Merge pull request #764 from kitodo/prepare-2.3.2

Security fix and preparation for release 2.3.2 - please update!

Documentation/Settings.yml

@@ -11,7 +11,7 @@ conf.py:
  copyright: 2017
  project: Kitodo.Presentation
  version: 2.3
- release: 2.3.1
+ release: 2.3.2
  intersphinx_mapping:
  t3tsref:
  - http://docs.typo3.org/typo3cms/TyposcriptReference/

common/class.tx_dlf_helper.php

@@ -846,6 +846,26 @@ public static function isPPN($id) {
 
  }
 
+ /**
+ * Determine whether or not $url is a valid URL using HTTP or HTTPS scheme.
+ *
+ * @param string $url
+ *
+ * @return bool
+ */
+ public static function isValidHttpUrl($url)
+ {
+ if (!\TYPO3\CMS\Core\Utility\GeneralUtility::isValidUrl($url)) {
+ return false;
+ }
+
+ $parsed = parse_url($url);
+ $scheme = isset($parsed['scheme']) ? $parsed['scheme'] : '';
+ $schemeNormalized = strtolower($scheme);
+
+ return $schemeNormalized === 'http' || $schemeNormalized === 'https';
+ }
+
  /**
  * Load value from user's session.
  *

ext_conf_template.txt

@@ -7,6 +7,9 @@ cliUserGroup = 0
 # cat=Basic; type=boolean; label=LLL:EXT:dlf/locallang.xml:config.makeCliUserGroup
 makeCliUserGroup = 0
 
+# cat=Basic; type=boolean; label=LLL:EXT:dlf/locallang.xml:config.enableInternalProxy
+enableInternalProxy = 0
+
 # cat=Basic; type=string; label=LLL:EXT:dlf/locallang.xml:config.useragent
 useragent = Kitodo.Presentation
 

ext_emconf.php

@@ -21,7 +21,7 @@
  'uploadfolder' => TRUE,
  'createDirs' => '',
  'clearCacheOnLoad' => FALSE,
- 'version' => '2.3.1',
+ 'version' => '2.3.2',
  'constraints' => array (
  'depends' => array (
  'php' => '7.0.0-',

ext_localconf.php

@@ -75,9 +75,10 @@
 // Register AJAX eID handlers.
 $GLOBALS['TYPO3_CONF_VARS']['FE']['eID_include']['tx_dlf_search_suggest'] = 'EXT:'.$_EXTKEY.'/plugins/search/class.tx_dlf_search_suggest.php';
 
-$GLOBALS['TYPO3_CONF_VARS']['FE']['eID_include']['tx_dlf_geturl_eid'] = 'EXT:'.$_EXTKEY.'/plugins/pageview/class.tx_dlf_geturl_eid.php';
-
-$GLOBALS['TYPO3_CONF_VARS']['FE']['eID_include']['tx_dlf_geturl_eid'] = 'EXT:'.$_EXTKEY.'/plugins/pageview/class.tx_dlf_geturl_eid.php';
+$extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['dlf']);
+if (!empty($extConf) && $extConf['enableInternalProxy']) {
+ $GLOBALS['TYPO3_CONF_VARS']['FE']['eID_include']['tx_dlf_geturl_eid'] = 'EXT:'.$_EXTKEY.'/plugins/pageview/class.tx_dlf_geturl_eid.php';
+}
 
 $GLOBALS['TYPO3_CONF_VARS']['FE']['eID_include']['tx_dlf_search_in_document_eid'] = 'EXT:'.$_EXTKEY.'/plugins/toolbox/tools/searchindocument/class.tx_dlf_search_in_document_eid.php';
 

