[TASK] Replace GeneralUtility::hmac usage in ext:frontend

With #102761, the new `HashService` has been introduced to ensure that HMAC generation will always use an additional secret. As a follow-up patch, `GeneralUtility::hmac` will be deprecated when all usages in the core have been replaced with the new `HashService`. With this change, usages of `GeneralUtility::hmac` in ext:frontend are replaced by the new HashService. Resolves: #103250 Related: #102761 Related: #103245 Releases: main Change-Id: I077cf02a170178c750662c8491bf725ce234c036 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/83260 Reviewed-by: Benni Mack <benni@typo3.org> Tested-by: core-ci <typo3@b13.com> Reviewed-by: Stefan Bürk <stefan@buerk.tech> Tested-by: Stefan Bürk <stefan@buerk.tech> Tested-by: Benni Mack <benni@typo3.org>
TYPO3 · Mar 8, 2024 · baa183c · baa183c
1 parent 5140349
commit baa183c
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 6 deletions.
diff --git a/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php b/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
@@ -29,6 +29,7 @@
 use TYPO3\CMS\Core\Context\Context;
 use TYPO3\CMS\Core\Context\LanguageAspect;
 use TYPO3\CMS\Core\Core\Environment;
+use TYPO3\CMS\Core\Crypto\HashService;
 use TYPO3\CMS\Core\Database\ConnectionPool;
 use TYPO3\CMS\Core\Database\Query\Expression\ExpressionBuilder;
 use TYPO3\CMS\Core\Database\Query\QueryBuilder;
@@ -899,7 +900,8 @@ public function imageLinkWrap($string, $imageFile, $conf)
                 }
             }
             $parametersEncoded = base64_encode((string)json_encode($parameters));
-            $hmac = GeneralUtility::hmac(implode('|', [$file->getUid(), $parametersEncoded]));
+            $hashService = GeneralUtility::makeInstance(HashService::class);
+            $hmac = $hashService->hmac(implode('|', [$file->getUid(), $parametersEncoded]), 'tx_cms_showpic');
             $params = '&md5=' . $hmac;
             foreach (str_split($parametersEncoded, 64) as $index => $chunk) {
                 $params .= '&parameters' . rawurlencode('[') . $index . rawurlencode(']') . '=' . rawurlencode($chunk);

diff --git a/typo3/sysext/frontend/Classes/Controller/ShowImageController.php b/typo3/sysext/frontend/Classes/Controller/ShowImageController.php
@@ -19,6 +19,7 @@
 
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use TYPO3\CMS\Core\Crypto\HashService;
 use TYPO3\CMS\Core\Exception;
 use TYPO3\CMS\Core\Http\Response;
 use TYPO3\CMS\Core\Resource\File;
@@ -131,7 +132,8 @@ public function initialize()
 
         /* For backwards compatibility the HMAC is transported within the md5 param */
         $hmacParameter = $this->request->getQueryParams()['md5'] ?? null;
-        $hmac = GeneralUtility::hmac(implode('|', [$fileUid, $parametersEncoded]));
+        $hashService = GeneralUtility::makeInstance(HashService::class);
+        $hmac = $hashService->hmac(implode('|', [$fileUid, $parametersEncoded]), 'tx_cms_showpic');
         if (!is_string($hmacParameter) || !hash_equals($hmac, $hmacParameter)) {
             throw new \InvalidArgumentException('hash does not match', 1476048456);
         }

diff --git a/typo3/sysext/frontend/Tests/Functional/Controller/ShowImageControllerTest.php b/typo3/sysext/frontend/Tests/Functional/Controller/ShowImageControllerTest.php
@@ -22,6 +22,7 @@
 use PHPUnit\Framework\Attributes\Test;
 use PHPUnit\Framework\MockObject\MockObject;
 use Psr\Http\Message\ServerRequestInterface;
+use TYPO3\CMS\Core\Crypto\HashService;
 use TYPO3\CMS\Core\Resource\FileInterface;
 use TYPO3\CMS\Core\Resource\ProcessedFile;
 use TYPO3\CMS\Core\Resource\ResourceFactory;
@@ -63,24 +64,26 @@ protected function tearDown(): void
 
     public static function contentIsGeneratedForLocalFilesDataProvider(): \Generator
     {
+        $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] = self::ENCRYPTION_KEY;
         $fileId = 13;
         $parameters = [];
-        $serializedParameters = base64_encode(serialize($parameters));
-        $jsonEncodedParameters = base64_encode(json_encode($parameters));
+        $serializedParameters = serialize($parameters);
+        $jsonEncodedParameters = json_encode($parameters);
+        $hashService = GeneralUtility::makeInstance(HashService::class);
         yield 'numeric fileId, json encoded' => [
             $fileId,
             [
                 'file' => $fileId,
                 'parameters' => [$jsonEncodedParameters],
-                'md5' => hash_hmac('sha1', implode('|', [$fileId, $jsonEncodedParameters]), self::ENCRYPTION_KEY),
+                'md5' => $hashService->hmac(implode('|', [$fileId, $jsonEncodedParameters]), 'tx_cms_showpic'),
             ],
         ];
         yield 'numeric fileId, outdated (valid) PHP encoded' => [
             $fileId,
             [
                 'file' => $fileId,
                 'parameters' => [$serializedParameters],
-                'md5' => hash_hmac('sha1', implode('|', [$fileId, $serializedParameters]), self::ENCRYPTION_KEY),
+                'md5' => $hashService->hmac(implode('|', [$fileId, $serializedParameters]), 'tx_cms_showpic'),
             ],
         ];
     }