Index: typo3/class.alt_menu_functions.inc
===================================================================
--- typo3/class.alt_menu_functions.inc (Revision 10152)
+++ typo3/class.alt_menu_functions.inc (Arbeitskopie)
@@ -599,7 +599,11 @@
$functions[]=array(
'id' => 'temp_CACHED',
'title' => $title,
- 'href' => $backPath.'tce_db.php?vC='.$BE_USER->veriCode().'&redirect='.rawurlencode(t3lib_div::getIndpEnv('TYPO3_REQUEST_SCRIPT')).'&cacheCmd=temp_CACHED',
+ 'href' => $backPath .
+ 'tce_db.php?vC=' . $BE_USER->veriCode() .
+ '&redirect=' . rawurlencode(t3lib_div::getIndpEnv('TYPO3_REQUEST_SCRIPT')) .
+ '&cacheCmd=temp_CACHED' .
+ t3lib_BEfunc::getUrlToken('tceAction'),
'icon' => ''
);
}
@@ -609,7 +613,10 @@
$functions[]=array(
'id' => 'all',
'title' => $title,
- 'href' => $backPath.'tce_db.php?vC='.$BE_USER->veriCode().'&redirect='.rawurlencode(t3lib_div::getIndpEnv('TYPO3_REQUEST_SCRIPT')).'&cacheCmd=all',
+ 'href' => $backPath . 'tce_db.php?vC=' . $BE_USER->veriCode() .
+ '&redirect=' . rawurlencode(t3lib_div::getIndpEnv('TYPO3_REQUEST_SCRIPT')) .
+ '&cacheCmd=all' .
+ t3lib_BEfunc::getUrlToken('tceAction'),
'icon' => ''
);
Index: typo3/classes/class.clearcachemenu.php
===================================================================
--- typo3/classes/class.clearcachemenu.php (Revision 10152)
+++ typo3/classes/class.clearcachemenu.php (Arbeitskopie)
@@ -63,7 +63,11 @@
$this->cacheActions[] = array(
'id' => 'all',
'title' => $title,
- 'href' => $this->backPath.'tce_db.php?vC='.$GLOBALS['BE_USER']->veriCode().'&cacheCmd=all',
+ 'href' => $this->backPath .
+ 'tce_db.php?vC=' .
+ $GLOBALS['BE_USER']->veriCode() .
+ '&cacheCmd=all&ajaxCall=1' .
+ t3lib_BEfunc::getUrlToken('tceAction'),
'icon' => t3lib_iconWorks::getSpriteIcon('actions-system-cache-clear-impact-high')
);
}
@@ -74,7 +78,11 @@
$this->cacheActions[] = array(
'id' => 'pages',
'title' => $title,
- 'href' => $this->backPath.'tce_db.php?vC='.$GLOBALS['BE_USER']->veriCode().'&cacheCmd=pages',
+ 'href' => $this->backPath .
+ 'tce_db.php?vC=' .
+ $GLOBALS['BE_USER']->veriCode() .
+ '&cacheCmd=pages&ajaxCall=1' .
+ t3lib_BEfunc::getUrlToken('tceAction'),
'icon' => t3lib_iconWorks::getSpriteIcon('actions-system-cache-clear-impact-medium')
);
}
@@ -85,7 +93,11 @@
$this->cacheActions[] = array(
'id' => 'temp_CACHED',
'title' => $title,
- 'href' => $this->backPath.'tce_db.php?vC='.$GLOBALS['BE_USER']->veriCode().'&cacheCmd=temp_CACHED',
+ 'href' => $this->backPath .
+ 'tce_db.php?vC=' .
+ $GLOBALS['BE_USER']->veriCode() .
+ '&cacheCmd=temp_CACHED&ajaxCall=1' .
+ t3lib_BEfunc::getUrlToken('tceAction'),
'icon' => t3lib_iconWorks::getSpriteIcon('actions-system-cache-clear-impact-low')
);
}
@@ -103,6 +115,7 @@
}
}
+ t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
}
/**
@@ -176,4 +189,4 @@
include_once($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['typo3/classes/class.clearcachemenu.php']);
}
-?>
\ No newline at end of file
+?>
Index: typo3/tce_db.php
===================================================================
--- typo3/tce_db.php (Revision 10152)
+++ typo3/tce_db.php (Arbeitskopie)
@@ -246,8 +246,23 @@
// Include files?
foreach($SOBE->include_once as $INC_FILE) include_once($INC_FILE);
-$SOBE->initClipboard();
-$SOBE->main();
+$formprotection = t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection');
+
+if ($formprotection->validateToken(t3lib_div::_GP('formToken'), 'tceAction')) {
+ $SOBE->initClipboard();
+ $SOBE->main();
+
+ // This is done for the clear cache menu, so that it gets a new token
+ // making it possible to clear cache several times.
+ if (t3lib_div::_GP('ajaxCall')) {
+ $token = array();
+ $token['value'] = $formprotection->generateToken('tceAction');
+ $token['name'] = 'formToken';
+ // This will be used by clearcachemenu.js to replace the token for the next call
+ echo t3lib_BEfunc::getUrlToken('tceAction');
+ }
+}
+$formprotection->persistTokens();
$SOBE->finish();
?>
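Review bot: The `$token` array built on the three lines after the `ajaxCall` check is never used, and its `generateToken('tceAction')` mints a second token on top of the one `t3lib_BEfunc::getUrlToken('tceAction')` creates on the `echo` line, so every AJAX clear-cache request persists a token nobody can spend. Delete the three `$token` lines and keep only `echo t3lib_BEfunc::getUrlToken('tceAction');`. The response body is the only channel back to clearcachemenu.js, which splices whatever comes back onto the link, so any stray output emitted during `$SOBE->main()` (a notice, debug text) would corrupt the next URL; a comment stating that nothing else may be printed on the `ajaxCall` path, or an output-buffer discard before the echo, would make that contract explicit. On an invalid token the request still reaches `$SOBE->finish()`, presumably the redirect back, so the user only sees the session flash message that this patch enables elsewhere.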
Index: typo3/mod.php
===================================================================
--- typo3/mod.php (Revision 10152)
+++ typo3/mod.php (Arbeitskopie)
@@ -65,4 +65,7 @@
if ($isDispatched === FALSE) {
die('Value "' . htmlspecialchars($temp_M) . '" for "M" was not found as a module');
}
+
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
+
?>
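Review bot: The `persistTokens()` appended here only runs when the dispatched module returns control to mod.php; a module that ends the request itself (`exit`, `die`, or a redirect helper) leaves every token it generated unpersisted and therefore impossible to validate. alt_doc.php in this same patch (hunk `@@ -1191`) is a concrete instance: it appends `t3lib_BEfunc::getUrlToken('editRecord')` to `$location` and immediately calls `t3lib_utility_Http::redirect($location)`, which presumably terminates the script before the script-end `$formprotection->persistTokens()` in its last hunk is reached. Call `t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();` before that redirect, and audit the other scripts receiving a script-end persist in this patch for the same early-exit pattern.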
\ No newline at end of file
Index: typo3/template.php
===================================================================
--- typo3/template.php (Revision 10152)
+++ typo3/template.php (Arbeitskopie)
@@ -423,11 +423,15 @@
*/
function issueCommand($params,$rUrl='') {
$rUrl = $rUrl ? $rUrl : t3lib_div::getIndpEnv('REQUEST_URI');
- return $this->backPath.'tce_db.php?'.
- $params.
- '&redirect='.($rUrl==-1?"'+T3_THIS_LOCATION+'":rawurlencode($rUrl)).
- '&vC='.rawurlencode($GLOBALS['BE_USER']->veriCode()).
+ $commandUrl = $this->backPath.'tce_db.php?' .
+ $params .
+ '&redirect=' . ($rUrl==-1 ? "'+T3_THIS_LOCATION+'" : rawurlencode($rUrl)) .
+ '&vC='.rawurlencode($GLOBALS['BE_USER']->veriCode()) .
+ t3lib_BEfunc::getUrlToken('tceAction') .
'&prErr=1&uPT=1';
+
+ t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
+ return $commandUrl;
}
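Review bot: `issueCommand()` is a pure URL builder that list and localisation views call once per row, yet it now performs a token-store write via `persistTokens()` on every invocation; the rest of the patch persists once at script end, so this adds a session write per generated link. Either drop the call here and rely on the script-end `persistTokens()` the other hunks add, or state in the docblock that the method persists the token store as a side effect so callers do not also do it. If the per-call persist is intentional (callers that redirect immediately), a one-line comment saying so would stop the next reader from removing it.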
/**
@@ -1556,12 +1560,17 @@
this.selectedIndex=0;
} else if (this.options[this.selectedIndex].value.indexOf(\';\')!=-1) {
eval(this.options[this.selectedIndex].value);
- }else{
- window.location.href=\''.$this->backPath.'tce_db.php?vC='.$BE_USER->veriCode().'&redirect='.rawurlencode(t3lib_div::getIndpEnv('REQUEST_URI')).'&cacheCmd=\'+this.options[this.selectedIndex].value;
+ } else {
+ window.location.href=\'' . $this->backPath .
+ 'tce_db.php?vC=' . $BE_USER->veriCode() .
+ t3lib_BEfunc::getUrlToken('tceAction') .
+ '&redirect=' . rawurlencode(t3lib_div::getIndpEnv('REQUEST_URI')) .
+ '&cacheCmd=\'+this.options[this.selectedIndex].value;
}';
$af_content = '';
if (count($opt)>1) {
+ t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
return $af_content;
}
}
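Review bot: The token is generated unconditionally on the `t3lib_BEfunc::getUrlToken('tceAction')` line inside the JavaScript string, but `persistTokens()` is only reached inside `if (count($opt)>1)`; the function continues outside the hunk, so whether the other path returns without persisting cannot be confirmed here. If it does, the minted token is merely wasted, but if the select markup is still emitted on that path its link carries a token that will never validate. Moving the `persistTokens()` call before the `if` (or relying on the script-end persist the other hunks add) removes the dependency on the branch.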
Index: typo3/backend.php
===================================================================
--- typo3/backend.php (Revision 10152)
+++ typo3/backend.php (Arbeitskopie)
@@ -38,7 +38,6 @@
require('classes/class.shortcutmenu.php');
require('classes/class.livesearch.php');
-require_once('class.alt_menu_functions.inc');
$GLOBALS['LANG']->includeLLFile('EXT:lang/locallang_misc.xml');
Index: typo3/db_new.php
===================================================================
--- typo3/db_new.php (Revision 10152)
+++ typo3/db_new.php (Arbeitskopie)
@@ -733,5 +733,6 @@
$SOBE->init();
$SOBE->main();
$SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
?>
Index: typo3/wizard_rte.php
===================================================================
--- typo3/wizard_rte.php (Revision 10152)
+++ typo3/wizard_rte.php (Arbeitskopie)
@@ -198,7 +198,8 @@
// Adding hidden fields:
$formContent.= '
- ';
+ ' .
+ t3lib_TCEforms::getHiddenTokenField('tceAction');
// Finally, add the whole setup:
@@ -338,5 +339,6 @@
$SOBE->init();
$SOBE->main();
$SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
?>
Index: typo3/sysext/list/mod1/index.php
===================================================================
--- typo3/sysext/list/mod1/index.php (Revision 10152)
+++ typo3/sysext/list/mod1/index.php (Arbeitskopie)
@@ -513,5 +513,6 @@
$SOBE->clearCache();
$SOBE->main();
$SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
?>
Index: typo3/sysext/lowlevel/dbint/index.php
===================================================================
--- typo3/sysext/lowlevel/dbint/index.php (Revision 10152)
+++ typo3/sysext/lowlevel/dbint/index.php (Arbeitskopie)
@@ -694,5 +694,6 @@
$SOBE->init();
$SOBE->main();
$SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
?>
Index: typo3/sysext/cms/layout/db_layout.php
===================================================================
--- typo3/sysext/cms/layout/db_layout.php (Revision 10152)
+++ typo3/sysext/cms/layout/db_layout.php (Arbeitskopie)
@@ -445,7 +445,7 @@
function deleteRecord(table,id,url) { //
if (confirm('.$LANG->JScharCode($LANG->getLL('deleteWarning')).')) {
- window.location.href = "'.$BACK_PATH.'tce_db.php?cmd["+table+"]["+id+"][delete]=1&redirect="+escape(url)+"&vC='.$BE_USER->veriCode().'&prErr=1&uPT=1";
+ window.location.href = "'.$BACK_PATH.'tce_db.php?cmd["+table+"]["+id+"][delete]=1&redirect="+escape(url)+"&vC=' . $BE_USER->veriCode() . t3lib_BEfunc::getUrlToken('tceAction') . '&prErr=1&uPT=1";
}
return false;
}
@@ -902,7 +902,7 @@
- ';
+ ' . t3lib_TCEforms::getHiddenTokenField('tceAction');
// Add JavaScript as needed around the form:
$theCode=$tceforms->printNeededJSFunctions_top().$theCode.$tceforms->printNeededJSFunctions();
@@ -1413,5 +1413,6 @@
$SOBE->clearCache();
$SOBE->main();
$SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
?>
\ No newline at end of file
Index: typo3/sysext/info/mod1/index.php
===================================================================
--- typo3/sysext/info/mod1/index.php (Revision 10152)
+++ typo3/sysext/info/mod1/index.php (Arbeitskopie)
@@ -233,5 +233,6 @@
$SOBE->main();
$SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
?>
Index: typo3/sysext/taskcenter/task/index.php
===================================================================
--- typo3/sysext/taskcenter/task/index.php (Revision 10152)
+++ typo3/sysext/taskcenter/task/index.php (Arbeitskopie)
@@ -534,5 +534,6 @@
$SOBE->main();
$SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
?>
Index: typo3/sysext/perm/mod1/index.php
===================================================================
--- typo3/sysext/perm/mod1/index.php (Revision 10152)
+++ typo3/sysext/perm/mod1/index.php (Arbeitskopie)
@@ -516,7 +516,7 @@
'.
'
- ';
+ ' . t3lib_TCEforms::getHiddenTokenField('tceAction');
// Adding section with the permission setting matrix:
$this->content.=$this->doc->divider(5);
@@ -851,5 +851,6 @@
$SOBE->init();
$SOBE->main();
$SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
?>
Index: typo3/sysext/version/ws/index.php
===================================================================
--- typo3/sysext/version/ws/index.php (Revision 10152)
+++ typo3/sysext/version/ws/index.php (Arbeitskopie)
@@ -749,10 +749,10 @@
// $BE_USER->isInWebMount() to check mount points.
$mountpointList = $GLOBALS['BE_USER']->groupData['webmounts'];
// If there are DB mountpoints in the workspace record,
- // then only show the ones that are allowed there (and that are in the users' webmounts)
+ // then only show the ones that are allowed there (and that are in the users' webmounts)
if (trim($wksp['db_mountpoints'])) {
$userMountpoints = explode(',', $mountpointList);
- // now filter the users' to only keep the mountpoints
+ // now filter the users' to only keep the mountpoints
// that are also in the workspaces' db_mountpoints
$workspaceMountpoints = explode(',', $wksp['db_mountpoints']);
$filteredMountpoints = array_intersect($userMountpoints, $workspaceMountpoints);
@@ -803,10 +803,10 @@
// $BE_USER->isInWebMount() to check mount points.
$mountpointList = implode(',', $GLOBALS['BE_USER']->groupData['filemounts']);
// If there are file mountpoints in the workspace record,
- // then only show the ones that are allowed there (and that are in the users' file mounts)
+ // then only show the ones that are allowed there (and that are in the users' file mounts)
if (trim($wksp['file_mountpoints'])) {
$userMountpoints = explode(',', $mountpointList);
- // now filter the users' to only keep the mountpoints
+ // now filter the users' to only keep the mountpoints
// that are also in the workspaces' file_mountpoints
$workspaceMountpoints = explode(',', $wksp['file_mountpoints']);
$filteredMountpoints = array_intersect($userMountpoints, $workspaceMountpoints);
@@ -1090,5 +1090,6 @@
$SOBE->init();
$SOBE->main();
$SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
?>
\ No newline at end of file
Index: typo3/sysext/version/cm1/index.php
===================================================================
--- typo3/sysext/version/cm1/index.php (Revision 10152)
+++ typo3/sysext/version/cm1/index.php (Arbeitskopie)
@@ -534,7 +534,7 @@
-
+ ' . t3lib_TCEforms::getHiddenTokenField('tceAction') . '
';
@@ -1853,5 +1853,6 @@
$SOBE->main();
$SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
?>
\ No newline at end of file
Index: typo3/move_el.php
===================================================================
--- typo3/move_el.php (Revision 10152)
+++ typo3/move_el.php (Arbeitskopie)
@@ -130,7 +130,11 @@
* @return string Onclick attribute content
*/
function onClickEvent($pid,$newPagePID) {
- return 'window.location.href=\'tce_db.php?cmd[pages]['.$GLOBALS['SOBE']->moveUid.']['.$this->moveOrCopy.']='.$pid.'&redirect='.rawurlencode($this->R_URI).'&prErr=1&uPT=1&vC='.$GLOBALS['BE_USER']->veriCode().'\';return false;';
+ return 'window.location.href=\'tce_db.php?cmd[pages][' . $GLOBALS['SOBE']->moveUid . '][' . $this->moveOrCopy . ']=' . $pid .
+ '&redirect=' . rawurlencode($this->R_URI) .
+ '&prErr=1&uPT=1&vC=' . $GLOBALS['BE_USER']->veriCode() .
+ t3lib_BEfunc::getUrlToken('tceAction') .
+ '\';return false;';
}
/**
@@ -462,5 +466,6 @@
$SOBE->init();
$SOBE->main();
$SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
?>
Index: typo3/alt_menu.php
===================================================================
--- typo3/alt_menu.php (Revision 10152)
+++ typo3/alt_menu.php (Arbeitskopie)
@@ -224,5 +224,6 @@
$SOBE->init();
$SOBE->main();
$SOBE->printContent();
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
?>
Index: typo3/alt_doc.php
===================================================================
--- typo3/alt_doc.php (Revision 10152)
+++ typo3/alt_doc.php (Arbeitskopie)
@@ -483,7 +483,7 @@
if (
'.($GLOBALS['BE_USER']->jsConfirmation(4)?'confirm('.$LANG->JScharCode($LANG->getLL('deleteWarning')).')':'1==1').'
) {
- window.location.href = "tce_db.php?cmd["+table+"]["+id+"][delete]=1&redirect="+escape(url)+"&vC='.$BE_USER->veriCode().'&prErr=1&uPT=1";
+ window.location.href = "tce_db.php?cmd["+table+"]["+id+"][delete]=1' . t3lib_BEfunc::getUrlToken('tceAction') . '&redirect="+escape(url)+"&vC=' . $BE_USER->veriCode() . '&prErr=1&uPT=1";
}
return false;
}
@@ -969,7 +969,7 @@
- ';
+ ' . t3lib_TCEforms::getHiddenTokenField('editRecord');
return $formContent;
}
@@ -986,7 +986,7 @@
// Show palettes:
return '
-
'.t3lib_BEfunc::getFuncCheck('','SET[showPalettes]',$this->MOD_SETTINGS['showPalettes'],'alt_doc.php',t3lib_div::implodeArrayForUrl('',array_merge($this->R_URL_getvars,array('SET'=>''))),'id="checkShowPalettes"').'';
+
'.t3lib_BEfunc::getFuncCheck('','SET[showPalettes]',$this->MOD_SETTINGS['showPalettes'],'alt_doc.php',t3lib_div::implodeArrayForUrl('',array_merge($this->R_URL_getvars,array('SET'=>''))) . t3lib_BEfunc::getUrlToken('editRecord'),'id="checkShowPalettes"').'';
}
else {
return '';
@@ -1137,14 +1137,14 @@
if($newTranslation) {
$href = $this->doc->issueCommand(
'&cmd['.$table.']['.$rowsByLang[0]['uid'].'][localize]='.$lang['uid'],
- $this->backPath.'alt_doc.php?justLocalized='.rawurlencode($table.':'.$rowsByLang[0]['uid'].':'.$lang['uid']).'&returnUrl='.rawurlencode($this->retUrl)
+ $this->backPath.'alt_doc.php?justLocalized='.rawurlencode($table.':'.$rowsByLang[0]['uid'].':'.$lang['uid']).'&returnUrl='.rawurlencode($this->retUrl) . t3lib_BEfunc::getUrlToken('editRecord')
);
// create edit url
} else {
$href = $this->backPath.'alt_doc.php?';
$href .= '&edit['.$table.']['.$rowsByLang[$lang['uid']]['uid'].']=edit';
- $href .= '&returnUrl='.rawurlencode($this->retUrl);
+ $href .= '&returnUrl='.rawurlencode($this->retUrl) . t3lib_BEfunc::getUrlToken('editRecord');
}
$langSelItems[$lang['uid']]='
@@ -1191,7 +1191,7 @@
// Create parameters and finally run the classic page module for creating a new page translation
$params = '&edit['.$table.']['.$localizedRecord['uid'].']=edit';
$returnUrl = '&returnUrl='.rawurlencode(t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl')));
- $location = $GLOBALS['BACK_PATH'].'alt_doc.php?'.$params.$returnUrl;
+ $location = $GLOBALS['BACK_PATH'].'alt_doc.php?'.$params.$returnUrl . t3lib_BEfunc::getUrlToken('editRecord');
t3lib_utility_Http::redirect($location);
}
@@ -1209,7 +1209,7 @@
global $LANG;
$modSharedTSconfig = t3lib_BEfunc::getModTSconfig($id, 'mod.SHARED');
-
+
// fallback non sprite-configuration
if (preg_match('/\.gif$/', $modSharedTSconfig['properties']['defaultLanguageFlag'])) {
$modSharedTSconfig['properties']['defaultLanguageFlag'] = str_replace('.gif', '', $modSharedTSconfig['properties']['defaultLanguageFlag']);
@@ -1490,14 +1490,19 @@
// Preprocessing, storing data if submitted to
$SOBE->preInit();
+
+$formprotection = t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection');
+
if ($SOBE->doProcessData()) { // Checks, if a save button has been clicked (or the doSave variable is sent)
- $SOBE->processData();
+ if ($formprotection->validateToken(t3lib_div::_GP('formToken'), 'editRecord')) {
+ $SOBE->processData();
+ }
}
-
// Main:
$SOBE->init();
$SOBE->main();
$SOBE->printContent();
+$formprotection->persistTokens();
?>
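Review bot: When `validateToken()` fails, `processData()` is skipped silently and the script falls through to `main()`/`printContent()`, which presumably re-renders the record from the database, so the user's unsaved edits are dropped with only the session flash message (enabled elsewhere in this patch) as explanation. A short comment on the inner `if` documenting that behaviour, e.g. `// invalid/missing token: discard the submission; BackendFormProtection queues a flash message`, would make the intent visible, and consider whether re-rendering with the submitted values is feasible. The `$formprotection` created before `doProcessData()` is also the instance that must see every `getUrlToken('editRecord')` call in this script, so the redirect hunk earlier in this file (`@@ -1191`) needs its own `persistTokens()` before exiting.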
Index: typo3/js/clearcachemenu.js
===================================================================
--- typo3/js/clearcachemenu.js (Revision 10152)
+++ typo3/js/clearcachemenu.js (Arbeitskopie)
@@ -120,16 +120,20 @@
var oldIcon = toolbarItemIcon.replace(spinner);
if (clickedElement.tagName === 'SPAN') {
- url = clickedElement.up('a').href;
+ link = clickedElement.up('a');
} else {
- url = clickedElement.href;
+ link = clickedElement;
}
- if (url) {
- var call = new Ajax.Request(url, {
+ if (link.href) {
+ var call = new Ajax.Request(link.href, {
'method': 'get',
- 'onComplete': function() {
+ 'onComplete': function(result) {
spinner.replace(oldIcon);
+ // replace used token with new one
+ if (result.responseText.length > 0) {
+ link.href = link.href.substr(0, link.href.length - result.responseText.length) + result.responseText
+ }
}.bind(this)
});
}
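Review bot: `link` is assigned without `var` on both branches of the `tagName` check, creating an implicit global that is shared by every concurrent click. The href update on the `onComplete` line also assumes the new token string has exactly the length of the old one and that the response body consists of nothing but the token; any other non-empty response (an error page, a PHP notice) is spliced onto the URL. Declare `var link;` before the `if`, and replace the token parameter by name rather than by length: `link.href = link.href.replace(/&formToken=[^&]*/, result.responseText);` (the server echoes the `&formToken=…` fragment, so the replacement keeps the leading `&`).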
Index: typo3/alt_clickmenu.php
===================================================================
--- typo3/alt_clickmenu.php (Revision 10152)
+++ typo3/alt_clickmenu.php (Arbeitskopie)
@@ -753,7 +753,7 @@
$conf = '1==1';
}
$editOnClick = 'if(' . $loc . " && " . $conf . " ){" . $loc . ".location.href=top.TS.PATH_typo3+'tce_db.php?redirect='+top.rawurlencode(" . $this->frameLocation($loc . '.document') . ")+'".
- "&cmd[".$table.']['.$uid.'][delete]=1&prErr=1&vC='.$GLOBALS['BE_USER']->veriCode()."';}hideCM();top.nav.refresh();";
+ "&cmd[" . $table . '][' . $uid . '][delete]=1&prErr=1&vC=' . $GLOBALS['BE_USER']->veriCode() . t3lib_BEfunc::getUrlToken('tceAction') . "';}hideCM();top.nav.refresh();";
return $this->linkItem(
$this->label('delete'),
@@ -823,7 +823,7 @@
$loc = 'top.content.list_frame';
$editOnClick = 'if(' . $loc . '){' . $loc . ".location.href=top.TS.PATH_typo3+'tce_db.php?redirect='+top.rawurlencode(" . $this->frameLocation($loc . '.document') . ")+'" .
"&data[" . $table . '][' . $uid . '][' . $flagField . ']=' .
- ($rec[$flagField] ? 0 : 1) .'&prErr=1&vC=' . $GLOBALS['BE_USER']->veriCode()."';}hideCM();top.nav.refresh();";
+ ($rec[$flagField] ? 0 : 1) . '&prErr=1&vC=' . $GLOBALS['BE_USER']->veriCode() . t3lib_BEfunc::getUrlToken('tceAction') . "';}hideCM();top.nav.refresh();";
return $this->linkItem(
$title,
@@ -1140,7 +1140,7 @@
$editOnClick='';
$loc = 'top.content.list_frame';
$editOnClick = 'if(' . $loc . '){' . $loc . '.document.location=top.TS.PATH_typo3+"tce_db.php?redirect="+top.rawurlencode(' . $this->frameLocation($loc . '.document') . ')+"' .
- '&cmd[pages]['.$srcUid.']['.$action.']='.$negativeSign.$dstUid.'&prErr=1&vC='.$GLOBALS['BE_USER']->veriCode().'";}hideCM();top.nav.refresh();';
+ '&cmd[pages][' . $srcUid . '][' . $action . ']=' . $negativeSign . $dstUid . '&prErr=1&vC=' . $GLOBALS['BE_USER']->veriCode() . t3lib_BEfunc::getUrlToken('tceAction') . '";}hideCM();top.nav.refresh();';
return $this->linkItem(
$this->label($action.'Page_'.$into),
@@ -1784,5 +1784,5 @@
$SOBE->main();
$SOBE->printContent();
-
+t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection')->persistTokens();
?>
Index: t3lib/formprotection/class.t3lib_formprotection_backendformprotection.php
===================================================================
--- t3lib/formprotection/class.t3lib_formprotection_backendformprotection.php (Revision 10152)
+++ t3lib/formprotection/class.t3lib_formprotection_backendformprotection.php (Arbeitskopie)
@@ -142,7 +142,8 @@
'LLL:EXT:lang/locallang_core.xml:error.formProtection.tokenInvalid'
),
'',
- t3lib_FlashMessage::ERROR
+ t3lib_FlashMessage::ERROR,
+ TRUE
);
t3lib_FlashMessageQueue::addMessage($message);
}
Index: t3lib/formprotection/class.t3lib_formprotection_invalidtokenexception.php
===================================================================
--- t3lib/formprotection/class.t3lib_formprotection_invalidtokenexception.php (Revision 0)
+++ t3lib/formprotection/class.t3lib_formprotection_invalidtokenexception.php (Revision 0)
@@ -0,0 +1,44 @@
+
+ * All rights reserved
+ *
+ * This script is part of the TYPO3 project. The TYPO3 project is
+ * free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * The GNU General Public License can be found at
+ * http://www.gnu.org/copyleft/gpl.html.
+ *
+ * This script is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * This copyright notice MUST APPEAR in all copies of the script!
+ ***************************************************************/
+
+
+/**
+ * Invalid token exception
+ *
+ *
+ * @package TYPO3
+ * @subpackage t3lib_formprotection
+ * @api
+ * @version $Id$
+ */
+class t3lib_formprotection_InvalidTokenException extends UnexpectedValueException {
+
+}
+
+
+if (defined('TYPO3_MODE') && isset($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['t3lib/formprotection/class.t3lib_formprotection_invalidtokenexception.php'])) {
+ include_once($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['t3lib/formprotection/class.t3lib_formprotection_invalidtokenexception.php']);
+}
+
+?>
Index: t3lib/class.t3lib_befunc.php
===================================================================
--- t3lib/class.t3lib_befunc.php (Revision 10152)
+++ t3lib/class.t3lib_befunc.php (Arbeitskopie)
@@ -3290,6 +3290,18 @@
}
}
+ /**
+ * Generates a token and returns a parameter for the URL
+ *
+ * @param string $formName Context of the token
+ * @param string $tokenName The name of the token GET variable
+ * @return string a URL GET variable including ampersand
+ */
+ public static function getUrlToken($formName = 'securityToken', $tokenName = 'formToken') {
+ $formprotection = t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection');
+ return '&' . $tokenName . '=' . $formprotection->generateToken($formName);
+ }
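Review bot: Neither `$tokenName` nor the generated token is URL-encoded before being concatenated into the query string; `return '&' . rawurlencode($tokenName) . '=' . rawurlencode($formprotection->generateToken($formName));` keeps the helper correct for any caller-supplied name and any future token format. The docblock should also state two contract points every call site in this patch depends on: the token is only stored once `persistTokens()` runs in the same request (this helper does not do it), and the value is placed in a GET URL, so it travels in Referer headers, proxy logs and browser history — callers issuing state-changing commands should prefer `t3lib_TCEforms::getHiddenTokenField()` in a POST form where the UI allows it.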
+
/*******************************************
*
* Core
Index: t3lib/core_autoload.php
===================================================================
--- t3lib/core_autoload.php (Revision 10152)
+++ t3lib/core_autoload.php (Arbeitskopie)
@@ -126,6 +126,7 @@
't3lib_formprotection_abstract' => PATH_t3lib . 'formprotection/class.t3lib_formprotection_abstract.php',
't3lib_formprotection_backendformprotection' => PATH_t3lib . 'formprotection/class.t3lib_formprotection_backendformprotection.php',
't3lib_formprotection_installtoolformprotection' => PATH_t3lib . 'formprotection/class.t3lib_formprotection_installtoolformprotection.php',
+ 't3lib_formprotection_invalidtokenexception' => PATH_t3lib . 'formprotection/class.t3lib_formprotection_invalidtokenexception.php',
't3lib_localrecordlistgettablehook' => PATH_t3lib . 'interfaces/interface.t3lib_localrecordlistgettablehook.php',
't3lib_mail_maileradapter' => PATH_t3lib . 'interfaces/interface.t3lib_mail_maileradapter.php',
't3lib_pageselect_getpagehook' => PATH_t3lib . 'interfaces/interface.t3lib_pageselect_getpagehook.php',
Index: t3lib/class.t3lib_tceforms.php
===================================================================
--- t3lib/class.t3lib_tceforms.php (Revision 10152)
+++ t3lib/class.t3lib_tceforms.php (Arbeitskopie)
@@ -4990,6 +4990,18 @@
}
/**
+ * Generates a token and returns an input field with it
+ *
+ * @param string $formName Context of the token
+ * @param string $tokenName The name of the token GET/POST variable
+ * @return string a complete input field
+ */
+ public static function getHiddenTokenField($formName = 'securityToken', $tokenName = 'formToken') {
+ $formprotection = t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection');
+ return '';
+ }
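Review bot: As rendered here the method assigns `$formprotection` and then returns `''`, so either the hidden input markup was lost in this copy of the patch or the method is a stub; verify that the committed body actually emits the field with `$formprotection->generateToken($formName)` as its value. When it does, both the name and the value land in HTML attributes and should go through `htmlspecialchars()` — `$tokenName` is caller-supplied. The `@return` line should also note that the field is only usable after `persistTokens()` has run in the same request.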
+
+ /**
* This replaces markers in the total wrap
*
* @param array An array of template parts containing some markers.
Index: t3lib/class.t3lib_pagerenderer.php
===================================================================
--- t3lib/class.t3lib_pagerenderer.php (Revision 10152)
+++ t3lib/class.t3lib_pagerenderer.php (Arbeitskopie)
@@ -945,12 +945,26 @@
* @return void
*/
public function addExtDirectCode() {
+ $formprotection = t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection');
+ $token = $formprotection->generateToken('extDirect');
+ $formprotection->persistTokens();
+
// Note: we need to iterate thru the object, because the addProvider method
// does this only with multiple arguments
- $this->addExtOnReadyCode(
- 'for (var api in Ext.app.ExtDirectAPI) {
- Ext.Direct.addProvider(Ext.app.ExtDirectAPI[api]);
- }
+ $this->addExtOnReadyCode('
+ (function() {
+ var token = "' . $token . '";
+ for (var api in Ext.app.ExtDirectAPI) {
+ var provider = Ext.Direct.addProvider(Ext.app.ExtDirectAPI[api]);
+ provider.on("beforecall", function(provider, transaction, meta) {
+ if (transaction.data) {
+ transaction.data[transaction.data.length] = token;
+ } else {
+ transaction.data = [token];
+ }
+ });
+ }
+ })();
var extDirectDebug = function(message, header, group) {
var TYPO3ViewportInstance = null;
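Review bot: The token is interpolated into inline JavaScript as `"' . $token . '"` without escaping; if `generateToken()` ever returns anything outside a plain hex alphabet (not visible here) the script breaks or becomes injectable, so emit it as `var token = ' . json_encode($token) . ';`. The `beforecall` hook appends the token as an extra trailing argument to every call of every provider registered in this loop, which couples all ExtDirect server methods to the router's `array_pop` in this patch; a provider added elsewhere, or a call whose `transaction.data` is not an array, will be rejected server-side, and that contract deserves a comment here. One token is captured per page load and reused for every call; whether that works depends on `validateToken()` not consuming the token, which should be stated as an explicit assumption next to `$formprotection->persistTokens()`.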
Index: t3lib/extjs/class.t3lib_extjs_extdirectrouter.php
===================================================================
--- t3lib/extjs/class.t3lib_extjs_extdirectrouter.php (Revision 10152)
+++ t3lib/extjs/class.t3lib_extjs_extdirectrouter.php (Arbeitskopie)
@@ -74,6 +74,8 @@
$request = array($request);
}
+ $validToken = FALSE;
+ $firstCall = TRUE;
foreach ($request as $index => $singleRequest) {
$response[$index] = array(
'tid' => $singleRequest->tid,
@@ -81,7 +83,18 @@
'method' => $singleRequest->method
);
+ $token = array_pop($singleRequest->data);
+ if ($firstCall) {
+ $firstCall = FALSE;
+ $formprotection = t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection');
+ $validToken = $formprotection->validateToken($token, 'extDirect');
+ }
+
try {
+ if (!$validToken) {
+ throw new t3lib_formprotection_InvalidTokenException('ExtDirect: Invalid Security Token!');
+ }
+
$response[$index]['type'] = 'rpc';
$response[$index]['result'] = $this->processRpc($singleRequest, $namespace);
$response[$index]['debug'] = $GLOBALS['error']->toString();
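Review bot: `array_pop($singleRequest->data)` assumes `data` is a non-empty array; for a request with no parameters, or from a client that did not pass through the page renderer's `beforecall` hook, it raises a warning and yields `null`, which is then handed to `validateToken()`. Guard it with `$token = is_array($singleRequest->data) ? array_pop($singleRequest->data) : '';`. The batch validates only the first request's token and pops the remaining ones unchecked, which matches the client sending a single page token, but if `validateToken()` marks tokens as used, a `persistTokens()` call is also needed on this path — none is visible in the hunk, and the method continues past it.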
Index: t3lib/class.t3lib_clipboard.php
===================================================================
--- t3lib/class.t3lib_clipboard.php (Revision 10152)
+++ t3lib/class.t3lib_clipboard.php (Arbeitskopie)
@@ -636,7 +636,8 @@
'&vC=' . $GLOBALS['BE_USER']->veriCode() .
'&prErr=1&uPT=1' .
'&CB[paste]=' . rawurlencode($table . '|' . $uid) .
- '&CB[pad]=' . $this->current;
+ '&CB[pad]=' . $this->current .
+ t3lib_BEfunc::getUrlToken('tceAction');
return $rU;
}
@@ -653,7 +654,8 @@
'&vC=' . $GLOBALS['BE_USER']->veriCode() .
'&prErr=1&uPT=1' .
'&CB[delete]=1' .
- '&CB[pad]=' . $this->current;
+ '&CB[pad]=' . $this->current .
+ t3lib_BEfunc::getUrlToken('tceAction');
return $rU;
}
Index: t3lib/class.t3lib_positionmap.php
===================================================================
--- t3lib/class.t3lib_positionmap.php (Revision 10152)
+++ t3lib/class.t3lib_positionmap.php (Arbeitskopie)
@@ -496,9 +496,9 @@
function onClickInsertRecord($row, $vv, $moveUid, $pid, $sys_lang = 0) {
$table = 'tt_content';
if (is_array($row)) {
- $location = 'tce_db.php?cmd[' . $table . '][' . $moveUid . '][' . $this->moveOrCopy . ']=-' . $row['uid'] . '&prErr=1&uPT=1&vC=' . $GLOBALS['BE_USER']->veriCode();
+ $location = 'tce_db.php?cmd[' . $table . '][' . $moveUid . '][' . $this->moveOrCopy . ']=-' . $row['uid'] . '&prErr=1&uPT=1&vC=' . $GLOBALS['BE_USER']->veriCode() . t3lib_BEfunc::getUrlToken('tceAction');
} else {
- $location = 'tce_db.php?cmd[' . $table . '][' . $moveUid . '][' . $this->moveOrCopy . ']=' . $pid . '&data[' . $table . '][' . $moveUid . '][colPos]=' . $vv . '&prErr=1&vC=' . $GLOBALS['BE_USER']->veriCode();
+ $location = 'tce_db.php?cmd[' . $table . '][' . $moveUid . '][' . $this->moveOrCopy . ']=' . $pid . '&data[' . $table . '][' . $moveUid . '][colPos]=' . $vv . '&prErr=1&vC=' . $GLOBALS['BE_USER']->veriCode() . t3lib_BEfunc::getUrlToken('tceAction');
}
// $location.='&redirect='.rawurlencode($this->R_URI); // returns to prev. page
$location .= '&uPT=1&redirect=' . rawurlencode(t3lib_div::getIndpEnv('REQUEST_URI')); // This redraws screen
Index: t3lib/class.t3lib_fullsearch.php
===================================================================
--- t3lib/class.t3lib_fullsearch.php (Revision 10152)
+++ t3lib/class.t3lib_fullsearch.php (Arbeitskopie)
@@ -658,9 +658,22 @@
$out .= '' . t3lib_iconWorks::getSpriteIcon('status-dialog-information') . '';
$out .= '' . t3lib_iconWorks::getSpriteIcon('actions-document-open') . '';
} else {
- $out .= '';
+ $out .= '';
$out .= t3lib_iconWorks::getSpriteIcon('actions-edit-restore', array('title' => 'undelete only')) . '';
- $out .= '';
+ $out .= '';
$out .= t3lib_iconWorks::getSpriteIcon('actions-edit-restore-edit', array('title' => 'undelete and edit')) . '';
}
$_params = array($table => $row);