locallang.xml

@@ -147,7 +147,7 @@
  <label index="tx_dlf_toolbox.toolsFulltext">Fulltext</label>
  <label index="tx_dlf_toolbox.toolsImagemanipulation">Image Manipulation</label>
  <label index="tx_dlf_toolbox.toolsImagedownload">Image Download</label>
- <label index="tx_dlf_toolbox.toolsSearchindocument">Search in Document</label>
+ <label index="tx_dlf_toolbox.toolsSearchindocument">Search in Document</label>
  <label index="tt_content.dlf_audioplayer">DLF: Audio Player</label>
  <label index="tt_content.dlf_basket">DLF: Basket</label>
  <label index="tt_content.dlf_collection">DLF: Collection</label>
@@ -165,6 +165,7 @@
  <label index="tt_content.dlf_toolbox">DLF: Toolbox</label>
  <label index="tt_content.dlf_validator">DLF: Validator</label>
  <label index="config.metadataFormats">Default metadata namespaces</label>
+ <label index="config.enableInternalProxy">Enable internal page view proxy?: (default is "FALSE")</label>
  <label index="config.cliUserGroup">CLI user/group</label>
  <label index="config.makeCliUserGroup">Create and configure CLI user/group automatically?: (default is "FALSE")</label>
  <label index="config.useragent">DLF User-Agent: (default is "Kitodo.Presentation")</label>
@@ -363,7 +364,7 @@
  <label index="tx_dlf_toolbox.toolsFulltext">Volltext</label>
  <label index="tx_dlf_toolbox.toolsImagemanipulation">Bildbearbeitung</label>
  <label index="tx_dlf_toolbox.toolsImagedownload">Bild-Download</label>
- <label index="tx_dlf_toolbox.toolsSearchindocument">Suche im Dokument</label>
+ <label index="tx_dlf_toolbox.toolsSearchindocument">Suche im Dokument</label>
  <label index="tt_content.dlf_audioplayer">DLF: Audioplayer</label>
  <label index="tt_content.dlf_basket">DLF: Warenkorb</label>
  <label index="tt_content.dlf_collection">DLF: Kollektion</label>
@@ -381,6 +382,7 @@
  <label index="tt_content.dlf_toolbox">DLF: Werkzeugkasten</label>
  <label index="tt_content.dlf_validator">DLF: Validator</label>
  <label index="config.metadataFormats">Standard-Namensräume für Metadaten</label>
+ <label index="config.enableInternalProxy">Internen Proxy für Werkansicht aktivieren?: (Standard ist "FALSE")</label>
  <label index="config.cliUserGroup">CLI Benutzer/Gruppe</label>
  <label index="config.makeCliUserGroup">CLI Benutzer/Gruppe automatisch anlegen?: (Standard ist "FALSE")</label>
  <label index="config.useragent">DLF User-Agent: (Standard ist "Kitodo.Presentation")</label>

plugins/pageview/class.tx_dlf_geturl_eid.php

@@ -47,22 +47,18 @@ public function main($content = '', $conf = array ()) {
  $this->scriptRelPath = 'plugins/pageview/class.tx_dlf_geturl_eid.php';
 
  $url = GeneralUtility::_GP('url');
+ if (!tx_dlf_helper::isValidHttpUrl($url)) {
+ throw new \InvalidArgumentException('No valid url passed!', 1580482805);
+ }
 
- $includeHeader = \TYPO3\CMS\Core\Utility\MathUtility::forceIntegerInRange(GeneralUtility::_GP('header'), 0, 2, 0);
-
- // first we fetch header separately
- $fetchedHeader = GeneralUtility::getUrl($url, 2);
-
- if ($includeHeader == 0) {
-
- $fetchedData = GeneralUtility::getUrl($url, $includeHeader);
-
- } else {
-
- $fetchedData = $fetchedHeader;
-
+ // get and verify the uHash
+ $uHash = (string) GeneralUtility::_GP('uHash');
+ if (!hash_equals(GeneralUtility::hmac($url, 'PageViewProxy'), $uHash)) {
+ throw new \InvalidArgumentException('No valid uHash passed!', 1643796565);
  }
 
+ $fetchedData = GeneralUtility::getUrl($url);
+
  // add some self calculated header tags
  header('Last-Modified: '.gmdate("D, d M Y H:i:s").'GMT');
  header('Cache-Control: max-age=3600, must-revalidate');

plugins/pageview/class.tx_dlf_pageview.php

@@ -250,7 +250,7 @@ protected function getImage($page) {
  // Configure @action URL for form.
  $linkConf = array (
  'parameter' => $GLOBALS['TSFE']->id,
- 'additionalParams' => '&eID=tx_dlf_geturl_eid&url='.urlencode($image['url']),
+ 'additionalParams' => '&eID=tx_dlf_geturl_eid&url='.urlencode($image['url']) . '&uHash=' . \TYPO3\CMS\Core\Utility\GeneralUtility::hmac($image['url'], 'PageViewProxy'),
  );
 
