/**
* Lists all public controller actions not covered by the active security policy
*
* @return void
*/
public function showUnprotectedActionsCommand()
{
$controllerClassNames = $this->reflectionService->getAllSubClassNamesForClass('TYPO3\\Flow\\Mvc\\Controller\\AbstractController');
$allActionsAreProtected = TRUE;
foreach ($controllerClassNames as $controllerClassName) {
if ($this->reflectionService->isClassAbstract($controllerClassName)) {
continue;
}
$methodNames = get_class_methods($controllerClassName);
$foundUnprotectedAction = FALSE;
foreach ($methodNames as $methodName) {
if (preg_match('/.*Action$/', $methodName) === 0 || $this->reflectionService->isMethodPublic($controllerClassName, $methodName) === FALSE) {
continue;
}
if ($this->policyService->hasPolicyEntryForMethod($controllerClassName, $methodName) === FALSE) {
if ($foundUnprotectedAction === FALSE) {
$this->outputLine(PHP_EOL . '<b>' . $controllerClassName . '</b>');
$foundUnprotectedAction = TRUE;
$allActionsAreProtected = FALSE;
}
$this->outputLine(' ' . $methodName);
}
}
}
if ($allActionsAreProtected === TRUE) {
$this->outputLine('All public controller actions are covered by your security policy. Good job!');
}
}
/**
* Matches a \TYPO3\Flow\Mvc\RequestInterface against the configured CSRF pattern rules and
* searches for invalid csrf tokens. If this returns TRUE, the request is invalid!
*
* @param \TYPO3\Flow\Mvc\RequestInterface $request The request that should be matched
* @return boolean TRUE if the pattern matched, FALSE otherwise
* @throws \TYPO3\Flow\Security\Exception\AuthenticationRequiredException
*/
public function matchRequest(\TYPO3\Flow\Mvc\RequestInterface $request)
{
if (!$request instanceof ActionRequest || $request->getHttpRequest()->isMethodSafe()) {
$this->systemLogger->log('No CSRF required, safe request', LOG_DEBUG);
return FALSE;
}
if ($this->authenticationManager->isAuthenticated() === FALSE) {
$this->systemLogger->log('No CSRF required, not authenticated', LOG_DEBUG);
return FALSE;
}
if ($this->securityContext->areAuthorizationChecksDisabled() === TRUE) {
$this->systemLogger->log('No CSRF required, authorization checks are disabled', LOG_DEBUG);
return FALSE;
}
$controllerClassName = $this->objectManager->getClassNameByObjectName($request->getControllerObjectName());
$actionName = $request->getControllerActionName() . 'Action';
if (!$this->policyService->hasPolicyEntryForMethod($controllerClassName, $actionName)) {
$this->systemLogger->log(sprintf('CSRF protection filter: allowed %s request without requiring CSRF token because action "%s" in controller "%s" is not restricted by a policy.', $request->getHttpRequest()->getMethod(), $actionName, $controllerClassName), LOG_NOTICE);
return FALSE;
}
if ($this->reflectionService->isMethodTaggedWith($controllerClassName, $actionName, 'skipcsrfprotection')) {
return FALSE;
}
$httpRequest = $request->getHttpRequest();
if ($httpRequest->hasHeader('X-Flow-Csrftoken')) {
$csrfToken = $httpRequest->getHeader('X-Flow-Csrftoken');
} else {
$internalArguments = $request->getMainRequest()->getInternalArguments();
$csrfToken = isset($internalArguments['__csrfToken']) ? $internalArguments['__csrfToken'] : NULL;
}
if (empty($csrfToken)) {
$this->systemLogger->log('CSRF token was empty', LOG_DEBUG);
return TRUE;
}
if (!$this->securityContext->hasCsrfProtectionTokens()) {
throw new \TYPO3\Flow\Security\Exception\AuthenticationRequiredException('No tokens in security context, possible session timeout', 1317309673);
}
if ($this->securityContext->isCsrfProtectionTokenValid($csrfToken) === FALSE) {
$this->systemLogger->log('CSRF token was invalid', LOG_DEBUG);
return TRUE;
}
// the CSRF token was necessary and is valid
return FALSE;
}
