Skip to content

Commit

Permalink
[SECURITY] Avoid disclosing loaded extensions
Browse files Browse the repository at this point in the history
Inline JavaScript settings for RequireJS and ajaxUrls disclose the
existence of specific extensions in a TYPO3 installation.

In case no backend user is logged in RequireJS settings are fetched
using an according endpoint, ajaxUrls (for backend AJAX routes) are
limited to those that are accessible without having a user session.

Resolves: #83855
Releases: master, 9.5, 8.7
Security-Commit: a6275dcec387039a8a40972f3f8a8607d20fe6dd
Security-Bulletin: TYPO3-CORE-SA-2019-001
Change-Id: I7be7e93b2bd67ddcb2e10863577090b34182c555
Reviewed-on: https://review.typo3.org/59527
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
  • Loading branch information
ohader committed Jan 22, 2019
1 parent 3ccf7ed commit 9453d8a
Show file tree
Hide file tree
Showing 5 changed files with 441 additions and 23 deletions.
109 changes: 109 additions & 0 deletions Classes/Controller/RequireJsController.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
<?php
declare(strict_types = 1);
namespace TYPO3\CMS\Core\Controller;

/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Core\Http\JsonResponse;
use TYPO3\CMS\Core\Page\PageRenderer;
use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
* Handling requirejs client requests.
*/
class RequireJsController
{
/**
* @var PageRenderer
*/
protected $pageRenderer;

public function __construct()
{
$this->pageRenderer = GeneralUtility::makeInstance(PageRenderer::class);
}

/**
* Retrieves additional requirejs configuration for a given module name or module path.
*
* The JSON result e.g. could look like:
* {
* "shim": {
* "vendor/module": ["exports" => "TheModule"]
* },
* "paths": {
* "vendor/module": "/public/web/path/"
* },
* "packages": {
* [
* "name": "module",
* ...
* ]
* }
* }
*
* Parameter name either could be the module name ("vendor/module") or a
* module path ("vendor/module/component") belonging to a module.
*
* @param ServerRequestInterface $request
* @return ResponseInterface
*/
public function retrieveConfiguration(ServerRequestInterface $request): ResponseInterface
{
$name = $request->getQueryParams()['name'] ?? null;
if (empty($name) || !is_string($name)) {
return new JsonResponse(null, 404);
}
$configuration = $this->findConfiguration($name);
return new JsonResponse($configuration, !empty($configuration) ? 200 : 404);
}

/**
* @param string $name
* @return array
*/
protected function findConfiguration(string $name): array
{
$relevantConfiguration = [];
$this->pageRenderer->loadRequireJs();
$configuration = $this->pageRenderer->getRequireJsConfig(PageRenderer::REQUIREJS_SCOPE_RESOLVE);

$shim = $configuration['shim'] ?? [];
foreach ($shim as $baseModuleName => $baseModuleConfiguration) {
if (strpos($name . '/', $baseModuleName . '/') === 0) {
$relevantConfiguration['shim'][$baseModuleName] = $baseModuleConfiguration;
}
}

$paths = $configuration['paths'] ?? [];
foreach ($paths as $baseModuleName => $baseModulePath) {
if (strpos($name . '/', $baseModuleName . '/') === 0) {
$relevantConfiguration['paths'][$baseModuleName] = $baseModulePath;
}
}

$packages = $configuration['packages'] ?? [];
foreach ($packages as $package) {
if (!empty($package['name'])
&& strpos($name . '/', $package['name'] . '/') === 0
) {
$relevantConfiguration['packages'][] = $package;
}
}

return $relevantConfiguration;
}
}
Loading

0 comments on commit 9453d8a

Please # to comment.