How to sanitize a $_GET on Typo3 extension? - typo3

I have an extension that access a file directory. I use an ajax function to send the path that needs to be access to the controller and in the controller I use a $_GET cause I haven't figure it out how to make it work otherwise.
$image_file_path = $_GET["url_region"];
$d = dir($image_file_path) or die("File not found!");
But of course when you request for something else like ../../.. you can access all other directories.
Could you suggest me a way to sanitize this? Please!

You should provide a cHash as URL parameter and let TYPO3 verify that. This way you can be sure the URL has been generated by TYPO3 itself and thus is valid.

You should consider using t3lib_div::_GET() which unescapes the parameters regardless what php.ini magic_quotes says.

You easily could use a regex to catch all "../" - values of the parameter. The other way could be, that the available paths being defined in a array, or something else, to check up the right access.

Related

How to generate and resolve custom URLs with TYPO3 9.5

Am using $GLOBALS['TSFE']->cObj->typoLink to generate a link and I've an additional parameter like this: ext__pluginname[d64]=31511 and would like to return something like a/b/c. I would then want TYPO3 to give me back the link so I can resolve it when clicked. I've already tried PersistedAliasMapper but won't allow to return anything with a slash in it. I've even tried a custom aspect mapper. I get the error:
Parameter "tx_ext__pluginname__d64" for route "enhancer_tx_ext__pluginname000000003e62d21a000000000514759a" must match "[^/]++" ("a/c" given) to generate a corresponding URL.
Am able to generate and resolve the slugs(urls). I can store them in db and retrieve them for that matter. No problem.
Am generating them from root page (uid 1).
How can i get this to work?
I assume you already have created the desired path in a database table or view already, making use of the slug feature in the TYPO3 backend or creating it yourself.
You could then use the PersistedAliasMapper in your site config (config/sites/default/config.yaml).
If you need multiple values in a single path divided by slashes (not a combined slug field), take a look at the route configuration for the news extension. You just have to use database mappers instead of static ones, but keep in mind this may impact the performance of the routing!
As you did not provide much detail about your use case, I don't really understand why you need such a path structure with slashes.

TYPO3 - Realurl default Settings overwrite?

How can I overwrite the default settings of the TYPO3 extension realurl with my own extension?
this dont work:
// RealUrl Config File
if (!isset($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['realurl']['configFile'])
|| empty(trim($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['realurl']['configFile']))
) {
$GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['realurl']['configFile'] = 'typo3conf/ext/xxx/Resources/Private/Hooks/realurl_conf.php';
}
How can I use this?
Probably the problem is that realurl is inialized and executed very early (it's the first process which needs to translate the speaking url to url parameter which decide which page and which plugin is rendered).
Your attempt to modify the assignment which is done normaly in typo3conf/LocalConfiguration.php could not be attached to that file as it is just an array, which gets written anew automatically every now and then.
You might add that to typo3conf/AdditionalConfiguration.php.
But why don't you request an admin to assign the path to the config-file in your extension in the realurl EM-config by hand?

How to pass filepath as a parameter to URL using perl

I am testing my perl code. I want to pass filepath as a paramter to the URL of the page.
The perl code is dependent on this filepath entirely.
When i set the filepath inside my perl code. (hard coded path), i am able to execute the perl code without any errors. Here is the variable
my $filename="\\\\sfoaepmdata.dcc.com\\folder\\data.txt";
If i pass it via URL, it doesnt work as expected. Can anyone suggest how to pass filepath as a variable in the URL ?
Here is what all i tried to someohow transfer $filename from url to perl code.
http://apmqa.dcc.com/cgi-bin/test/editor.pl?filename=\\\\sfoaepmdata.dcc.com\\folder\\data.txt
http://apmqa.dcc.com/cgi-bin/test/editor.pl?filename=\\sfoaepmdata.dcc.com\folder\data.txt
http://apmqa.dcc.com/cgi-bin/test/editor.pl?filename=//sfoaepmdata.dcc.com/folder/data.txt
http://apmqa.dcc.com/cgi-bin/test/editor.pl?filename=////sfoaepmdata.dcc.com//folder//data.txt
http://apmqa.dcc.com/cgi-bin/test/editor.pl?filename=file://sfoaepmdata.dcc.com/folder/data.txt
http://apmqa.dcc.com/cgi-bin/test/editor.pl?filename=file:////sfoaepmdata.dcc.com//folder//data.txt
http://apmqa.dcc.com/cgi-bin/test/editor.pl?filename=http:////sfoaepmdata.dcc.com//folder//data.txt
http://apmqa.dcc.com/cgi-bin/test/editor.pl?filename=http://sfoaepmdata.dcc.com/folder/data.txt
The above data may seem confusing. But please only read values after ?ffilename. Can anyone pls suggest.
I also tried passing other normal paramters and it worked. for e.g.
$account=GEL; the filepath doesnt work.
http://apmqa.dcc.com/cgi-bin/test/editor.pl?account=GEL
the solution was pretty simple. i first need to get the user parameter converted to perl and then work on it accordingly.
$filename = $cgi->param('filename');
By this code, we will get the filepath from the user in $filename and we can work on the required file. Hope it helps someone. thanks.
The passed parameters to the URL would be as shown below
?filename=\\sfoaepmdata.dcc.com\folder\data.txt

