[BUGFIX] Fix secity issue

* Provide information about new configuration * Add new configuration option to white list parameter as needed * Deliver 404 if url is invalid Resolves: #1
web-vision · Oct 31, 2015 · 2a9616e · 2a9616e
1 parent 3f30893
commit 2a9616e
Show file tree

Hide file tree

Showing 7 changed files with 27 additions and 11 deletions.
diff --git a/Classes/Utility/UrlUtility.php b/Classes/Utility/UrlUtility.php
@@ -39,7 +39,8 @@ public function urlAvailable($urlToCheck)
             array(),
             $responseHeader
         );
-        return ($responseHeader['http_code'] === '200');
+
+        return ($responseHeader['http_code'] === 200);
     }
 
     /**
@@ -61,7 +62,7 @@ public function filterUrl($urlToFilter, array $parameterWhitelist)
         $filteredUrl = $parsedUrl['scheme'] . '://' . $parsedUrl['host'] . $parsedUrl['path'];
         $urlQuery = array_filter(
             explode('&', $parsedUrl['query']),
-            function ($queryParameter) {
+            function ($queryParameter) use ($parameterName) {
                 list($parameterName) = explode('=', $queryParameter);
                 if(!in_array($parameterName, $parameterWhitelist)) {
                     return false;

diff --git a/Configuration/TypoScript/constants.txt b/Configuration/TypoScript/constants.txt
@@ -7,6 +7,6 @@ plugin.wv_pdfgen {
     # cat=plugin.tx_wv_pdfgen; type=string; label=LLL:EXT:wv_pdfgen/Resources/Private/Language/Backend.xlf:option.urlExtension
     urlExtension = .pdf
 
-    #
-    parameterWhitelist = cHash, type, L, id
+    # cat=plugin.tx_wv_pdfgen; type=string; label=LLL:EXT:wv_pdfgen/Resources/Private/Language/Backend.xlf:option.parameterWhitelist
+    parameterWhitelist = cHash, L, id
 }
diff --git a/Configuration/TypoScript/setup.txt b/Configuration/TypoScript/setup.txt
@@ -16,6 +16,7 @@ pdf {
         # The extension to remove from url, e.g. you can configure realurl to hide the type and how ".pdf".
         urlExtension = {$plugin.wv_pdfgen.urlExtension}
 
+        # List of parameters that are kept during PDF generation.
         parameterWhitelist = {$plugin.wv_pdfgen.parameterWhitelist}
     }
 }
diff --git a/Resources/Private/Language/backend.xlf b/Resources/Private/Language/backend.xlf
@@ -12,6 +12,9 @@
             <trans-unit id="option.urlExtension" xml:space="preserve">
                 <source>URL Extension to remove:Extensions like realurl can map the typeNum to something else like ".pdf". Configure this, so we can use the url.</source>
             </trans-unit>
+            <trans-unit id="option.parameterWhitelist" xml:space="preserve">
+                <source>List of allowd url parameters:All others are removed for security.</source>
+            </trans-unit>
         </body>
     </file>
 </xliff>
diff --git a/Resources/Private/Language/de.backend.xlf b/Resources/Private/Language/de.backend.xlf
@@ -15,6 +15,10 @@
                 <source>URL Extension to remove:Extensions like realurl can map the typeNum to something else like ".pdf". Configure this, so we can use the url.</source>
                 <target>Url-Erweiterung zum entfernen:Extensions wie realurl ermöglichen das umschreiben des type-Parameter zu z.B. ".pdf". Damit die korrekte URL genutzt werden kann muss dies angegeben werden.</target>
             </trans-unit>
+            <trans-unit id="option.parameterWhitelist" xml:space="preserve">
+                <source>List of allowd url parameters:All others are removed for security.</source>
+                <target>Liste mit erlaubten URL-Parametern:Alle anderen Parameter werden während des Aufrufs aus Sicherheitsgründen entfernt.</target>
+            </trans-unit>
         </body>
     </file>
 </xliff>
diff --git a/ext_emconf.php b/ext_emconf.php
@@ -3,7 +3,7 @@
     'title' => 'PDF generation for pages',
     'description' => 'Will generate a PDF version of any page using wkhtmltopdf.',
     'category' => 'frontend',
-    'version' => '1.0.0',
+    'version' => '1.0.1',
     'state' => 'beta',
     'createDirs' => '',
     'clearcacheonload' => false,

diff --git a/readme.md b/readme.md
@@ -5,9 +5,15 @@ Provide an easy way to generate a PDF for any page you have.
 # Setup
 
 Install the extension as usual. Include the static TypoScript where you need
-paged to be generated as PDF.
+pages to be generated as PDF.
 
-Call the given page with the configured `type=` parameter.
+## Enable use of CURL
+
+Please activate the use of curl in TYPO3 `'curlUse' => '1'`. The extension will
+check the provided urls for availability and deliver a 404 if the url is not
+valid.
+
+If the option is not set, the extension won't work.
 
 # Configuration
 
@@ -64,6 +70,11 @@ This configuration will allow to generate urls like
 `http://domain.tld/some-path/some-site.pdf` as pdf version of
 `http://domain.tld/some-path/some-site.html`
 
+# Usage
+
+Call the page, which should be delivered as PDF, with the configured `type=`
+parameter.
+
 # Security
 
 This extension will do a system call to generate the PDFs. While doing so, some
@@ -86,7 +97,3 @@ if you don't remove old ones.
 We will add such things later, but most of them are very easy to extend. So do
 it your own and bring back the efforts to others. Send in Pull Requests /
 patches to the author
-
-We will add such things later, but most of them are very easy to extend. So do
-it your own and bring back the efforts to others. Send in Pull Requests /
-patches to the author.