Merge pull request #765 from kitodo/prepare-3.2.3

Security fix and preparation for release 3.2.3 - please update!

Classes/Common/Helper.php

@@ -624,6 +624,26 @@ public static function isPPN($id)
  return self::checkIdentifier($id, 'PPN');
  }
 
+ /**
+ * Determine whether or not $url is a valid URL using HTTP or HTTPS scheme.
+ *
+ * @param string $url
+ *
+ * @return bool
+ */
+ public static function isValidHttpUrl($url)
+ {
+ if (!GeneralUtility::isValidUrl($url)) {
+ return false;
+ }
+
+ $parsed = parse_url($url);
+ $scheme = $parsed['scheme'] ?? '';
+ $schemeNormalized = strtolower($scheme);
+
+ return $schemeNormalized === 'http' || $schemeNormalized === 'https';
+ }
+
  /**
  * Load value from user's session.
  *

Classes/Plugin/Eid/PageViewProxy.php

@@ -12,6 +12,7 @@
 
 namespace Kitodo\Dlf\Plugin\Eid;
 
+use Kitodo\Dlf\Common\Helper;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use TYPO3\CMS\Core\Http\Response;
@@ -26,7 +27,6 @@
  */
 class PageViewProxy
 {
-
  /**
  * The main method of the eID script
  *
@@ -37,29 +37,29 @@ class PageViewProxy
  */
  public function main(ServerRequestInterface $request)
  {
- // header parameter for getUrl(); allowed values 0,1,2; default 0
- $header = (int) $request->getQueryParams()['header'];
- $header = \TYPO3\CMS\Core\Utility\MathUtility::forceIntegerInRange($header, 0, 2, 0);
-
  // the URI to fetch data or header from
  $url = (string) $request->getQueryParams()['url'];
- if (!GeneralUtility::isValidUrl($url)) {
+ if (!Helper::isValidHttpUrl($url)) {
  throw new \InvalidArgumentException('No valid url passed!', 1580482805);
  }
 
- // fetch the requested data or header
- $fetchedData = GeneralUtility::getUrl($url, $header);
+ // get and verify the uHash
+ $uHash = (string) $request->getQueryParams()['uHash'];
+ if (!hash_equals(GeneralUtility::hmac($url, 'PageViewProxy'), $uHash)) {
+ throw new \InvalidArgumentException('No valid uHash passed!', 1643796565);
+ }
+
+ // fetch the requested data
+ $fetchedData = GeneralUtility::getUrl($url);
 
  // Fetch header data separately to get "Last-Modified" info
- if ($header === 0) {
- $fetchedHeaderString = GeneralUtility::getUrl($url, 2);
- if (!empty($fetchedHeaderString)) {
- $fetchedHeader = explode("\n", $fetchedHeaderString);
- foreach ($fetchedHeader as $headerline) {
- if (stripos($headerline, 'Last-Modified:') !== false) {
- $lastModified = trim(substr($headerline, strpos($headerline, ':') + 1));
- break;
- }
+ $fetchedHeaderString = GeneralUtility::getUrl($url, 2);
+ if (!empty($fetchedHeaderString)) {
+ $fetchedHeader = explode("\n", $fetchedHeaderString);
+ foreach ($fetchedHeader as $headerline) {
+ if (stripos($headerline, 'Last-Modified:') !== false) {
+ $lastModified = trim(substr($headerline, strpos($headerline, ':') + 1));
+ break;
  }
  }
  }
@@ -74,9 +74,9 @@ public function main(ServerRequestInterface $request)
  $response = $response->withHeader('Access-Control-Max-Age', '86400');
  $response = $response->withHeader('Content-Type', finfo_buffer(finfo_open(FILEINFO_MIME), $fetchedData));
  }
- if ($header === 0 && !empty($lastModified)) {
+ if (!empty($lastModified)) {
  $response = $response->withHeader('Last-Modified', $lastModified);
  }
  return $response;
  }
-}
+}

Classes/Plugin/PageView.php

@@ -238,7 +238,7 @@ protected function getImage($page)
  'parameter' => $GLOBALS['TSFE']->id,
  'forceAbsoluteUrl' => !empty($this->conf['forceAbsoluteUrl']) ? 1 : 0,
  'forceAbsoluteUrl.' => ['scheme' => !empty($this->conf['forceAbsoluteUrl']) && !empty($this->conf['forceAbsoluteUrlHttps']) ? 'https' : 'http'],
- 'additionalParams' => '&eID=tx_dlf_pageview_proxy&url=' . urlencode($image['url']),
+ 'additionalParams' => '&eID=tx_dlf_pageview_proxy&url=' . urlencode($image['url']) . '&uHash=' . GeneralUtility::hmac($image['url'], 'PageViewProxy'),
  ];
  $image['url'] = $this->cObj->typoLink_URL($linkConf);
  }
@@ -274,7 +274,7 @@ protected function getFulltext($page)
  'parameter' => $GLOBALS['TSFE']->id,
  'forceAbsoluteUrl' => !empty($this->conf['forceAbsoluteUrl']) ? 1 : 0,
  'forceAbsoluteUrl.' => ['scheme' => !empty($this->conf['forceAbsoluteUrl']) && !empty($this->conf['forceAbsoluteUrlHttps']) ? 'https' : 'http'],
- 'additionalParams' => '&eID=tx_dlf_pageview_proxy&url=' . urlencode($fulltext['url']),
+ 'additionalParams' => '&eID=tx_dlf_pageview_proxy&url=' . urlencode($fulltext['url']) . '&uHash=' . GeneralUtility::hmac($fulltext['url'], 'PageViewProxy'),
  ];
  $fulltext['url'] = $this->cObj->typoLink_URL($linkConf);
  }

Resources/Private/Language/Labels.xml

@@ -175,6 +175,7 @@
  <label index="tt_content.dlf_toolbox">DLF: Toolbox</label>
  <label index="tt_content.dlf_validator">DLF: Validator</label>
  <label index="config.metadataFormats">Default metadata namespaces</label>
+ <label index="config.enableInternalProxy">Enable internal page view proxy?: (default is "FALSE")</label>
  <label index="config.useragent">DLF User-Agent: (default is "Kitodo.Presentation")</label>
  <label index="config.forceAbsoluteUrl">Force all links to pages and resources to be absolute?: Only needed for some multi-domain environments; requires a fully qualified Entry Point in Site Configuration (default is "FALSE")</label>
  <label index="config.forceAbsoluteUrlHttps">Use HTTPS for absolute links?: requires a valid Entry Point with "https://..." in Site Configuration (default is "FALSE")</label>
@@ -360,6 +361,7 @@
  <label index="tt_content.dlf_toolbox">DLF: Werkzeugkasten</label>
  <label index="tt_content.dlf_validator">DLF: Validator</label>
  <label index="config.metadataFormats">Standard-Namensräume für Metadaten</label>
+ <label index="config.enableInternalProxy">Internen Proxy für Werkansicht aktivieren? (Standard ist "FALSE")</label>
  <label index="config.useragent">DLF User-Agent: (Standard ist "Kitodo.Presentation")</label>
  <label index="config.forceAbsoluteUrl">Verwende nur absolute Links für Seiten und Ressourcen?: Wird nur in speziellen Multi-Domain-Umgebungen benötigt; erfordert einen voll qualifizierten Einstiegspunkt in der Seitenkonfiguration (Standard ist "FALSE")</label>
  <label index="config.forceAbsoluteUrlHttps">Verwende HTTPS for absolute Links?: erfordert einen Einstiegspunkt mit "https://..." in der Seitenkonfiguration (Standard ist "FALSE")</label>