  $image['url'] = $this->cObj->typoLink_URL($linkConf);
@@ -297,7 +297,7 @@ protected function getFulltext($page) {
  // Configure @action URL for form.
  $linkConf = array (
  'parameter' => $GLOBALS['TSFE']->id,
- 'additionalParams' => '&eID=tx_dlf_geturl_eid&url='.urlencode($fulltext['url']),
+ 'additionalParams' => '&eID=tx_dlf_geturl_eid&url='.urlencode($fulltext['url']) . '&uHash=' . \TYPO3\CMS\Core\Utility\GeneralUtility::hmac($fulltext['url'], 'PageViewProxy'),
  );
 
  $fulltext['url'] = $this->cObj->typoLink_URL($linkConf);

plugins/pageview/tx_dlf_pageview.js

@@ -159,18 +159,12 @@ dlfViewer.prototype.addCustomControls = function(controlNames) {
  //
  // Add image manipulation tool if container is added.
  //
- // It is important to know that the image manipulation tool uses a webgl renderer as basis. Therefor the
- // application has as first to check if the renderer is active. Further it has to check if cors supported through
- // image.
- //
- if ($('#tx-dlf-tools-imagetools').length > 0 && dlfUtils.isWebGLEnabled() && this.isCorsEnabled) {
+ if ($('#tx-dlf-tools-imagetools').length > 0) {
 
  // should be called if cors is enabled
  imageManipulationControl = new dlfViewerImageManipulationControl({
  controlTarget: $('.tx-dlf-tools-imagetools')[0],
- layers: dlfUtils.createOl3Layers(images, '*'),
  map: this.map,
- view: dlfUtils.createOl3View(images)
  });
 
  // bind behavior of both together
@@ -182,11 +176,6 @@ dlfViewer.prototype.addCustomControls = function(controlNames) {
  // set on object scope
  this.imageManipulationControl = imageManipulationControl;
 
- } else if ($('#tx-dlf-tools-imagetools').length > 0) {
-
- // hide the element because the functionality is not supported through missing webgl or cors support.
- $('#tx-dlf-tools-imagetools').addClass('deactivate');
-
  }
 };
 
@@ -339,17 +328,7 @@ dlfViewer.prototype.init = function(controlNames) {
  if (this.imageUrls.length <= 0)
  throw new Error('Missing image source objects.');
 
- /**
- * Is cors enabled. Important information for correct renderer and layer initialization
- * @type {boolean}
- */
- if (this.useInternalProxy) {
- this.isCorsEnabled = true;
- } else {
- this.isCorsEnabled = dlfUtils.isCorsEnabled(this.imageUrls);
- }
-
- this.initLayer(this.imageUrls, this.isCorsEnabled)
+ this.initLayer(this.imageUrls)
  .done($.proxy(function(layers){
 
  var controls = controlNames.length > 0 || controlNames[0] === ""
@@ -437,11 +416,10 @@ dlfViewer.prototype.init = function(controlNames) {
  * Function generate the ol3 layer objects for given image sources. Returns a promise.
  *
  * @param {Array.<{url: *, mimetype: *}>} imageSourceObjs
- * @param {boolean} isCorsEnabled
  * @return {jQuery.Deferred.<function(Array.<ol.layer.Layer>)>}
  * @private
  */
-dlfViewer.prototype.initLayer = function(imageSourceObjs, isCorsEnabled) {
+dlfViewer.prototype.initLayer = function(imageSourceObjs) {
 
  // use deferred for async behavior
  var deferredResponse = new $.Deferred(),
@@ -452,12 +430,11 @@ dlfViewer.prototype.initLayer = function(imageSourceObjs, isCorsEnabled) {
  resolveCallback = $.proxy(function(imageSourceData, layers) {
  this.images = imageSourceData;
  deferredResponse.resolve(layers);
- }, this),
- origin = isCorsEnabled ? '*' : undefined;
+ }, this);
 
  dlfUtils.fetchImageData(imageSourceObjs)
  .done(function(imageSourceData) {
- resolveCallback(imageSourceData, dlfUtils.createOl3Layers(imageSourceData, origin));
+ resolveCallback(imageSourceData, dlfUtils.createOl3Layers(imageSourceData));
  });
 
  return deferredResponse;