Merge branch 'master' into add_searchoperators_and_fix_highlighting

.github/workflows/codacy.yml → .github/workflows/codacy.yml.disabled

@@ -6,9 +6,6 @@ on:
  branches: [ "master", "1.x", "2.x", "3.2.x", "3.3.x", "4.x" ]
  pull_request:
  branches: [ "master" ]
- # Trigger analysis when a new release is drafted
- release:
- type: [ "created", "edited" ]
 
 permissions:
  contents: read
@@ -34,7 +31,6 @@ jobs:
  with:
  # You can also omit the token and run the tools that support default configurations
  project-token: ${{ secrets.CODACY_TOKEN }}
- verbose: true
  output: results.sarif
  format: sarif
  # Adjust severity of non-security issues

.github/workflows/codeql.yml

@@ -5,8 +5,6 @@ on:
  branches: [ "master", "1.x", "2.x", "3.2.x", "3.3.x", "4.x" ]
  pull_request:
  branches: [ "master" ]
- schedule:
- - cron: "39 1 * * 1"
 
 jobs:
  analyze:

Classes/Common/Helper.php

@@ -915,4 +915,19 @@ public static function getUrl(string $url)
 
  return $content;
  }
+
+ /**
+ * Check if given value is a valid XML ID.
+ * @see https://www.w3.org/TR/xmlschema-2/#ID
+ *
+ * @access public
+ *
+ * @param mixed $id: The ID value to check
+ *
+ * @return bool: TRUE if $id is valid XML ID, FALSE otherwise
+ */
+ public static function isValidXmlId($id): bool
+ {
+ return preg_match('/^[_a-z][_a-z0-9-.]*$/i', $id) === 1;
+ }
 }

Classes/Controller/AbstractController.php

@@ -23,7 +23,6 @@
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Core\Utility\MathUtility;
 
-
 /**
  * Abstract controller class for most of the plugin controller.
  *
@@ -88,10 +87,9 @@ public function injectDocumentRepository(DocumentRepository $documentRepository)
  protected function initialize()
  {
  $this->requestData = GeneralUtility::_GPmerged('tx_dlf');
- if (empty($this->requestData['page'])) {
- $this->requestData['page'] = 1;
- }
- $this->requestData['double'] = MathUtility::forceIntegerInRange($this->requestData['double'], 0, 1, 0);
+
+ // Sanitize user input to prevent XSS attacks.
+ $this->sanitizeRequestData();
 
  // Get extension configuration.
  $this->extConf = GeneralUtility::makeInstance(ExtensionConfiguration::class)->get('dlf');
@@ -108,28 +106,33 @@ protected function initialize()
  *
  * @access protected
  *
- * @param array $requestData: The request data
+ * @param  int $documentId: The document's UID (fallback: $this->requestData[id])
  *
  * @return void
  */
- protected function loadDocument($requestData)
+ protected function loadDocument(int $documentId = 0)
  {
+ // Get document ID from request data if not passed as parameter.
+ if ($documentId === 0 && !empty($this->requestData['id'])) {
+ $documentId = $this->requestData['id'];
+ }
+
  // Try to get document format from database
- if (!empty($requestData['id'])) {
+ if (!empty($documentId)) {
 
  $doc = null;
 
- if (MathUtility::canBeInterpretedAsInteger($requestData['id'])) {
+ if (MathUtility::canBeInterpretedAsInteger($documentId)) {
  // find document from repository by uid
- $this->document = $this->documentRepository->findOneByIdAndSettings((int) $requestData['id']);
+ $this->document = $this->documentRepository->findOneByIdAndSettings($documentId);
  if ($this->document) {
  $doc = Doc::getInstance($this->document->getLocation(), $this->settings, true);
  } else {
- $this->logger->error('Invalid UID "' . $requestData['id'] . '" or PID "' . $this->settings['storagePid'] . '" for document loading');
+ $this->logger->error('Invalid UID "' . $documentId . '" or PID "' . $this->settings['storagePid'] . '" for document loading');
  }
- } else if (GeneralUtility::isValidUrl($requestData['id'])) {
+ } else if (GeneralUtility::isValidUrl($documentId)) {
 
- $doc = Doc::getInstance($requestData['id'], $this->settings, true);
+ $doc = Doc::getInstance($documentId, $this->settings, true);
 
  if ($doc !== null) {
  if ($doc->recordId) {
@@ -146,33 +149,54 @@ protected function loadDocument($requestData)
  $doc->cPid = max(intval($this->settings['storagePid']), 0);
  }
 
