
TYPO3: How do I avoid form objectID manipulation?

I would like to avoid the manipulation of the hidden field (__identity) in a form. For example the edit form. If someone goes to the inspector and changes the value to another uid, then the update action will actually update the manipulated value instead of the original.

[Image: manipulation]

Now if someone changes this to 8, then the update action will update the object with the uid 8.

Is there a way to avoid such action?

  • TYPO3: v9
  • Mode: Composer Mode

Best regards

Thanks to @Daniel Siepmann (typo3.slack.com) for pointing me in the right direction. So the answer is simple and easy to implement.

TYPO3 uses hmac for internal purposes and has a static function called hmac under the GeneralUtility class.

Concept:

We create a hidden field in the form with a hmac string based on the uid of the object and a word of your choice (to make the decryption more difficult for the attacker). Then in the controller we regenerate the hmac with the uid that has been passed via the form arguments to the controller and the word we previously defined. If they match, then the object can be updated. If not, then we redirect the user to another page (error or list view, it is up to you).

How to use it:

your_extension/Classes/Controller/YourController.php

/* Requires: use TYPO3\CMS\Core\Utility\GeneralUtility; */
public function editAction(Object $object)
{
    /* Sign the uid with the site's encryption key plus our own word; cast to string because hmac() hashes string input */
    $hmac = GeneralUtility::hmac((string)$object->getUid(), 'yourWord');
    $this->view->assign('hmac', $hmac);
    $this->view->assign('object', $object);
}

Here we generate the hmac based on the object uid and a word that you alone can specify. Then we pass it to the frontend in order to add it to the hidden field and later to compare it.

VERY IMPORTANT: I would strongly recommend using a word as well. It must be the same everywhere you use it. For me now the word is yourWord.

your_extension/Resources/Private/Templates/Edit.html

<f:form action="update" name="object" object="{object}" extensionName="ExtensionName" pageUid="{settings.flexform.pages.update.pid}" enctype="multipart/form-data">
    <f:form.hidden name="hmac" value="{hmac}" />
    {...}
</f:form>

Here we define the hidden field with the hmac value. We are going to compare it in the controller.

your_extension/Classes/Controller/YourController.php

public function initializeUpdateAction()
{
    $args = $this->request->getArguments();

    /* Check that the user has not deleted the hmac hidden field (and that an identity was posted at all) */
    if (!empty($args['hmac']) && isset($args['object']['__identity'])) {

        /* Regenerate the hmac to compare it with the one from the $args variable */
        $hmac = GeneralUtility::hmac((string)$args['object']['__identity'], 'yourWord');

        /* Constant-time comparison; a mismatch means the uid was manipulated */
        if (!hash_equals($hmac, (string)$args['hmac'])) {
            $this->redirect('list', 'ControllerName', 'ExtensionName', null, $this->settings['global']['error']['pid']);
        }
    } else {
        $this->redirect('list', 'ControllerName', 'ExtensionName', null, $this->settings['global']['error']['pid']);
    }
}

Here we first check whether the hmac exists. The user might have deleted the hidden field to avoid the comparison. If TYPO3 does not find any hmac in the passed arguments ($args['hmac']), then it will redirect the user to the specified page and the object won't be updated.

If TYPO3 finds a hmac, then it generates another hmac with the given uid ($args['object']['__identity']) and the word you generated the previous hmac with. If it does not match, that means that the user has manipulated the uid. Then TYPO3 redirects the user to the specified page and the object won't be updated.

All this could be written more elegantly, but for the sake of this answer, I tried to make it short.

Best regards
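The sign-then-verify flow from the answer carried through as a stand-alone PHP script, added here as an illustration and not taken from the answer or from TYPO3. `IdentitySigner` is a hypothetical helper that reproduces the shape of `GeneralUtility::hmac` (a sha1 HMAC keyed with the site's encryptionKey concatenated with the additional secret) so that it runs without a TYPO3 installation; the encryption key, the uids, the frontend user uid and the request arrays are constructed. It goes one step beyond the answer in two ways: the token is also bound to the logged-in frontend user's uid, so a token issued for one user's edit form is worthless when posted by another user, and the comparison uses `hash_equals` rather than `!==`.

```php
<?php
declare(strict_types=1);

/* Hypothetical helper (not TYPO3 code): signs and verifies the __identity of a form object. */
final class IdentitySigner
{
    /** @var string In TYPO3 this would be $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']. */
    private $encryptionKey;

    public function __construct(string $encryptionKey)
    {
        $this->encryptionKey = $encryptionKey;
    }

    /* Same shape as GeneralUtility::hmac($input, $additionalSecret): sha1 HMAC keyed with encryptionKey . additionalSecret. */
    private function hmac(string $input, string $additionalSecret): string
    {
        return hash_hmac('sha1', $input, $this->encryptionKey . $additionalSecret);
    }

    /* The additional secret combines the developer's word with the user's uid, so the token is per record AND per user. */
    private function secretFor(string $word, int $feUserUid): string
    {
        return $word . ':' . $feUserUid;
    }

    /* Called when the edit form is rendered: the value that goes into the hidden "hmac" field. */
    public function sign(string $uid, string $word, int $feUserUid): string
    {
        return $this->hmac($uid, $this->secretFor($word, $feUserUid));
    }

    /* Called before the update action: true only if the posted hmac was issued for this uid and this user. */
    public function verify(?string $uid, ?string $postedHmac, string $word, int $feUserUid): bool
    {
        if ($uid === null || $uid === '' || $postedHmac === null || $postedHmac === '') {
            return false; /* hidden field removed or emptied, or no identity posted */
        }
        $expected = $this->hmac($uid, $this->secretFor($word, $feUserUid));
        return hash_equals($expected, $postedHmac); /* constant-time compare */
    }
}

/* Constructed demo: the edit form for uid 5 is rendered for frontend user 42, then three update requests arrive. */
$signer = new IdentitySigner('constructed-demo-encryption-key');
$word = 'yourWord';
$feUserUid = 42;
$hiddenHmac = $signer->sign('5', $word, $feUserUid); /* what editAction assigns to the view */

$requests = [
    'honest'     => ['object' => ['__identity' => '5'], 'hmac' => $hiddenHmac],
    'tampered'   => ['object' => ['__identity' => '8'], 'hmac' => $hiddenHmac], /* uid changed in the inspector */
    'stripped'   => ['object' => ['__identity' => '5']],                          /* hidden hmac field deleted */
];

foreach ($requests as $label => $args) {
    $ok = $signer->verify($args['object']['__identity'] ?? null, $args['hmac'] ?? null, $word, $feUserUid);
    printf("%-10s -> %s\n", $label, $ok ? 'update allowed' : 'redirect, no update');
}

/* A token issued to user 42 does not verify for another user (43), even with the correct uid. */
$replayed = $signer->verify('5', $hiddenHmac, $word, 43);
printf("%-10s -> %s\n", 'other user', $replayed ? 'update allowed' : 'redirect, no update');
```

Expected output: `honest` is allowed, `tampered`, `stripped` and `other user` all lead to the redirect. Note what the check does and does not prove: a valid token shows that the posted uid was issued by the site's own edit action for that user, not that the user is entitled to edit the record; the edit action itself still has to enforce ownership or access rules before it ever hands out a token for a uid.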
