<?php
namespace SilverStripe\Core\Startup;
use SilverStripe\Control\Controller;
use SilverStripe\Control\Director;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Control\HTTPResponse;
use SilverStripe\Core\Convert;
use SilverStripe\Security\RandomGenerator;
/**
* This is used to protect dangerous GET parameters that need to be detected early in the request
* lifecycle by generating a one-time-use token & redirecting with that token included in the
* redirected URL
*
* @internal This class is designed specifically for use pre-startup and may change without warning
*
* @deprecated 5.0 To be removed in SilverStripe 5.0
*/
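class ParameterConfirmationToken extends AbstractConfirmationToken
{
    /**
     * The name of the GET parameter this token guards
     *
     * @var string
     */
    protected $parameterName = null;

    /**
     * The value of the guarded parameter as given in the main request
     *
     * @var string|null The string value, or null if not provided
     */
    protected $parameter = null;

    /**
     * The value of the guarded parameter as found in the BackURL querystring, if any
     *
     * @var string|null
     */
    protected $parameterBackURL = null;

    /**
     * @param string $parameterName Name of the querystring parameter to check
     * @param HTTPRequest $request
     */
    public function __construct($parameterName, HTTPRequest $request)
    {
        $this->parameterName = $parameterName;
        $this->request = $request;

        // Capture the parameter both from the direct request and from any BackURL it carries
        $this->parameter = $request->getVar($parameterName);
        $this->parameterBackURL = $this->backURLToken($request);

        // Only a token that passes checkToken() is retained; anything else leaves $this->token untouched
        $token = $request->getVar($parameterName . 'token');
        if ($this->checkToken($token)) {
            $this->token = $token;
        }
    }

    /**
     * Check if the guarded parameter appears in the BackURL querystring
     *
     * BackURL is untrusted request input and is not assumed to be a string: a missing value
     * (null) or an array-shaped value (e.g. ?BackURL[]=...) is treated as "not present" rather
     * than being passed to string functions, which on PHP 8 would raise a TypeError (array) or
     * a deprecation notice (null) during pre-startup.
     *
     * @param HTTPRequest $request
     * @return string|null Value of the parameter in the BackURL, or null if not in BackURL
     */
    protected function backURLToken(HTTPRequest $request)
    {
        $backURL = $request->getVar('BackURL');
        if (!is_string($backURL) || strpos($backURL, '?') === false) {
            return null;
        }

        // Only the querystring is of interest; split on the first '?' so that any later '?'
        // remains part of the query instead of being discarded
        $query = explode('?', $backURL, 2)[1];
        parse_str($query, $queryArgs);

        $name = $this->getName();
        return isset($queryArgs[$name]) ? $queryArgs[$name] : null;
    }

    /**
     * Get the name of the guarded parameter
     *
     * @return string
     */
    public function getName()
    {
        return $this->parameterName;
    }

    /**
     * Is the parameter requested?
     * ?parameter and ?parameter=1 are both considered requested
     *
     * @return bool
     */
    public function parameterProvided()
    {
        return $this->parameter !== null;
    }

    /**
     * Is the parameter requested in a BackURL param?
     *
     * @return bool
     */
    public function existsInReferer()
    {
        return $this->parameterBackURL !== null;
    }

    /**
     * A reload is required when the parameter was requested without a valid token
     *
     * @return bool
     */
    public function reloadRequired()
    {
        return $this->parameterProvided() && !$this->tokenProvided();
    }

    /**
     * As reloadRequired(), but a parameter that is only present in the BackURL also
     * counts as requiring a reload
     *
     * @return bool
     */
    public function reloadRequiredIfError()
    {
        return $this->reloadRequired() || $this->existsInReferer();
    }

    /**
     * Remove the guarded parameter from the current request so it is not acted upon
     * without a valid token
     */
    public function suppress()
    {
        // Cleared from both the superglobal and the HTTPRequest; presumably later code may read either
        unset($_GET[$this->parameterName]);
        $this->request->offsetUnset($this->parameterName);
    }

    /**
     * Querystring parameters to carry over on redirect
     *
     * @param bool $includeToken Whether to add a freshly generated token alongside the parameter
     * @return array
     */
    public function params($includeToken = true)
    {
        $params = [
            $this->parameterName => $this->parameter,
        ];
        if ($includeToken) {
            $params[$this->parameterName . 'token'] = $this->genToken();
        }
        return $params;
    }

    /**
     * Base URL for the redirect: the site base when the parameter appears only in the
     * BackURL, otherwise the current URL
     *
     * @return string
     */
    public function getRedirectUrlBase()
    {
        $backURLOnly = $this->existsInReferer() && !$this->parameterProvided();
        return $backURLOnly ? Director::baseURL() : $this->currentURL();
    }

    /**
     * Querystring parameters for the redirect: only this token's params when redirecting
     * to the site base, otherwise the current request vars with this token's params merged in
     *
     * @return array
     */
    public function getRedirectUrlParams()
    {
        $backURLOnly = $this->existsInReferer() && !$this->parameterProvided();
        if ($backURLOnly) {
            return $this->params();
        }
        return array_merge($this->request->getVars(), $this->params());
    }

    /**
     * Build the full redirect URL from its base and querystring parts
     *
     * @return string
     */
    protected function redirectURL()
    {
        $query = http_build_query($this->getRedirectUrlParams());
        return Controller::join_links($this->getRedirectUrlBase(), '?' . $query);
    }
}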