- $this->document->setLocation($requestData['id']);
+ $this->document->setLocation($documentId);
  } else {
- $this->logger->error('Invalid location given "' . $requestData['id'] . '" for document loading');
+ $this->logger->error('Invalid location given "' . $documentId . '" for document loading');
  }
  }
 
  if ($this->document !== null && $doc !== null) {
  $this->document->setDoc($doc);
  }
 
- } elseif (!empty($requestData['recordId'])) {
+ } elseif (!empty($this->requestData['recordId'])) {
 
- $this->document = $this->documentRepository->findOneByRecordId($requestData['recordId']);
+ $this->document = $this->documentRepository->findOneByRecordId($this->requestData['recordId']);
 
  if ($this->document !== null) {
  $doc = Doc::getInstance($this->document->getLocation(), $this->settings, true);
  if ($this->document !== null && $doc !== null) {
  $this->document->setDoc($doc);
  } else {
- $this->logger->error('Failed to load document with record ID "' . $requestData['recordId'] . '"');
+ $this->logger->error('Failed to load document with record ID "' . $this->requestData['recordId'] . '"');
  }
  }
  } else {
- $this->logger->error('Invalid ID "' . $requestData['id'] . '" or PID "' . $this->settings['storagePid'] . '" for document loading');
+ $this->logger->error('Invalid ID "' . $documentId . '" or PID "' . $this->settings['storagePid'] . '" for document loading');
  }
  }
 
+ /**
+ * Configure URL for proxy.
+ *
+ * @access protected
+ *
+ * @param string $url URL for proxy configuration
+ *
+ * @return void
+ */
+ protected function configureProxyUrl(&$url) {
+ $this->uriBuilder->reset()
+ ->setTargetPageUid($GLOBALS['TSFE']->id)
+ ->setCreateAbsoluteUri(!empty($this->settings['forceAbsoluteUrl']))
+ ->setArguments([
+ 'eID' => 'tx_dlf_pageview_proxy',
+ 'url' => $url,
+ 'uHash' => GeneralUtility::hmac($url, 'PageViewProxy')
+ ])
+ ->build();
+ }
+
  /**
  * Checks if doc is missing or is empty (no pages)
  *
@@ -219,6 +243,75 @@ protected function getParametersSafely($parameterName)
  return null;
  }
 
+ /**
+ * Sanitize input variables.
+ *
+ * @access protected
+ *
+ * @return void
+ */
+ protected function sanitizeRequestData()
+ {
+ // tx_dlf[id] may only be an UID or URI.
+ if (
+ !empty($this->requestData['id'])
+ && !MathUtility::canBeInterpretedAsInteger($this->requestData['id'])
+ && !GeneralUtility::isValidUrl($this->requestData['id'])
+ ) {
+ $this->logger->warning('Invalid ID or URI "' . $this->requestData['id'] . '" for document loading');
+ unset($this->requestData['id']);
+ }
+
+ // tx_dlf[page] may only be a positive integer or valid XML ID.
+ if (
+ !empty($this->requestData['page'])
+ && !MathUtility::canBeInterpretedAsInteger($this->requestData['page'])
+ && !Helper::isValidXmlId($this->requestData['page'])
+ ) {
+ $this->requestData['page'] = 1;
+ }
+
+ // tx_dlf[double] may only be 0 or 1.
+ $this->requestData['double'] = MathUtility::forceIntegerInRange($this->requestData['double'], 0, 1, 0);
+ }
+
+ /**
+ * Sets page value.
+ *
+ * @access protected
+ *
+ * @return void
+ */
+ protected function setPage() {
+ if (!empty($this->requestData['logicalPage'])) {
+ $this->requestData['page'] = $this->document->getDoc()->getPhysicalPage($this->requestData['logicalPage']);
+ // The logical page parameter should not appear again
+ unset($this->requestData['logicalPage']);
+ }
+
+ $this->setDefaultPage();
+ }
+
+ /**
+ * Sets default page value.
+ *
+ * @access protected
+ *
+ * @return void
+ */
+ protected function setDefaultPage() {
+ // Set default values if not set.
+ // $this->requestData['page'] may be integer or string (physical structure @ID)
+ if (
+ (int) $this->requestData['page'] > 0
+ || empty($this->requestData['page'])
+ ) {
+ $this->requestData['page'] = MathUtility::forceIntegerInRange((int) $this->requestData['page'], 1, $this->document->getDoc()->numPages, 1);
+ } else {
+ $this->requestData['page'] = array_search($this->requestData['page'], $this->document->getDoc()->physicalStructure);
+ }
+ }
+
  /**
  * This is the constructor
  *

