[TASK] Switch to json_encode for file folder tree
Scalar values sent via HTTP query parameters to
FileSystemNavigationFrameController are using `json_encode` instead
of `unserialize`. The parameter stream is still secured with an HMAC
before being deserialized.

Resolves: #91548
Releases: master, 10.4, 9.5
Change-Id: I57be68aac1787bdc27f2bbae40f8d71b1b33f79f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64624
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Frank Nägler <frank.naegler@typo3.org>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Frank Nägler <frank.naegler@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
ohader authored and andreaskienast committed Jun 2, 2020
1 parent c1506d6 commit d46a06b
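The sign-then-decode pattern the commit message describes, as an added example that is not TYPO3 code: it assumes a stand-in `$secret` for the site's encryption key and `hash_hmac('sha1', ...)` in place of `GeneralUtility::hmac()`, whose construction is not shown on this page; the scope keys and the secret are constructed for illustration. It also shows the two cases the swap introduces: a tampered payload is rejected by the MAC before anything is decoded, and an authentic payload in the old serialize() format is no longer decodable, so the consumer has to handle a null from json_decode().

```php
<?php
declare(strict_types=1);

/*
 * Added example, not TYPO3 code. Assumptions: $secret stands in for the
 * site's encryption key, and hash_hmac('sha1', ...) stands in for
 * GeneralUtility::hmac(), whose construction is not shown on this page.
 * The scope keys below are constructed for illustration.
 */

function check(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException('check failed: ' . $what);
    }
}

/** Producing side (the tree view): encode the scope, then sign the exact bytes. */
function signScope(array $scope, string $secret): array
{
    $data = json_encode($scope);
    if ($data === false) {
        // e.g. invalid UTF-8 in a value; never sign and ship a coerced empty payload
        throw new RuntimeException('Scope is not JSON-encodable: ' . json_last_error_msg());
    }
    return ['scopeData' => $data, 'scopeHash' => hash_hmac('sha1', $data, $secret)];
}

/** Consuming side (the controller): verify the MAC first, decode second. */
function verifyAndDecodeScope(string $data, string $hash, string $secret): ?array
{
    if ($data === '' || !hash_equals(hash_hmac('sha1', $data, $secret), $hash)) {
        return null; // forged or tampered payload, never deserialized
    }
    $scope = json_decode($data, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($scope)) {
        return null; // authentic but not JSON, e.g. a link minted with serialize()
    }
    return $scope;
}

$secret = 'constructed-test-secret';
$scope = ['script' => 'index.php', 'expandAll' => false, 'depth' => 2];

// 1. Normal round trip: same keys, values and types come back
['scopeData' => $data, 'scopeHash' => $hash] = signScope($scope, $secret);
check(verifyAndDecodeScope($data, $hash, $secret) === $scope, 'round trip');

// 2. Tampered data with the original MAC is rejected before json_decode() runs
$tampered = str_replace('"depth":2', '"depth":99', $data);
check(verifyAndDecodeScope($tampered, $hash, $secret) === null, 'tamper rejected');

// 3. An authentic payload in the pre-change serialize() format decodes to null;
//    the consumer must treat that as "no scope" rather than use it blindly
$legacy = serialize($scope);
$legacyHash = hash_hmac('sha1', $legacy, $secret);
check(verifyAndDecodeScope($legacy, $legacyHash, $secret) === null, 'legacy format');

// 4. Why json_decode() is the safer primitive: a serialized object string is
//    just invalid JSON to it, whereas unserialize() would instantiate the class
check(json_decode('O:8:"stdClass":0:{}', true) === null, 'no object instantiation');

echo "all checks passed\n";
```

The order of operations is the security-relevant part: `hash_equals()` on the MAC runs before any decoding, so untrusted bytes never reach a parser, and the parser that does run (`json_decode()` with associative arrays) has no class-instantiation path. The null handling in `verifyAndDecodeScope()` is what the controller side needs once the format changes, because `json_decode()` signals failure by return value rather than by throwing unless `JSON_THROW_ON_ERROR` (PHP 7.3 and later) is used.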
Showing 2 changed files with 2 additions and 2 deletions.
Expand Up @@ -120,7 +120,7 @@ protected function init(ServerRequestInterface $request)
$scopeHash = $parsedBody['scopeHash'] ?? $queryParams['scopeHash'] ?? '';

if (!empty($scopeData) && hash_equals(GeneralUtility::hmac($scopeData), $scopeHash)) {
$this->scopeData = unserialize($scopeData);
$this->scopeData = json_decode($scopeData, true);
}

// Create folder tree object:
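Review bot: after the swap at `$this->scopeData = json_decode($scopeData, true);`, an authentic payload that is not valid JSON leaves `$this->scopeData` as null rather than an array: json_decode() returns null on malformed input without signalling it, and because the hash_equals() check passes for any string this installation signed, a link minted with the old serialize() format before this change still gets past the MAC and then decodes to null. Consider guarding the assignment, e.g. `$decoded = json_decode($scopeData, true); if (is_array($decoded)) { $this->scopeData = $decoded; }` or a json_last_error() check, so a stale or malformed payload falls back to the default scope instead of a null the rest of init() may not be written for. The ordering itself is right: the MAC is verified with hash_equals() before any decoding, and json_decode() into associative arrays cannot instantiate classes the way unserialize() could.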
2 changes: 1 addition & 1 deletion typo3/sysext/backend/Classes/Tree/View/FolderTreeView.php
Expand Up @@ -139,7 +139,7 @@ public function PMiconATagWrap($icon, $cmd, $isExpand = true)

if ($this->thisScript) {
// Activates dynamic AJAX based tree
$scopeData = serialize($this->scope);
$scopeData = json_encode($this->scope);
$scopeHash = GeneralUtility::hmac($scopeData);
$js = htmlspecialchars('Tree.load(' . GeneralUtility::quoteJSvalue($cmd) . ', ' . (int)$isExpand . ', this, ' . GeneralUtility::quoteJSvalue($scopeData) . ', ' . GeneralUtility::quoteJSvalue($scopeHash) . ');');
return '<a class="list-tree-control' . (!$isExpand ? ' list-tree-control-open' : ' list-tree-control-closed') . '" onclick="' . $js . '"><i class="fa"></i></a>';
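Review bot: `$scopeData = json_encode($this->scope);` can return false (for instance when a scope value holds invalid UTF-8), and the next two lines then sign and embed that false: `GeneralUtility::hmac($scopeData)` would MAC a coerced empty string and `GeneralUtility::quoteJSvalue($scopeData)` would write it into the onclick. serialize() never failed this way, so it is a failure mode this hunk introduces; suggest `if ($scopeData === false) { throw new \RuntimeException(json_last_error_msg()); }` before the hmac() call, or json_encode() with JSON_THROW_ON_ERROR where the supported PHP versions allow it. Since this encoder and the controller's json_decode() must move together, a short note for the 9.5 and 10.4 backports that scopeData is now JSON would help anyone with a tree rendered by old code against a new controller.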