Fix for critical security error related to file include

kitodo · Jun 13, 2024 · 1bfb337 · 1bfb337
1 parent 564bfd4
commit 1bfb337
Showing 1 changed file with 26 additions and 5 deletions.
diff --git a/Classes/Controller/Backend/NewTenantController.php b/Classes/Controller/Backend/NewTenantController.php
@@ -179,7 +179,7 @@ protected function initializeAction(): void
  public function addFormatAction(): void
  {
  // Include formats definition file.
- $formatsDefaults = include(ExtensionManagementUtility::extPath('dlf') . 'Resources/Private/Data/FormatDefaults.php');
+ $formatsDefaults = $this->getRecords('Format');;
 
  $frameworkConfiguration = $this->configurationManager->getConfiguration($this->configurationManager::CONFIGURATION_TYPE_FRAMEWORK);
  // tx_dlf_formats are stored on PID = 0
@@ -221,7 +221,7 @@ public function addFormatAction(): void
  public function addMetadataAction(): void
  {
  // Include metadata definition file.
- $metadataDefaults = include(ExtensionManagementUtility::extPath('dlf') . 'Resources/Private/Data/MetadataDefaults.php');
+ $metadataDefaults = $this->getRecords('Metadata');;
 
  // load language file in own array
  $metadataLabels = $this->languageFactory->getParsedData('EXT:dlf/Resources/Private/Language/locallang_metadata.xlf', $this->siteLanguages[0]->getTypo3Language());
@@ -344,7 +344,7 @@ public function addSolrCoreAction(): void
  public function addStructureAction(): void
  {
  // Include structure definition file.
- $structureDefaults = include(ExtensionManagementUtility::extPath('dlf') . 'Resources/Private/Data/StructureDefaults.php');
+ $structureDefaults = $this->getRecords('Structure');
 
  // load language file in own array
  $structureLabels = $this->languageFactory->getParsedData('EXT:dlf/Resources/Private/Language/locallang_structure.xlf', $this->siteLanguages[0]->getTypo3Language());
@@ -459,15 +459,15 @@ public function errorAction(): void
  /**
  * Get language label for given key and language.
  * 
- * @access protected
+ * @access private
  *
  * @param string $index
  * @param string $lang
  * @param array $langArray
  *
  * @return string
  */
- protected function getLLL(string $index, string $lang, array $langArray): string
+ private function getLLL(string $index, string $lang, array $langArray): string
  {
  if (isset($langArray[$lang][$index][0]['target'])) {
  return $langArray[$lang][$index][0]['target'];
@@ -477,4 +477,25 @@ protected function getLLL(string $index, string $lang, array $langArray): string
  return 'Missing translation for ' . $index;
  }
  }
+
+ /**
+ * Get records from file for given record type.
+ *
+ * @access private
+ *
+ * @param string $recordType
+ *
+ * @return array
+ */
+ private function getRecords(string $recordType): array
+ {
+ $filePath = GeneralUtility::getFileAbsFileName(
+ ExtensionManagementUtility::extPath('dlf') . 'Resources/Private/Data/' . $recordType . 'Defaults.php'
+ );
+
+ if ($filePath) {
+ return include $filePath;
+ }
+ return [];
+ }
 }