Classes/Controller/AudioPlayerController.php

@@ -75,22 +75,14 @@ protected function addPlayerJS()
  public function mainAction()
  {
  // Load current document.
- $this->loadDocument($this->requestData);
+ $this->loadDocument();
  if ($this->isDocMissingOrEmpty()) {
  // Quit without doing anything if required variables are not set.
  return '';
- } else {
- // Set default values if not set.
- // $this->requestData['page'] may be integer or string (physical structure @ID)
- if (
- (int) $this->requestData['page'] > 0
- || empty($this->requestData['page'])
- ) {
- $this->requestData['page'] = MathUtility::forceIntegerInRange((int) $this->requestData['page'], 1, $this->document->getDoc()->numPages, 1);
- } else {
- $this->requestData['page'] = array_search($this->requestData['page'], $this->document->getDoc()->physicalStructure);
- }
  }
+
+ $this->setDefaultPage();
+
  // Check if there are any audio files available.
  $fileGrpsAudio = GeneralUtility::trimExplode(',', $this->extConf['fileGrpAudio']);
  while ($fileGrpAudio = array_shift($fileGrpsAudio)) {

Classes/Controller/Backend/NewTenantController.php

@@ -280,11 +280,13 @@ public function addSolrCoreAction()
  $newRecord = GeneralUtility::makeInstance(SolrCore::class);
  $newRecord->setLabel($this->getLLL('flexform.solrcore', $this->siteLanguages[0]->getTypo3Language(), $beLabels). ' (PID ' . $this->pid . ')');
  $indexName = Solr::createCore('');
- $newRecord->setIndexName($indexName);
+ if (!empty($indexName)) {
+ $newRecord->setIndexName($indexName);
 
- $this->solrCoreRepository->add($newRecord);
+  $this->solrCoreRepository->add($newRecord);
 
- $doPersist = true;
+ $doPersist = true;
+ }
  }
 
  // We must persist here, if we changed anything.
@@ -419,8 +421,10 @@ protected function getLLL($index, $lang, $langArray)
  {
  if (isset($langArray[$lang][$index][0]['target'])) {
  return $langArray[$lang][$index][0]['target'];
- } else {
+ } elseif (isset($langArray['default'][$index][0]['target'])) {
  return $langArray['default'][$index][0]['target'];
+ } else {
+ return 'Missing translation for ' . $index;
  }
  }
 }

Classes/Controller/BasketController.php

@@ -300,7 +300,7 @@ protected function getEntry($data)
  protected function getDocumentData($id, $data)
  {
  // get document instance to load further information
- $this->loadDocument(['id' => $id]);
+ $this->loadDocument((int) $id);
  if ($this->document) {
  // replace url param placeholder
  $urlParams = str_replace("##page##", (int) $data['page'], $this->settings['pdfparams']);
@@ -395,7 +395,7 @@ protected function addToBasket($_piVars, $basket)
  $items = [];
  }
  // get document instance to load further information
- $this->loadDocument(['id' => $documentItem['id']]);
+ $this->loadDocument((int) $documentItem['id']);
  if ($this->isDocMissing()) {
  // Quit without doing anything if required variables are not set.
  return;

Classes/Controller/CalendarController.php

@@ -62,7 +62,7 @@ public function mainAction()
  }
 
  // Load current document.
- $this->loadDocument($this->requestData);
+ $this->loadDocument();
  if ($this->document === null) {
  // Quit without doing anything if required variables are not set.
  return '';
@@ -109,7 +109,7 @@ public function calendarAction()
  $this->requestData = array_merge($this->requestData, $mainrequestData);
 
  // Load current document.
- $this->loadDocument($this->requestData);
+ $this->loadDocument();
  if ($this->document === null) {
  // Quit without doing anything if required variables are not set.
  return '';
@@ -238,7 +238,7 @@ public function yearsAction()
  $this->requestData = array_merge($this->requestData, $mainrequestData);
 
  // Load current document.
- $this->loadDocument($this->requestData);
+ $this->loadDocument();
  if ($this->document === null) {
  // Quit without doing anything if required variables are not set.
  return '';