37
37
use Throwable ;
38
38
use TYPO3 \CMS \Core \Configuration \Exception \ExtensionConfigurationExtensionNotConfiguredException ;
39
39
use TYPO3 \CMS \Core \Configuration \Exception \ExtensionConfigurationPathDoesNotExistException ;
40
+ use TYPO3 \CMS \Core \Context \Context ;
41
+ use TYPO3 \CMS \Core \Context \SecurityAspect ;
40
42
use TYPO3 \CMS \Core \Http \PropagateResponseException ;
43
+ use TYPO3 \CMS \Core \Security \RequestToken ;
41
44
use TYPO3 \CMS \Core \Utility \ArrayUtility ;
42
45
use TYPO3 \CMS \Core \Utility \GeneralUtility ;
43
46
use TYPO3 \CMS \Extbase \Annotation as ExtbaseAnnotation ;
@@ -82,12 +85,14 @@ public function formAction(): ResponseInterface
82
85
);
83
86
$ form = $ event ->getForm ();
84
87
SessionUtility::saveFormStartInSession ($ this ->settings , $ form );
88
+ $ requestToken = RequestToken::create ('powermail/create ' );
85
89
$ this ->view ->assignMultiple (
86
90
[
87
91
'form ' => $ form ,
88
92
'ttContentData ' => $ this ->contentObject ->data ,
89
93
'messageClass ' => $ this ->messageClass ,
90
94
'action ' => ($ this ->settings ['main ' ]['confirmation ' ] ? 'checkConfirmation ' : 'checkCreate ' ),
95
+ 'requestToken ' => $ requestToken ,
91
96
]
92
97
);
93
98
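Review bot: The scope `'powermail/create'` is a bare string literal here in formAction and is repeated in the scope comparison in createAction and in prepareOutput, so the issuing and the verifying side only agree as long as three literals stay identical. A class constant such as `private const REQUEST_TOKEN_SCOPE = 'powermail/create';` used at all three places removes that risk. As the comment in the revocation hunk indicates, the token is tied to a nonce cookie, so if this action's output can be served from the page cache (not visible here), visitors would receive a token signed for someone else and fail verification. It is worth confirming that the form is rendered uncached. formAction's body starts and ends outside this hunk.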
@@ -262,6 +267,35 @@ public function createAction(Mail $mail, string $hash = ''): ResponseInterface
262
267
if ($ mail ->getUid () !== null && !HashUtility::isHashValid ($ hash , $ mail )) {
263
268
return (new ForwardResponse ('form ' ))->withoutArguments ();
264
269
}
270
+ $ context = GeneralUtility::makeInstance (Context::class);
271
+ $ securityAspect = SecurityAspect::provideIn ($ context );
272
+ $ requestToken = $ securityAspect ->getReceivedRequestToken ();
273
+
274
+ if ($ requestToken === null ) {
275
+ $ this ->addFlashMessage (
276
+ LocalizationUtility::translate ('error_requesttoken_missing ' ),
277
+ \TYPO3 \CMS \Core \Type \ContextualFeedbackSeverity::ERROR
278
+ );
279
+ $ this ->messageClass = 'error ' ;
280
+ return (new ForwardResponse ('form ' ))->withArguments (['messageClass ' => $ this ->messageClass ]);
281
+ }
282
+ if ($ requestToken === false ) {
283
+ $ this ->addFlashMessage (
284
+ LocalizationUtility::translate ('error_requesttoken_not_verified ' ),
285
+ \TYPO3 \CMS \Core \Type \ContextualFeedbackSeverity::ERROR
286
+ );
287
+ $ this ->messageClass = 'error ' ;
288
+ return (new ForwardResponse ('form ' ))->withArguments (['messageClass ' => $ this ->messageClass ]);
289
+ }
290
+ if ($ requestToken ->scope !== 'powermail/create ' ) {
291
+ $ this ->addFlashMessage (
292
+ LocalizationUtility::translate ('error_requesttoken_wrong_scope ' ),
293
+ \TYPO3 \CMS \Core \Type \ContextualFeedbackSeverity::ERROR
294
+ );
295
+ $ this ->messageClass = 'error ' ;
296
+ return (new ForwardResponse ('form ' ))->withArguments (['messageClass ' => $ this ->messageClass ]);
297
+ }
298
+
265
299
$ event = GeneralUtility::makeInstance (FormControllerCreateActionBeforeRenderViewEvent::class, $ mail , $ hash , $ this );
266
300
$ this ->eventDispatcher ->dispatch ($ event );
267
301
$ mail = $ event ->getMail ();
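Review bot: createAction now rejects every request without a token, but the hash check directly above shows it is also entered for an already stored mail (`getUid() !== null` with a valid `$hash`); if that path is reached from a plain link rather than a form post, presumably an opt-in confirmation that is not visible here, the `null` branch will turn it away. That flow would need either a token of its own or an explicit exemption that is taken only once the hash has been verified. The three rejection branches also differ only in the translation key, so the key can be resolved first and the flash message and forward written once, as sketched below. createAction's body starts and ends outside this hunk.

```php
$requestToken = $securityAspect->getReceivedRequestToken();

// Arms are evaluated in order, so ->scope is only read on a verified token object.
$tokenError = match (true) {
    $requestToken === null => 'error_requesttoken_missing',
    $requestToken === false => 'error_requesttoken_not_verified',
    $requestToken->scope !== 'powermail/create' => 'error_requesttoken_wrong_scope',
    default => null,
};
if ($tokenError !== null) {
    $this->addFlashMessage(
        LocalizationUtility::translate($tokenError),
        \TYPO3\CMS\Core\Type\ContextualFeedbackSeverity::ERROR
    );
    $this->messageClass = 'error';
    return (new ForwardResponse('form'))->withArguments(['messageClass' => $this->messageClass]);
}
// … unchanged: FormControllerCreateActionBeforeRenderViewEvent dispatch …
```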
@@ -322,6 +356,14 @@ public function createAction(Mail $mail, string $hash = ''): ResponseInterface
322
356
$ this ->contentObject
323
357
);
324
358
359
+ // The middleware takes care to remove the cookie in case no other
360
+ // nonce value shall be emitted during the current HTTP request
361
+ if ($ requestToken ->getSigningSecretIdentifier () !== null ) {
362
+ $ securityAspect ->getSigningSecretResolver ()->revokeIdentifier (
363
+ $ requestToken ->getSigningSecretIdentifier (),
364
+ );
365
+ }
366
+
325
367
return $ this ->htmlResponse ();
326
368
}
327
369
@@ -372,6 +414,7 @@ protected function sendMailPreflight(Mail $mail, string $hash = ''): void
372
414
*/
373
415
protected function prepareOutput (Mail $ mail ): void
374
416
{
417
+ $ requestToken = RequestToken::create ('powermail/create ' );
375
418
$ this ->view ->assignMultiple (
376
419
[
377
420
'variablesWithMarkers ' => $ this ->mailRepository ->getVariablesWithMarkersFromMail ($ mail , true ),
@@ -382,6 +425,7 @@ protected function prepareOutput(Mail $mail): void
382
425
'uploadService ' => $ this ->uploadService ,
383
426
'powermail_rte ' => $ this ->settings ['thx ' ]['body ' ],
384
427
'powermail_all ' => TemplateUtility::powermailAll ($ mail , 'web ' , $ this ->settings , $ this ->actionMethodName ),
428
+ 'requestToken ' => $ requestToken ,
385
429
]
386
430
);
387
431
$ this ->view ->assignMultiple ($ this ->mailRepository ->getVariablesWithMarkersFromMail ($ mail , true ));