Typo3 Indexed Search Local_Lang path

i am wondering what TS code is needed to set path to my own indexed search local_lang.
I changed what i needed in pi1/local_lang but i would like to set it to my own so i can have the edited (Croatian in this case) for future projects.
Something like:
plugin.tx_indexedsearch.templateFile = fileadmin/search_temp.html
but for Local_lang of it?
with this lines you can overwrite individual translations:
plugin.tx_myPlugin_pi1._LOCAL_LANG.de.key = value;
plugin.tx_myPlugin_pi1._LOCAL_LANG.en.key = value;
I think that not all extensions supports a complete own localLang file, but not 100% sure.
You could add your translation to the official Translation Server . So your translation will be available trough the Translation Modul in TYPO3 Backend.
The croation translation for indexed_search is managed there: http://translation.typo3.org/hr/TYPO3.TYPO3.core.indexed_search/
There is a single-sign-on with typo3.org implemented. So you need an account on typo3.org first.

How do I get the text-form verification code when doing auto site access in Perl?

I'm playing around with Win32::IE:Mechanize to try to access some authentication-required sites automatically. So far I've achieved moderate success, for example, I can automatically log in to my yahoo mailbox. But I find many sites are using some kind of image verification mechanism, which is possibly called CAPTCHA. I can do nothing to them. But one of the sites I'm trying to auto access is using a plain-text verification code. It is comnposed of four digits, selectable and copyable. But they're not in the source file which can be fetched using
$mech->content;
I searched for the keyword that appears on the webpage but not in the source file through all the files in the Temporary Internet Files but still can't find it.
Any idea what's going on? I was suspecting that the verification code was somehow hidden in some cookie file but I can't seem to find it :(
The following is the code that completes all the fields requirements except for the verification code:
use warnings;
use Win32::IE::Mechanize;
my $url = "http://www.zjsmap.com/smap/smap_login.jsp";
my $eccode = "myeccode";
my $username = "myaccountname";
my $password = "mypassword";
my $verify = "I can't figure out how to let the script get the code yet"
my $mech = Win32::IE::Mechanize->new(visible=>1);
$mech->get($url);
sleep(1); #avoids undefined value error
$mech->form_name("BaseForm");
$mech->field(ECCODE => $eccode);
$mech->field(MEMBERACCOUNT => $username);
$mech->field(PASSWORD => $password);
$mech->field(verify => $verify);
$mech->click();
Like always any suggestions/comments would be greatly appreciated :)
UPDATE
I've figured out a not-so-smart way to solve this problem. Please comment on my own asnwer posted below. Thanks like always :)
This is the reason why they are there. To stop program like yours to do automated stuff ;-)
A CAPTCHA or Captcha is a type of
challenge-response test used in
computing to ensure that the response
is not generated by a computer.
This appears to be an irrelevant number. The page uses it in 3 places: generating it; displaying it on the form next to the input field for it; and checking for the input value being equal to the random number chosen. That is, it is a client-only check. Still, if you disable javascript it looks like, I'm guessing, important cookies don't get set. If you can execute JavaScript in the context of the page (you should be able to with a get method call and a javascript URI), you could change the value of random_number to f.e. 42 and fill that in on the form.
The code is inserted by JavaScript – disable JS, reload the page and see it disappear. You have to hunt through the JS code to get an idea where it comes from and how to replicate it.
Thanks to james2vegas, zoul and Shoban.
I've finally figured out on my own a not-so-smart but at-least-workable way to solve the problem I described here. I'd like to share it here. I think the approach suggested by #james2vegas is probably much better...but anyway I'm learning along the way.
My approach is this:
Although the verification code is not in the source file but since it is still selectable and copyable, I can let my script copy everything in the login page and then extract the verification code.
To do this, I use the sendkeys functions in the Win32::Guitest module to do "Select All" and "Copy" to the login page.
Then I use Win32:Clipboard to get the clipboard content and then Regexp to extract the code. Something like this:
$verify = Win32::Clipboard::GetText();
$verify =~ s/.* (\d{4}).*/$1/msg;
A few thoughts:
The random number is generated by something like this in Perl
my $random_number = int(rand(8999)) + 1000; #var random_number = rand(1000,10000);
And then it checks if $verify == $random_number. I don't know how to catch the value of one-session-only $random_number. I think it is stored somewhere in the memory. If I can capture the value directly then I wouldn't have gone to so much trouble of using this and that extra module.