typo3 / qfq
Commit 664d685d authored Mar 17, 2019 by Carsten Rose
Fixes #8012: Stop replace of embedded values
parent bcbb53d4
Pipeline #1752 failed in 2 minutes and 3 seconds
4 changes, 1 pipeline
extension/Documentation/Manual.rst
...
...
@@ -1258,25 +1258,42 @@ QFQ offers different ways of escaping. Which of them to use, depends on the situ
Especially variables used in SQL Statements might cause trouble when using: NUL (ASCII 0), \\n, \\r, \\, ', ", or Control-Z.
Additional there
is the escape class
'p' (password hash) which is not 'escape' but hashing. It transforms the value of
Additional there
function classes like
'p' (password hash) which is not 'escape' but hashing. It transforms the value of
the variable into a hash. The hash function is the one used by Typo3 to encrypt and salt a password. This is useful to
manipulate FE user passwords via QFQ. See `setFeUserPassword`_
The following `escape` and `hashing` types are available:
The following `escape`, `hashing`, `action` types are available:
+-------+----------------------------------------------------------------------------------------------------------------------------------+
| Token | Description |
+=======+==================================================================================================================================+
| m | `real_escape_string() <http://php.net/manual/en/mysqli.real-escape-string.php>`_ (m = mysql) |
+-------+----------------------------------------------------------------------------------------------------------------------------------+
| l | LDAP search filter values: `ldap-escape() <http://php.net/manual/en/function.ldap-escape.php>`_ (LDAP_ESCAPE_FILTER). |
+-------+----------------------------------------------------------------------------------------------------------------------------------+
| L | LDAP DN values. `ldap-escape() <http://php.net/manual/en/function.ldap-escape.php>`_ (LDAP_ESCAPE_DN). |
+-------+----------------------------------------------------------------------------------------------------------------------------------+
| s | Single ticks ' will be escaped against \\'. |
+-------+----------------------------------------------------------------------------------------------------------------------------------+
| d | Double ticks " will be escaped against \\". |
+-------+----------------------------------------------------------------------------------------------------------------------------------+
| C | Colon ':' will be escaped against \\:. |
+-------+----------------------------------------------------------------------------------------------------------------------------------+
| c | Config - the escape type configured in `configuration`_. |
+-------+----------------------------------------------------------------------------------------------------------------------------------+
| p | Password hashing: depends on the hashing type in the Typo3 installation, includes salting if configured. |
+-------+----------------------------------------------------------------------------------------------------------------------------------+
| '' | Nothing defined - the escape type configured in `configuration`_. |
+-------+----------------------------------------------------------------------------------------------------------------------------------+
| - | No escaping. |
+-------+----------------------------------------------------------------------------------------------------------------------------------+
| S | Stop replace. If the replaced value contains variables, they won't be replaced. |
+-------+----------------------------------------------------------------------------------------------------------------------------------+
* 'm' - `real_escape_string() <http://php.net/manual/en/mysqli.real-escape-string.php>`_ (m = mysql)
* 'l' - LDAP search filter values: `ldap-escape() <http://php.net/manual/en/function.ldap-escape.php>`_ (LDAP_ESCAPE_FILTER).
* 'L' - LDAP DN values. `ldap-escape() <http://php.net/manual/en/function.ldap-escape.php>`_ (LDAP_ESCAPE_DN).
* 's' - Single ticks ' will be escaped against \\'.
* 'd' - double ticks " will be escaped against \\".
* 'C' - colon ':' will be escaped against \\:.
* 'c' - config - the escape type configured in `configuration`_.
* 'p' - password hashing: depends on the hashing type in the Typo3 installation, includes salting if configured.
* '' - the escape type configured in `configuration`_.
* '-' - no escaping.
* The `escape` type is defined by the fourth parameter of the variable. E.g.: `{{name:FE:alnumx:m}}` (m = mysql).
* It's possible to combine
different
`escape` types, they will be processed in the order given. E.g. `{{name:FE:alnumx:Ls}}` (L, s).
* It's possible to combine
multiple
`escape` types, they will be processed in the order given. E.g. `{{name:FE:alnumx:Ls}}` (L, s).
* Escaping is typically necessary for all user supplied content, especially if they are processed via SQL or LDAP queries.
* Be careful when escaping nested variables. Best is to escape **only** the most outer variable.
* In configuration_ a global `escapeTypeDefault` can be defined. The configured escape type applies to all substituted
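Review bot: the rewritten intro sentence "Additional there function classes like 'p' (password hash) which is not 'escape' but hashing." is not grammatical; suggest "Additionally there are function classes like 'p' (password hash), which do not escape but transform the value." More important for the #8012 fix: the new 'S' row only says "Stop replace. If the replaced value contains variables, they won't be replaced.", while the '' row still says the configured default applies, so embedded `{{...}}` inside a substituted value keeps being expanded unless the form author opts in with 'S'. Please state that explicitly in the "Be careful when escaping nested variables" bullet (e.g. "add S when the value comes from user input and must not be evaluated again") and say where 'S' goes when combined with other types, since the text says combined types are processed in the order given.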
...
...
extension/Source/core/Constants.php
...
...
@@ -731,6 +731,10 @@ const TOKEN_ESCAPE_MYSQL = 'm';
const
TOKEN_ESCAPE_PASSWORD_T3FE
=
'p'
;
const
TOKEN_ESCAPE_NONE
=
'-'
;
const
TOKEN_ESCAPE_STOP_REPLACE
=
'S'
;
#const TOKEN_ESCAPE_ACTION = 'A';
#const TOKEN_ESCAPE_EXCEPTION = 'X';
// Workaround for PHP < 5.6.0
if
(
!
function_exists
(
'ldap_escape'
))
{
define
(
'LDAP_ESCAPE_FILTER'
,
0x01
);
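Review bot: TOKEN_ESCAPE_STOP_REPLACE = 'S' is added directly under TOKEN_ESCAPE_NONE without a comment, and it differs from the existing single-tick escape 's' only by case; a one-line comment here saying that 'S' escapes nothing but marks the value so embedded {{...}} are not substituted again would help readers of the switch in Evaluate.php. The #-commented TOKEN_ESCAPE_ACTION / TOKEN_ESCAPE_EXCEPTION lines now sitting right after it should either get the same treatment or be removed, so it is clear which tokens are live.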
...
...
extension/Source/core/Evaluate.php
...
...
@@ -349,7 +349,6 @@ class Evaluate {
if
(
$type
==
DND_DATA_DND_API
)
{
return
(
$this
->
inlineDataDndApi
(
$arrToken
,
$dbIndex
,
$foundInStore
));
}
}
...
...
@@ -394,6 +393,9 @@ class Evaluate {
case
TOKEN_ESCAPE_PASSWORD_T3FE
:
$value
=
Password
::
getHash
(
$value
);
break
;
case
TOKEN_ESCAPE_STOP_REPLACE
:
$value
=
Support
::
encryptDoubleCurlyBraces
(
$value
);
break
;
default
:
throw
new
UserFormException
(
"Unknown escape qualifier:
$escape
"
,
UNKNOWN_TYPE
);
break
;
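Review bot: the new case hands the value to Support::encryptDoubleCurlyBraces($value), and the test added in this commit expects parse() to return the braces unchanged ('go start {{hidden:F:alnumx}} end stop'), so the encoding must be reversed after substitution has finished; please add a comment here naming where that reversal happens, because the fix only holds if nothing between this point and the reversal evaluates the value again. Also, the `break;` after `throw new UserFormException(...)` in the default branch is unreachable and can be dropped.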
...
...
extension/Tests/unit/core/EvaluateTest.php
...
...
@@ -465,10 +465,16 @@ class EvaluateTest extends AbstractDatabaseTest {
$this
->
store
->
setVar
(
'a'
,
'h\e,l=l+o< >w;o"r#ld'
,
STORE_FORM
,
true
);
$this
->
assertEquals
(
'h\5ce\2cl\3dl\2bo\3c \3ew\3bo\22r\23ld'
,
$eval
->
substitute
(
'a:F:all:L'
,
$foundInStore
));
$this
->
store
->
setVar
(
'a'
,
' hel;lo world '
,
STORE_FORM
,
true
);
// $this->assertEquals('\20hel\3blo world\20', $eval->substitute('a:F:all:sL', $foundInStore));
# The password contains a dynamic salt - we can't force the salt and we can't force the hash
$this
->
store
->
setVar
(
'a'
,
'password'
,
STORE_FORM
,
true
);
$result
=
$eval
->
substitute
(
'a:F::p'
,
$foundInStore
);
$this
->
assertEquals
(
34
,
strlen
(
$result
));
$this
->
assertEquals
(
'$P$'
,
substr
(
$result
,
0
,
3
));
}
/**
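Review bot: the combined-escape assertion for 'a:F:all:sL' is left commented out ('\20hel\3blo world\20'), so the Manual's statement that combined escape types are processed in the order given has no test behind it; either fix the expected value or leave a comment explaining why it is disabled.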
...
...
@@ -547,6 +553,26 @@ class EvaluateTest extends AbstractDatabaseTest {
$this
->
assertEquals
(
"
$store
- start violate with
\\\"
in string end"
,
$eval
->
parse
(
"
$store
- start {{value:
$store
::::violate with
\"
in string}} end"
));
}
/**
* @throws CodeException
* @throws DbException
* @throws UserFormException
* @throws UserReportException
*/
public
function
testParseActionEscape
()
{
$eval
=
new
Evaluate
(
$this
->
store
,
$this
->
dbArray
[
DB_INDEX_DEFAULT
]);
$this
->
store
->
setVar
(
'hidden'
,
'magic value'
,
STORE_FORM
,
true
);
$this
->
store
->
setVar
(
'a'
,
'start {{hidden:F:alnumx}} end'
,
STORE_FORM
,
true
);
// Recursive replace (already tested)
$this
->
assertEquals
(
'go start magic value end stop'
,
$eval
->
parse
(
'go {{a:F:all}} stop'
));
// Stop Recursive replace
$this
->
assertEquals
(
'go start {{hidden:F:alnumx}} end stop'
,
$eval
->
parse
(
'go {{a:F:all:S}} stop'
));
}
/**
* @throws CodeException
* @throws DbException
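Review bot: testParseActionEscape only exercises 'S' on its own ('a:F:all:S'); since the Manual says combined escape types are processed in the order given, please add a case that combines 'S' with another type (for example 'mS' and 'Sm') and assert that the embedded {{hidden:F:alnumx}} still comes back unevaluated in both orders, as that is the combination a form author will actually use on user-supplied values that also go into SQL. A case where the stored value contains an unbalanced '{{' would also pin down what the stop-replace path does with it.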
...
...