[BUGFIX] Security Update please update as soon as possible
sbusemann committed Nov 2, 2022
1 parent 0d98afc commit cc40e78
Showing 9 changed files with 141 additions and 10 deletions.
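--- a/Classes/Domain/Validator/AbstractValidator.php
+++ b/Classes/Domain/Validator/AbstractValidator.php
@@ -340,8 +340,11 @@ protected function stringContainsSpaceCharacter($value)
 */
 protected function validateInList($value, $validationSettingList)
 {
+$valueList = GeneralUtility::trimExplode(',', $value, true);
 $validationSettings = GeneralUtility::trimExplode(',', $validationSettingList, true);
-return in_array($value, $validationSettings);
+$diff = array_diff($valueList, $validationSettings);
+
+return empty($diff);
 }
 
 /**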
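Review bot: The rewritten validateInList now returns true for an empty `$value`: `trimExplode(',', '', true)` yields `[]`, `array_diff([], ...)` is `[]`, and `empty([])` is true, whereas the old `in_array('', $validationSettings)` returned false because empty entries were stripped from the settings list as well. If an empty submission is presumably rejected elsewhere by a separate required validation this is harmless, but it should be an explicit decision: either add `if ($valueList === []) { return false; }` before the diff, or state it in the docblock, e.g. `An empty value passes this check; presence is enforced by the required validation.` As a point of style, `return $diff === [];` says the same thing as `empty($diff)` without relying on truthiness. The method is fully contained in the hunk.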
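--- a/Classes/Domain/Validator/ServersideValidator.php
+++ b/Classes/Domain/Validator/ServersideValidator.php
@@ -7,6 +7,7 @@
 use In2code\Femanager\Domain\Model\User;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Extbase\Domain\Model\FileReference;
+use TYPO3\CMS\Extbase\Persistence\ObjectStorage;
 use TYPO3\CMS\Extbase\Reflection\ObjectAccess;
 
 /**
@@ -307,6 +308,19 @@ protected function checkAnyValidation($validation, $value, $validationSetting, $
 protected function getValue($user, $fieldName)
 {
 $value = $this->getValueFromProperty($user, $fieldName);
+
+if ($value instanceof ObjectStorage) {
+$values = [];
+
+foreach ($value as $object) {
+if (method_exists($object, 'getUid')) {
+$values[] = $object->getUid();
+}
+}
+
+return implode(',', $values);
+}
+
 if (is_object($value)) {
 if (method_exists($value, 'getUid')) {
 $value = $value->getUid();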
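Review bot: In the new ObjectStorage branch of getValue, an element without a `getUid()` method is silently dropped from `$values`, so such an element never reaches the downstream list comparison at all; for a validator that is the wrong default, since the check should fail closed rather than skip what it cannot read. If every object stored here is presumably an Extbase domain object that always has `getUid()`, the guard is dead code and a comment should say so; otherwise the branch should make the unreadable element visible to the caller instead of omitting it. At minimum add a why-comment above the `method_exists` check such as `// elements without getUid() are omitted from the value list and are therefore not validated`. The body of getValue continues past the end of the hunk, so its final return is not visible here.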
8 changes: 8 additions & 0 deletions Documentation/Changelog/Index.rst
Expand Up @@ -7,6 +7,14 @@ Changelog
.. t3-field-list-table::
:header-rows: 1

-
:Version: 6.3.3
:Date: 2021-11-02
:Changes:

* [BUGFIX] (!!!) Security Fix - Broken Access Control in Usergroup Validation (Andreas Nedbal - in2code) - thx to TYPO3 Security Team
* [BUGFIX] CleanUserGroup DataProcessor - thx to Daniel Hoffmann (in2code)

-
:Version: 6.3.2
:Date: 2021-10-13
4 changes: 2 additions & 2 deletions Documentation/Index.rst
Expand Up @@ -9,13 +9,13 @@ Femanager is a TYPO3 extension for a modern Frontend-User registration and profi
.. only:: html

:Copyright:
2013 - 2021
2013 - 2022

:Classification:
femanager

:Version:
6.3.1
6.3.3

:Language:
en
4 changes: 2 additions & 2 deletions Documentation/Settings.yml
Expand Up @@ -4,10 +4,10 @@

---
conf.py:
copyright: 2013-2021
copyright: 2013-2022
project: Femanager
version: 6
release: 6.3.2
release: 6.3.3
latex_elements:
papersize: a4paper
pointsize: 10pt
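--- a/Tests/Unit/Domain/Validator/AbstractValidatorTest.php
+++ b/Tests/Unit/Domain/Validator/AbstractValidatorTest.php
@@ -732,6 +732,16 @@ public function validateInListReturnsBoolDataProvider()
 'a',
 true
 ],
+[
+'1,2',
+'1,2,3',
+true
+],
+[
+'1,2',
+'3,2,1',
+true
+],
 [
 '23',
 '1,234,3',
@@ -752,6 +762,16 @@ public function validateInListReturnsBoolDataProvider()
 'bac',
 false
 ],
+[
+'1,2,3',
+'1,2',
+false
+],
+[
+'1,2,3',
+'2,1',
+false
+]
 ];
 }
 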
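Review bot: The new data sets cover subset and superset values but not the boundary the validateInList rewrite actually moves: an empty value against a non-empty list, which the new implementation accepts. Add one set that pins the intended result, e.g. `['', '1,2,3', false]` if empty must be rejected here, so a later change cannot flip it unnoticed; a set with surrounding whitespace such as `[' 1 , 2 ', '1,2,3', true]` would also document that trimming is relied on. As a style point, the last added entry closes with `]` while every sibling closes with `],`; keeping the trailing comma avoids a noisy diff on the next addition. The provider validateInListReturnsBoolDataProvider starts outside the hunk.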
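--- /dev/null
+++ b/Tests/Unit/Domain/Validator/ServersideValidatorTest.php
@@ -0,0 +1,86 @@
+<?php
+
+namespace In2code\Femanager\Tests\Unit\Domain\Validator;
+
+use In2code\Femanager\Domain\Model\User;
+use In2code\Femanager\Domain\Model\UserGroup;
+use In2code\Femanager\Domain\Validator\ServersideValidator;
+use Nimut\TestingFramework\TestCase\UnitTestCase;
+
+/**
+* Class AbstractValidatorTest
+* @coversDefaultClass \In2code\Femanager\Domain\Validator\ServersideValidator
+*/
+class ServersideValidatorTest extends UnitTestCase
+{
+
+/**
+* @var \In2code\Femanager\Domain\Validator\ServersideValidator
+*/
+protected $generalValidatorMock;
+
+/**
+* Make object available
+*/
+public function setUp(): void
+{
+$this->generalValidatorMock = $this->getAccessibleMock(ServersideValidator::class, ['dummy']);
+}
+
+/**
+* Remove object
+*/
+public function tearDown(): void
+{
+unset($this->generalValidatorMock);
+}
+
+/**
+* @covers ::getValue
+*/
+public function testGetValueForObjectStorage(): void
+{
+$user = new User();
+
+$usergroup1 = $this->getUserGroupMock(1);
+$usergroup2 = $this->getUserGroupMock(2);
+
+$user->addUsergroup($usergroup1);
+$user->addUsergroup($usergroup2);
+
+$fieldName = 'usergroup';
+
+$result = $this->generalValidatorMock->_callRef('getValue', $user, $fieldName);
+
+self::assertSame('1,2', $result);
+}
+
+/**
+* @covers ::getValue
+*/
+public function testGetValueForObject(): void
+{
+$user = new User('testuser');
+
+$fieldName = 'username';
+
+$result = $this->generalValidatorMock->_callRef('getValue', $user, $fieldName);
+
+self::assertSame('testuser', $result);
+}
+
+/**
+* @param int $uid
+* @return UserGroup&\PHPUnit\Framework\MockObject\MockObject|\PHPUnit\Framework\MockObject\MockObject
+*/
+protected function getUserGroupMock(int $uid = 1)
+{
+$mockClass = $this->getMockBuilder(UserGroup::class)
+->disableOriginalConstructor()
+->getMock();
+
+$mockClass->method('getUid')->willReturn($uid);
+
+return $mockClass;
+}
+}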
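Review bot: The class docblock of the new test names the wrong class, `Class AbstractValidatorTest`, which looks like a copy-paste from the sibling test; it should read `* Class ServersideValidatorTest`. The overridden `setUp()` and `tearDown()` do not call `parent::setUp()` / `parent::tearDown()`; whether the Nimut base class does work there I cannot tell from this page, but calling the parent is the safe convention and costs one line each. Both tests pass the arguments through `_callRef` although nothing is taken by reference, so `_call` would express the intent more plainly. A third case with a usergroup mock that returns no uid would pin how getValue treats such an element, which the new code currently drops from the list.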
2 changes: 1 addition & 1 deletion ext_emconf.php
Expand Up @@ -23,7 +23,7 @@
'modify_tables' => '',
'clearCacheOnLoad' => 0,
'lockType' => '',
'version' => '6.3.2',
'version' => '6.3.3',
'constraints' => [
'depends' => [
'typo3' => '10.0.0-10.4.99',
8 changes: 4 additions & 4 deletions readme.md
Expand Up @@ -47,10 +47,10 @@ Also official support (fee-based) is possible within the EAP.

This is the current status of the EAP features:

| Femanager | TYPO3 | PHP | Support/Development | Status |
|-----------|--------|---------------|----------------------|----------------|
| 7.1 | 11 LTS | 7.4, 8.0, 8.1 | Support for PHP 8 | in development |
| 8.0 | 12 | 8 | Support for TYPO3 12 | planned |
| Femanager | TYPO3 | PHP | Support/Development | Status |
|-----------|--------|---------------|----------------------|-----------|
| 7.1 | 11 LTS | 7.4, 8.0, 8.1 | Support for PHP 8 | available |
| 8.0 | 12 | 8 | Support for TYPO3 12 | planned |


## Your Contribution
