High severityNVD Advisory· Published Oct 3, 2014· Updated May 6, 2026

CVE-2014-6289


Description

The Ajax dispatcher for Extbase in the Yet Another Gallery (yag) extension before 3.0.1 and Tools for Extbase development (pt_extbase) extension before 1.5.1 allows remote attackers to bypass access restrictions and execute arbitrary controller actions via unspecified vectors.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
dl/yag (Packagist) | < 3.0.1 | 3.0.1
punktde/pt_extbase (Packagist) | < 1.5.1 | 1.5.1


Patches

9969635830fc

Merge the security patch from pt_extbase v1.5.1 into develop

https://github.com/punktDe/pt_extbase · Daniel Lienert · Feb 11, 2014 · via ghsa
2 files changed · +60 −0
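--- a/Classes/Utility/AjaxDispatcher.php
+++ b/Classes/Utility/AjaxDispatcher.php
@@ -115,12 +115,26 @@ class Tx_PtExtbase_Utility_AjaxDispatcher {
 	protected $pageUid;
 
 
+	/**
+	 * @var string
+	 */
+	protected $moduleSignature;
+
+
+	/**
+	 * @var array
+	 */
+	protected $dispatchCallArguments;
+
 
 	/**
 	 * Initializes dispatcher, dispatches request and echos it
 	 */
 	public function initAndEchoDispatch() {
 		// TODO perhaps we should send some headers here?
+
+		$this->dispatchCallArguments = func_get_args();
+
 		echo $this->initAndDispatch();
 	}
 
@@ -132,6 +146,9 @@ public function initAndEchoDispatch() {
      * Call this function if you want to use this dispatcher "standalone"
      */
     public function initAndDispatch() {
+
+		$this->dispatchCallArguments = func_get_args();
+
 		$this->initCallArguments();
 		$content = $this->dispatch();
         return $content;
@@ -146,6 +163,11 @@ public function initAndDispatch() {
      * ATTENTION: You should not call this method without initializing the dispatcher. Use initAndDispatch() instead!
      */
     public function dispatch() {
+
+		$this->dispatchCallArguments = func_get_args();
+		$this->checkModuleAccessIfInBackend();
+		$this->checkAllowedControllerActions();
+
         $configuration['extensionName'] = $this->extensionName;
         $configuration['pluginName'] = $this->pluginName;
 
@@ -166,6 +188,40 @@ public function dispatch() {
     }
 
 
+	/**
+	 * Use the ajaxID to determine the target module and check the users access on that module
+	 *
+	 * @throws Exception
+	 */
+	protected function checkModuleAccessIfInBackend() {
+		if(TYPO3_MODE === 'BE') {
+			if(is_array($this->dispatchCallArguments) && $this->dispatchCallArguments[1] instanceof TYPO3AJAX) {
+				$ajaxId = $this->dispatchCallArguments[1]->getAjaxID();
+				if(!stristr($ajaxId, '::')) throw new \Exception('Please name the ajaxId the following way: TargetModuleSignature::IndividualAJAXIdentifier. The current ajax ID is: ' . $ajaxId, 1391143615);
+				list($moduleSignature) = explode('::', $ajaxId);
+
+				$backendUser = $GLOBALS['BE_USER']; /** @var \TYPO3\CMS\Core\Authentication\BackendUserAuthentication $backendUser */
+				$backendUser->modAccess(array('name' => $moduleSignature, 'access' => array('user', 'group')), TRUE);
+			}
+		}
+	}
+
+
+
+	/**
+	 * Check if the requested action is marked as accessible
+	 *
+	 * @throws Exception
+	 */
+	protected function checkAllowedControllerActions() {
+		if(!$this->extensionName || !$this->controllerName || !$this->actionName) throw new \Exception('Either extension, controller or action is undefined.', 1391146166);
+
+		$nameSpace = implode('.', array('TYPO3_CONF_VARS.EXTCONF.pt_extbase.ajaxDispatcher.allowedControllerActions', $this->extensionName, $this->controllerName, $this->actionName));
+		$actionAccess = Tx_PtExtbase_Utility_NameSpace::getArrayContentByArrayAndNamespace($GLOBALS, $nameSpace);
+		if($actionAccess !== TRUE) throw new \Exception('The requested controller / action is not allowed to be called via ajax / eId. You have to grant the access with the configuration: $GLOBALS[\'' . str_replace('.', "']['", $nameSpace) . "'] = TRUE; in your ext_localconf.php", 1391145113);
+	}
+
+	
 	
 	/**
 	 * @param null $pageUid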
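Review bot: The backend module check added in `checkModuleAccessIfInBackend()` cannot fire when the dispatcher is entered through `initAndEchoDispatch()` or `initAndDispatch()`: each of the three methods overwrites `$this->dispatchCallArguments` with its own `func_get_args()`, the inner calls `$this->initAndDispatch()` and `$this->dispatch()` pass no arguments, so by the time `dispatch()` runs the property is an empty array, `$this->dispatchCallArguments[1]` is an undefined offset and the `instanceof TYPO3AJAX` test is false — the check is skipped silently instead of denying access. Unless the BE AJAX handler is registered to call `dispatch()` directly (the registration is not in this diff), the module-access part of the fix is a no-op, and the `$moduleSignature` property declared at the top of the hunk is never assigned. I would capture the arguments only once, using the same guard at all three sites, `if ($this->dispatchCallArguments === NULL) $this->dispatchCallArguments = func_get_args();`, and make the BE branch fail closed by throwing when no TYPO3AJAX object is available rather than falling through. Separately, `checkAllowedControllerActions()` joins the request-supplied extension, controller and action names with `.`, the same separator the lookup helper uses, and the helper's handling of extra segments is not visible here; validating each name against a plain-identifier pattern (e.g. `preg_match('/^[A-Za-z0-9_]+$/', ...)`) before building `$nameSpace` would keep a name containing `.` from being resolved against a different allowlist entry. The class body continues outside the hunk.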
    
    
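--- a/Classes/Utility/eIDDispatcher.php
+++ b/Classes/Utility/eIDDispatcher.php
@@ -34,6 +34,10 @@
  * @author Daniel Lienert <daniel@lienert.cc>
  */
 
+if (!defined ('TYPO3_MODE')) {
+	die ('Access denied.');
+}
+
 require_once t3lib_extMgm::extPath('pt_extbase') . 'Classes/Utility/AjaxDispatcher.php';
 
 //Connect to database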
    
    
4ab6ca121044

CHG: Removed unused ajaxDispatcher class and its registration in ext_localconf

https://github.com/YAG-Gallery/yag · Daniel Lienert · Jan 31, 2014 · via ghsa
2 files changed · +0 −139
  • Classes/Utility/AjaxDispatcher.php +0 −137 removed
    @@ -1,137 +0,0 @@
    -<?php
    
    -/***************************************************************
    
    -* Copyright notice
    
    -*
    
    -*   2010 Daniel Lienert <daniel@lienert.cc>, Michael Knoll <mimi@kaktusteam.de>
    
    -* All rights reserved
    
    -*
    
    -*
    
    -* This script is part of the TYPO3 project. The TYPO3 project is
    
    -* free software; you can redistribute it and/or modify
    
    -* it under the terms of the GNU General Public License as published by
    
    -* the Free Software Foundation; either version 2 of the License, or
    
    -* (at your option) any later version.
    
    -*
    
    -* The GNU General Public License can be found at
    
    -* http://www.gnu.org/copyleft/gpl.html.
    
    -*
    
    -* This script is distributed in the hope that it will be useful,
    
    -* but WITHOUT ANY WARRANTY; without even the implied warranty of
    
    -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    
    -* GNU General Public License for more details.
    
    -*
    
    -* This copyright notice MUST APPEAR in all copies of the script!
    
    -***************************************************************/
    
    -
    
    -/**
    
    -* Utility to include defined frontend libraries as jQuery and related CSS
    
    -*  
    
    -*
    
    -* @package Utility
    
    -* @author Daniel Lienert <daniel@lienert.cc>
    
    -*/
    
    -
    
    -class Tx_Yag_Utility_AjaxDispatcher {
    
    -	
    
    -	
    
    -	/**
    
    -	 * Extbase Object Manager
    
    -	 * @var Tx_Extbase_Object_ObjectManager
    
    -	 */
    
    -	protected $objectManager;
    
    -	
    
    -	
    
    -	/**
    
    -	 * @var string
    
    -	 */
    
    -	protected $extensionName;
    
    -	
    
    -	
    
    -	/**
    
    -	 * @var string
    
    -	 */
    
    -	protected $pluginName;
    
    -	
    
    -	
    
    -	/**
    
    -	 * @var string
    
    -	 */
    
    -	protected $controllerName;
    
    -	
    
    -	
    
    -	/**
    
    -	 * @var string
    
    -	 */
    
    -	protected $actionName;
    
    -	
    
    -	
    
    -	/**
    
    -	 * @var array
    
    -	 */
    
    -	protected $arguments;
    
    -	
    
    -	
    
    -	
    
    -	/**
    
    -	 * Called by ajax.php / eID.php
    
    -	 * Builds an extbase context and returns the response
    
    -	 */
    
    -	public function dispatch() {
    
    -		$this->prepareCallArguments();
    
    -		
    
    -		$configuration['extensionName'] = $this->extensionName;
    
    -		$configuration['pluginName'] = $this->pluginName;
    
    -		
    
    -		
    
    -		$bootstrap = t3lib_div::makeInstance('Tx_Extbase_Core_Bootstrap');
    
    -		$bootstrap->initialize($configuration);
    
    -		
    
    -		$this->objectManager = t3lib_div::makeInstance('Tx_Extbase_Object_ObjectManager');
    
    -
    
    -		$request = $this->buildRequest();
    
    -		$response = $this->objectManager->create('Tx_Extbase_MVC_Web_Response');
    
    -		
    
    -		$dispatcher =  $this->objectManager->get('Tx_Extbase_MVC_Dispatcher');
    
    -		$dispatcher->dispatch($request, $response);
    
    -
    
    -		echo $response->getContent();
    
    -	}
    
    -
    
    -	
    
    -	
    
    -	/**
    
    -	 * Build a request object
    
    -	 * 
    
    -	 * @return Tx_Extbase_MVC_Web_Request $request
    
    -	 */
    
    -	protected function buildRequest() {
    
    -		$request = $this->objectManager->get('Tx_Extbase_MVC_Web_Request'); /* @var $request Tx_Extbase_MVC_Request */
    
    -		$request->setControllerExtensionName($this->extensionName);
    
    -		$request->setPluginName($this->actionName);
    
    -		$request->setControllerName($this->controllerName);
    
    -		$request->setControllerActionName($this->actionName);
    
    -		$request->setArguments($this->arguments);
    
    -		
    
    -		return $request;
    
    -	}
    
    -	
    
    -	
    
    -	
    
    -	/**
    
    -	 * Prepare the call arguments
    
    -	 * @TODO escape / unescape values ?
    
    -	 */
    
    -	protected function prepareCallArguments() {
    
    -		$callJSON = t3lib_div::_GP('call');
    
    -		
    
    -		//http://t3develop.harper/typo3/ajax.php?ajaxID=yagAjaxDispatcher&id=22&call={%22extensionName%22:%22Yag%22,%22pluginName%22:%22pi1%22,%22controllerName%22:%22Item%22,%22actionName%22:%22showSingle%22,%22arguments%22:{%22item%22:1}}
    
    -		
    
    -		$call = json_decode($callJSON, TRUE);
    
    -		$this->extensionName 	= $call['extensionName'];
    
    -		$this->pluginName 		= $call['pluginName'];
    
    -		$this->controllerName 	= $call['controllerName'];
    
    -		$this->actionName 		= $call['actionName'];
    
    -		$this->arguments 		= $call['arguments'];	
    
    -	}
    
    -}
    
    -?>
    \ No newline at end of file
    
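--- a/ext_localconf.php
+++ b/ext_localconf.php
@@ -84,8 +84,6 @@
 	$TYPO3_CONF_VARS['BE']['AJAX']['txyagM1::getGalleryList'] = t3lib_extMgm::extPath('yag').'Classes/Utility/Flexform/RecordSelector.php:user_Tx_Yag_Utility_Flexform_RecordSelector->getGallerySelectList';
 	$TYPO3_CONF_VARS['BE']['AJAX']['txyagM1::getAlbumList'] = t3lib_extMgm::extPath('yag').'Classes/Utility/Flexform/RecordSelector.php:user_Tx_Yag_Utility_Flexform_RecordSelector->getAlbumSelectList';
 	$TYPO3_CONF_VARS['BE']['AJAX']['txyagM1::getImageList'] = t3lib_extMgm::extPath('yag').'Classes/Utility/Flexform/RecordSelector.php:user_Tx_Yag_Utility_Flexform_RecordSelector->getImageSelectList';
-	$TYPO3_CONF_VARS['BE']['AJAX']['yagAjaxDispatcher'] = t3lib_extMgm::extPath('yag').'Classes/Utility/AjaxDispatcher.php:Tx_Yag_Utility_AjaxDispatcher->dispatch';
-
 
 }
 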
    
