[BUGFIX] Ensure request body is writable in ServerRequestInstruction

o-ba · o-ba · commit 92bf973eccff · 2025-07-22T11:54:51.000+02:00
When deserializing a ServerRequestInstruction from array data, the body stream was recreated using the originally stored stream mode (e.g. "rb"). This caused a RuntimeException when attempting to write to a read-only stream during deserialization. This patch ensures the stream is always recreated with mode "w+b" to allow writing. The mode is no longer serialized via jsonSerialize, as it is irrelevant and may cause issues on reconstruction. This issue typically did not occur in Core usage, as many claims (e.g. from the user management module) are GET requests with data passed via the query string. However, custom extensions using POST requests with a body payload were affected. Resolves: #107117 Releases: main, 13.4, 12.4 Change-Id: If680406a9beba1dfa99157d71aad26deafcae4a0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/90101 Tested-by: core-ci <typo3@b13.com> Tested-by: Oli Bartsch <bo@cedev.de> Tested-by: Benni Mack <benni@typo3.org> Reviewed-by: Benni Mack <benni@typo3.org> Reviewed-by: Oli Bartsch <bo@cedev.de> Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
diff --git a/typo3/sysext/backend/Classes/Security/SudoMode/Access/ServerRequestInstruction.php b/typo3/sysext/backend/Classes/Security/SudoMode/Access/ServerRequestInstruction.php
@@ -73,7 +73,7 @@ public static function buildFromArray(array $data): self
         $target->requestTarget = $data['requestTarget'];
         $target->method = $data['method'];
         $target->uri = new Uri($data['uri']);
-        $target->body = new Stream('php://temp', $data['body']['mode']);
+        $target->body = new Stream('php://temp', 'w+b');
         $target->body->write($data['body']['contents']);
         $target->parsedBody = $data['parsedBody'];
         $target->queryParams = $data['queryParams'];
@@ -109,7 +109,6 @@ public function jsonSerialize(): array
             'method' => $this->method,
             'uri' => (string)$this->uri,
             'body' => [
-                'mode' => $this->body->getMetadata('mode'),
                 'contents' => (string)$this->body,
             ],
             'parsedBody' => $this->parsedBody,
diff --git a/typo3/sysext/backend/Tests/Functional/Security/SudoMode/Access/Fixtures/test-content.txt b/typo3/sysext/backend/Tests/Functional/Security/SudoMode/Access/Fixtures/test-content.txt
@@ -0,0 +1 @@
+test-content
diff --git a/typo3/sysext/backend/Tests/Functional/Security/SudoMode/Access/ServerRequestInstructionTest.php b/typo3/sysext/backend/Tests/Functional/Security/SudoMode/Access/ServerRequestInstructionTest.php
@@ -0,0 +1,59 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+namespace TYPO3\CMS\Backend\Tests\Functional\Security\SudoMode\Access;
+
+use PHPUnit\Framework\Attributes\DataProvider;
+use PHPUnit\Framework\Attributes\Test;
+use Psr\Http\Message\StreamInterface;
+use TYPO3\CMS\Backend\Security\SudoMode\Access\ServerRequestInstruction;
+use TYPO3\CMS\Core\Http\ServerRequest;
+use TYPO3\CMS\Core\Http\Stream;
+use TYPO3\TestingFramework\Core\Functional\FunctionalTestCase;
+
+final class ServerRequestInstructionTest extends FunctionalTestCase
+{
+    protected bool $initializeDatabase = false;
+
+    public static function instructionCanBeDehydratedDataProvider(): \Generator
+    {
+        $body = new Stream('php://temp', 'w+b');
+        $body->write('test-content');
+        $body->rewind();
+        yield 'in-memory content' => [$body];
+
+        $body = new Stream(__DIR__ . '/Fixtures/test-content.txt', 'r');
+        $body->rewind();
+        yield 'file content' => [$body];
+    }
+
+    #[Test]
+    #[DataProvider('instructionCanBeDehydratedDataProvider')]
+    public function instructionCanBeDehydrated(StreamInterface $body): void
+    {
+        $headers = ['Content-Type' => ['text/plain']];
+        $request = new ServerRequest('https://example.com', 'POST', $body, $headers);
+        $instruction = ServerRequestInstruction::createForServerRequest($request);
+        $json = json_encode($instruction);
+        $data = json_decode($json, true);
+        $result = ServerRequestInstruction::buildFromArray($data);
+        self::assertEquals($result->getUri(), $instruction->getUri());
+        self::assertSame($result->getMethod(), $instruction->getMethod());
+        self::assertSame($result->getBody()->getContents(), $instruction->getBody()->getContents());
+        self::assertSame($result->getHeaders(), $instruction->getHeaders());
+    }
+}
