Moderate severity · NVD Advisory · Updated Mar 27, 2023
CVE-2023-1247
CVE-2023-1247
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pimcore/pimcore (Packagist) | < 11.0.0 | 11.0.0 |
Patches
1da2af2d413b1[Task] Removed the functionality to input metadata html tags in SEO and settings (#14411)
10 files changed · +36 −213
bundles/AdminBundle/public/js/pimcore/document/pages/settings.js+1 −71 modified@@ -21,75 +21,6 @@ pimcore.document.pages.settings = Class.create(pimcore.document.settings_abstrac if (this.layout == null) { - /** - * @deprecated 10.6 Will be removed in 11. - */ - // meta-data - var addMetaData = function (value) { - console.warn('Setting/Editing the `HTML-tags` field is deprecated'); - if(typeof value != "string") { - value = ""; - } - - var count = this.metaDataPanel.query("button").length+1; - - var compositeField = new Ext.form.FieldContainer({ - layout: 'hbox', - hideLabel: true, - items: [{ - xtype: "textfield", - value: value, - width: 636, - name: "metadata_" + count, - }] - }); - - compositeField.add({ - xtype: "button", - iconCls: "pimcore_icon_delete", - handler: function (compositeField, el) { - this.metaDataPanel.remove(compositeField); - this.metaDataPanel.updateLayout(); - }.bind(this, compositeField) - }); - - this.metaDataPanel.add(compositeField); - this.metaDataPanel.updateLayout(); - }.bind(this); - - var user = pimcore.globalmanager.get("user"); - if (user.admin) { - /** - * @deprecated 10.6 Will be removed in 11. - */ - this.metaDataPanel = new Ext.form.FieldSet({ - title: t("html_tags") + " (<meta .../> <link .../> ...) (Deprecated)", - collapsible: false, - autoHeight: true, - width: 700, - style: "margin-top: 20px;", - items: [{ - xtype: "toolbar", - style: "margin-bottom: 10px;", - items: ["->", { - xtype: 'button', - iconCls: "pimcore_icon_add", - handler: addMetaData - }] - }] - }); - - try { - if (typeof this.document.data.metaData == "object" && this.document.data.metaData.length > 0) { - for (var r = 0; r < this.document.data.metaData.length; r++) { - addMetaData(this.document.data.metaData[r]); - } - } - } catch (e) { - } - } - - var updateSerpPreview = function () { var metaPanel = this.layout.getComponent("metaDataPanel"); 
@@ -144,7 +75,7 @@ pimcore.document.pages.settings = Class.create(pimcore.document.settings_abstrac items: [ { xtype:'fieldset', - title: t('title') + ", " + t("description") + " & " + t('metadata'), + title: t('title') + " & " + t("description"), itemId: "metaDataPanel", collapsible: true, autoHeight:true, @@ -185,7 +116,6 @@ pimcore.document.pages.settings = Class.create(pimcore.document.settings_abstrac } } }, - this.metaDataPanel, { xtype: "container", itemId: "serpPreview",
bundles/AdminBundle/src/Controller/Admin/Document/PageController.php+0 −11 modified@@ -148,17 +148,6 @@ public function saveAction(Request $request, StaticPageGenerator $staticPageGene } } - // check if settings exist, before saving meta data - if ($request->get('settings') && is_array($settings)) { - $metaData = []; - for ($i = 1; $i < 30; $i++) { - if (array_key_exists('metadata_' . $i, $settings)) { - $metaData[] = $settings['metadata_' . $i]; - } - } - $page->setMetaData($metaData); - } - list($task, $page, $version) = $this->saveDocument($page, $request); $arguments = [ 'oldPage' => $oldPage,
bundles/CoreBundle/config/event_listeners.yaml+0 −3 modified@@ -53,9 +53,6 @@ services: calls: - [setLogger, ['@logger']] - # Adds Meta Data entries of document to HeadMeta view helper - Pimcore\Bundle\CoreBundle\EventListener\Frontend\DocumentMetaDataListener: ~ - Pimcore\Bundle\CoreBundle\EventListener\Frontend\DocumentRendererListener: ~ Pimcore\Bundle\CoreBundle\EventListener\Frontend\StaticPageGeneratorListener: ~
bundles/CoreBundle/src/EventListener/Frontend/DocumentMetaDataListener.php+0 −82 removed@@ -1,82 +0,0 @@ -<?php -declare(strict_types=1); - -/** - * Pimcore - * - * This source file is available under two different licenses: - * - GNU General Public License version 3 (GPLv3) - * - Pimcore Commercial License (PCL) - * Full copyright and license information is available in - * LICENSE.md which is distributed with this source code. - * - * @copyright Copyright (c) Pimcore GmbH (http://www.pimcore.org) - * @license http://www.pimcore.org/license GPLv3 and PCL - */ - -namespace Pimcore\Bundle\CoreBundle\EventListener\Frontend; - -use Pimcore\Bundle\CoreBundle\EventListener\Traits\PimcoreContextAwareTrait; -use Pimcore\Http\Request\Resolver\DocumentResolver as DocumentResolverService; -use Pimcore\Http\Request\Resolver\PimcoreContextResolver; -use Pimcore\Model\Document\Page; -use Pimcore\Twig\Extension\Templating\HeadMeta; -use Symfony\Component\EventDispatcher\EventSubscriberInterface; -use Symfony\Component\HttpKernel\Event\RequestEvent; -use Symfony\Component\HttpKernel\KernelEvents; - -/** - * Adds Meta Data entries of document to HeadMeta view helper - * - * @internal - */ -class DocumentMetaDataListener implements EventSubscriberInterface -{ - use PimcoreContextAwareTrait; - - public const FORCE_INJECTION = '_pimcore_force_document_meta_data_injection'; - - public function __construct(protected DocumentResolverService $documentResolverService, protected HeadMeta $headMeta) - { - } - - /** - * {@inheritdoc} - */ - public static function getSubscribedEvents(): array - { - return [ - KernelEvents::REQUEST => ['onKernelRequest'], - ]; - } - - /** - * Finds the nearest document for the current request if the routing/document router didn't (e.g. 
static routes) - * - * @param RequestEvent $event - */ - public function onKernelRequest(RequestEvent $event): void - { - $request = $event->getRequest(); - - // just add meta data on master request - if (!$event->isMainRequest() && !$event->getRequest()->attributes->get(self::FORCE_INJECTION)) { - return; - } - - if (!$this->matchesPimcoreContext($request, PimcoreContextResolver::CONTEXT_DEFAULT)) { - return; - } - - $document = $this->documentResolverService->getDocument($request); - - //check if document is set and if route is a document route for exactly that document - if ($document && $request->get('_route') == 'document_' . $document->getId()) { - if ($document instanceof Page && is_array($document->getMetaData())) { - foreach ($document->getMetaData() as $meta) { - $this->headMeta->addRaw($meta); - } - } - } - } -}
bundles/CoreBundle/src/Migrations/Version20230222174636.php+32 −0 added
@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Pimcore\Bundle\CoreBundle\Migrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+final class Version20230222174636 extends AbstractMigration
+{
+ public function getDescription(): string
+ {
+ return '';
+ }
+
+ public function up(Schema $schema): void
+ {
+ if($schema->getTable('documents_page')->hasColumn('metaData')) {
+ $this->addSql('ALTER TABLE documents_page DROP COLUMN metaData');
+ }
+
+ }
+
+ public function down(Schema $schema): void
+ {
+ if(!$schema->getTable('documents_page')->hasColumn('metaData')) {
+ $this->addSql('ALTER TABLE documents_page ADD COLUMN `metaData` TEXT AFTER `description`');
+ }
+
+ }
+}
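Review bot: `getDescription()` returns an empty string, so nothing in the migration output tells an operator that `up()` permanently discards every stored raw head tag; something like `return 'Drop documents_page.metaData (raw HTML head tags, removed in #14411)';` would say so. `down()` re-creates the column but cannot restore its values, which deserves a comment above it, e.g. `// Restores the column only; previously stored metaData values are not recoverable.` Dropping the column removes the stored markup from the database, but pages rendered before the upgrade (the static page generator is referenced elsewhere in this commit) presumably still carry it until they are regenerated, which the upgrade note could mention. The `if(` spacing and the blank line before each closing brace also differ from the other PHP files touched here.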
bundles/InstallBundle/dump/install.sql+0 −1 modified
@@ -165,7 +165,6 @@ CREATE TABLE `documents_page` (
 `template` varchar(255) DEFAULT NULL,
 `title` varchar(255) DEFAULT NULL,
 `description` varchar(383) DEFAULT NULL,
- `metaData` text,
 `prettyUrl` varchar(255) DEFAULT NULL,
 `contentMasterDocumentId` int(11) DEFAULT NULL,
 `targetGroupIds` varchar(255) NOT NULL DEFAULT '',
bundles/PersonalizationBundle/src/Model/Document/Page/Dao.php+1 −0 modified@@ -27,4 +27,5 @@ class Dao extends Model\Document\Page\Dao implements TargetingDocumentDaoInterface { use TargetingDocumentDaoTrait; + }
doc/Development_Documentation/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md+1 −0 modified@@ -223,6 +223,7 @@ pimcore_seo: auto_create_redirects: true ``` - [DataObject] Added new helper inheritance helper function `DataObject\Serivce::useInheritedValues` +- [Page] Removed the functionality to input `metadata` html tags in Settings section of the document. ## 10.6.0
models/Document/Page/Dao.php+1 −6 modified@@ -43,12 +43,7 @@ public function getById(int $id = null): void WHERE documents.id = ?", [$this->model->getId()]); if (!empty($data['id'])) { - if (is_string($data['metaData'])) { - $data['metaData'] = @unserialize($data['metaData']); - } - if (!is_array($data['metaData'])) { - $data['metaData'] = []; - } + $this->assignVariablesToModel($data); } else { throw new Model\Exception\NotFoundException('Page with the ID ' . $this->model->getId() . " doesn't exists");
models/Document/Page.php+0 −39 modified@@ -41,13 +41,6 @@ class Page extends PageSnippet */ protected string $description = ''; - /** - * @internal - * - * @var array - */ - protected array $metaData = []; - /** * {@inheritdoc} */ @@ -84,38 +77,6 @@ public function setTitle(string $title): static return $this; } - /** - * @deprecated - * - * @return $this - */ - public function setMetaData(array $metaData): static - { - trigger_deprecation( - 'pimcore/pimcore', - '10.6.0', - sprintf('%s is deprecated and will be removed in Pimcore 11.', __METHOD__) - ); - - $this->metaData = $metaData; - - return $this; - } - - /** - * @deprecated - */ - public function getMetaData(): array - { - trigger_deprecation( - 'pimcore/pimcore', - '10.6.0', - sprintf('%s is deprecated and will be removed in Pimcore 11.', __METHOD__) - ); - - return $this->metaData; - } - public function getFullPath(bool $force = false): string { $path = parent::getFullPath($force);
Vulnerability mechanics
Not enough inputs (no patches or CWE) to synthesize mechanics for this CVE.