[WIP][BUGFIX] Prevent possible disk-filler

* As it was possible to modify the url and generate pdf files via script
  to fill up the fiel system, we needed to provide a whitelist for
  parameter to limit valid urls

Resolves: #1

Classes/Generator/Pdf.php

@@ -56,6 +56,10 @@ class Pdf
     public function main($content, array $conf)
     {
         $this->processConfiguration($conf);
+
+        if(!$this->pageAvailable()) {
+            $GLOBALS['TSFE']->pageNotFoundAndExit();
+        }
         $this->generatePdf();
 
         // Redirect to PDF in file system
@@ -109,6 +113,45 @@ protected function getPdfUrl()
         return $this->getDomain() . str_replace(PATH_site, '', $this->getFileName());
     }
 
+    protected function pageAvailable()
+    {
+        $responseHeader = array();
+        \TYPO3\CMS\Core\Utility\GeneralUtility::getUrl(
+            $this->getUrlForGeneration(),
+            2,
+            array(),
+            $responseHeader
+        );
+        return ($responseHeader['http_code'] === '200');
+    }
+
+    protected function filterUrl($urlToFilter)
+    {
+        $filteredUrl = '';
+        $parsedUrl = parse_url($urlToFilter);
+        if(!isset($parsedUrl['query'])) {
+            return $urlToFilter;
+        }
+
+        $filteredUrl = $parsedUrl['scheme'] . '://' . $parsedUrl['host'] . $parsedUrl['path'];
+        $urlQuery = array_filter(
+            explode('&', $parsedUrl['query']),
+            function ($queryParameter) {
+                list($parameterName) = explode('=', $queryParameter);
+                if(!in_array($parameterName, $this->configuration['parameterWhitelist'])) {
+                    return false;
+                }
+                return true;
+            }
+        );
+
+        if(count($urlQuery) > 0) {
+            $filteredUrl .= '?' . implode('&', $urlQuery);
+        }
+
+        return $filteredUrl;
+    }
+
     /**
      * Get url to use for PDF generation.
      *
@@ -118,7 +161,7 @@ protected function getPdfUrl()
      */
     protected function getUrlForGeneration()
     {
-        $urlToConvert = $this->getDomain() . $GLOBALS['TSFE']->siteScript;
+        $urlToConvert = $this->filterUrl($this->getDomain() . $GLOBALS['TSFE']->siteScript);
 
         // Remove type parameter to generate the real url, not the PDF (= endless loop)
         $urlToConvert = str_ireplace('type=' . $this->configuration['typeNum'], '', $urlToConvert);
@@ -163,6 +206,10 @@ protected function processConfiguration(array $configuration)
             }
 
             $this->configuration[$key] = $value;
+
+            if($key === 'parameterWhitelist') {
+                $this->configuration[$key] = \TYPO3\CMS\Core\Utility\GeneralUtility::trimExplode(',', $value);
+            }
         }
 
         // Process only the cli parameter configuration

Configuration/TypoScript/constants.txt

@@ -6,4 +6,7 @@ plugin.wv_pdfgen {
     type = 100
     # cat=plugin.tx_wv_pdfgen; type=string; label=LLL:EXT:wv_pdfgen/Resources/Private/Language/Backend.xlf:option.urlExtension
     urlExtension = .pdf
+
+    #
+    parameterWhitelist = cHash, type, L, id
 }

Configuration/TypoScript/setup.txt

@@ -1,6 +1,5 @@
 pdf = PAGE
 pdf {
-
     # Configure type for PDF output
     typeNum = {$plugin.wv_pdfgen.type}
 
@@ -16,6 +15,7 @@ pdf {
         typeNum < pdf.typeNum
         # The extension to remove from url, e.g. you can configure realurl to hide the type and how ".pdf".
         urlExtension = {$plugin.wv_pdfgen.urlExtension}
-    }
 
+        parameterWhitelist = {$plugin.wv_pdfgen.parameterWhitelist}
+    }
 }