $config = [
+            'type' => 'inline',
+            'foreign_table' => 'tx_irretutorial_1ncsv_offer',
+            'maxitems' => 10,
+            'appearance' => [
+                'showSynchronizationLink' => 1,
+                'showAllLocalizationLink' => 1,
+                'showPossibleLocalizationRecords' => true,
+                'showRemovedLocalizationRecords' => true,
+                'levelLinksPosition' => 'top',
+                'enabledControls' => [
+                    'info' => true,
+                    'new' => true,
+                    'dragdrop' => true,
+                    'sort' => true,
+                    'hide' => true,
+                    'delete' => true,
+                    'localize' => true,
                 ],
             ],
+            'behaviour' => [
+                'localizationMode' => 'none',
+                'localizeChildrenAtParentLocalization' => true,
+            ],
+            'default' => '',
+            'minitems' => 0,
+            'inline' => [
+                'parentSysLanguageUid' => $sysLanguageUid,
+                'first' => false,
+                'last' => false,
+            ],
         ];
 
-        return array_merge(
-            $context,
-            [
-                'hmac' => GeneralUtility::hmac(json_encode($context['config']), 'InlineContext'),
-            ]
-        );
+        $configJson = json_encode($config);
+        return [
+            'config' => $configJson,
+            'hmac' => GeneralUtility::hmac($configJson, 'InlineContext'),
+        ];
     }
 }

typo3/sysext/backend/Tests/Unit/Controller/FormInlineAjaxControllerTest.php

@@ -72,9 +72,9 @@ public function createActionThrowsExceptionIfContextConfigSectionDoesNotValidate
                 'ajax' => [
                     'context' => json_encode(
                         [
-                            'config' => [
+                            'config' => json_encode([
                                 'type' => 'inline',
-                            ],
+                            ]),
                             'hmac' => 'anInvalidHash',
                         ]
                     ),
@@ -133,9 +133,9 @@ public function detailsActionThrowsExceptionIfContextConfigSectionDoesNotValidat
                 'ajax' => [
                     'context' => json_encode(
                         [
-                            'config' => [
+                            'config' => json_encode([
                                 'type' => 'inline',
-                            ],
+                            ]),
                             'hmac' => 'anInvalidHash',
                         ]
                     ),
@@ -194,9 +194,9 @@ public function synchronizeLocalizeActionThrowsExceptionIfContextConfigSectionDo
                 'ajax' => [
                     'context' => json_encode(
                         [
-                            'config' => [
+                            'config' => json_encode([
                                 'type' => 'inline',
-                            ],
+                            ]),
                             'hmac' => 'anInvalidHash',
                         ]
                     ),