Security issues, bugfix for relative resource reference, documentation

Author: mwitte

Classes/TechDivision/DocViewer/AccessManager.php

@@ -18,13 +18,20 @@ class AccessManager extends AbstractModuleController
 	 */
 	protected $packagesConfiguration;
 
+	/**
+	 * @Flow\Inject
+	 * @var \TYPO3\Flow\Package\PackageManagerInterface
+	 */
+	protected $packageManager;
+
 	/**
 	 * Determines if given package key should be accessable
 	 *
 	 * @param string $packageKey
 	 * @return bool
 	 */
 	public function isPackageAccessable($packageKey) {
-		return !in_array($packageKey, $this->packagesConfiguration['hide']);
+		return $this->packageManager->isPackageActive($packageKey) && !in_array($packageKey, $this->packagesConfiguration['hide']);
 	}
+
 }

Classes/TechDivision/DocViewer/Controller/ModuleController.php

@@ -9,6 +9,7 @@
 use TechDivision\DocViewer\File\Parser;
 use TechDivision\DocViewer\File\Tree;
 
+use TechDivision\DocViewer\Util;
 use TYPO3\Flow\Annotations as Flow;
 use TYPO3\Neos\Controller\Module\AbstractModuleController;
 
@@ -38,11 +39,23 @@ class ModuleController extends AbstractModuleController
 	 */
 	protected $accessManager;
 
-    /**
-     * @return void
-     */
-    public function indexAction()
-    {
+	/**
+	 * Routes to list or show action depending on configuration
+	 * @return void
+	 */
+	public function indexAction() {
+		if(isset($this->packagesConfiguration['entryPackage']) && $this->accessManager->isPackageAccessable($this->packagesConfiguration['entryPackage'])) {
+			$this->forward('show', null, null, array('package' => $this->packagesConfiguration['entryPackage']));
+		} else {
+			$this->forward('list');
+		}
+	}
+
+	/**
+	 * Lists packages with documentation depending on configuration
+	 * @return void
+	 */
+	public function listAction() {
 
 		$packageGroups = array();
 
@@ -63,7 +76,7 @@ public function indexAction()
 				continue;
 			}
 
-			$tree = new Tree($packageGroup, $package->getPackageKey(), $this->controllerContext->getRequest()->getHttpRequest()->getBaseUri());
+			$tree = new Tree($package, $this->controllerContext->getRequest()->getHttpRequest()->getBaseUri());
 
 			if(!$tree->isDirectoryWithContent()) {
 				continue;
@@ -74,37 +87,31 @@ public function indexAction()
 				'version' => $package->getInstalledVersion(),
 				'name' => $package->getComposerManifest('name'),
 				'type' => $package->getComposerManifest('type'),
-				'description' => $package->getPackageMetaData()->getDescription(),
-				'metaData' => $package->getPackageMetaData(),
-				'isActive' => $this->packageManager->isPackageActive($package->getPackageKey()),
-				'isFrozen' => $this->packageManager->isPackageFrozen($package->getPackageKey()),
-				'isProtected' => $package->isProtected(),
-				'hasDoc' => $tree->isDirectoryWithContent()
+				'description' => $package->getPackageMetaData()->getDescription()
 			);
 
 		}
 
 		$this->view->assign('packageGroups', $packageGroups);
-
 	}
 
 	/**
-	 * @param string $packageKey
-	 * @param string $packageType
+	 * Shows documentation of given package
+	 * @param string $package
 	 * @param string $filePath
+	 * @throws PackageNotAccessableException
+	 * @return void
 	 */
-	public function showAction($packageKey, $packageType, $filePath = null) {
-
+	public function showAction($package, $filePath = null) {
 		$baseUri = $this->controllerContext->getRequest()->getHttpRequest()->getBaseUri();
 
-		if (!$this->accessManager->isPackageAccessable($packageKey)) {
-			throw new PackageNotAccessableException("You are not allowed to access the package " . $packageKey);
+		if (!$this->accessManager->isPackageAccessable($package)) {
+			throw new PackageNotAccessableException("You are not allowed to access the package " . $package);
 		}
+		$package = $this->packageManager->getPackage($package);
+		$this->view->assign('packageKey', $package->getPackageKey());
 
-		$this->view->assign('packageKey', $packageKey);
-		$this->view->assign('packageType', $packageType);
-
-		$tree = new Tree($packageType, $packageKey, $baseUri);
+		$tree = new Tree($package, $baseUri);
 
 		if(!$tree->isDirectoryWithContent()) {
 			$this->addFlashMessage('No documention could be found');

Classes/TechDivision/DocViewer/Controller/ResourceController.php

@@ -25,22 +25,28 @@ class ResourceController extends \TYPO3\Flow\Mvc\Controller\ActionController
 	protected $accessManager;
 
 	/**
-	 * @param string $packageType
-	 * @param string $packageKey
+	 * @Flow\Inject
+	 * @var \TYPO3\Flow\Package\PackageManagerInterface
+	 */
+	protected $packageManager;
+
+	/**
+	 * @param string $package
 	 * @param string $filePath
 	 * @return mixed
 	 */
-	public function rawAction($packageType, $packageKey, $filePath) {
+	public function rawAction($package, $filePath) {
 
-		if (!$this->accessManager->isPackageAccessable($packageKey)) {
-			throw new PackageNotAccessableException("You are not allowed to access the package " . $packageKey);
+		if (!$this->accessManager->isPackageAccessable($package)) {
+			throw new PackageNotAccessableException("You are not allowed to access the package " . $package);
 		}
 
-		$docDir = Util::getDocumentPath($packageType, $packageKey);
+		$docDir = Util::getDocumentPath($this->packageManager->getPackage($package));
 		$filePath = realpath($docDir . DIRECTORY_SEPARATOR . Parser::urlDecodeFilePath($filePath));
 
+		// take care given file path is sub path of the doc dir of the package
 		if(strpos($filePath, $docDir) === false) {
-			throw new FileNotInsideDocumentationException("You are not allowed to acces files outside the documentation folder");
+			throw new FileNotInsideDocumentationException("You are not allowed to access files outside the documentation folder");
 		}
 
 		$contentType = finfo_file(finfo_open(FILEINFO_MIME_TYPE), $filePath);

Classes/TechDivision/DocViewer/File/Node.php

@@ -16,15 +16,11 @@ class Node {
 	 */
 	protected $name;
 
-	/**
-	 * @var string
-	 */
-	protected $packageType;
 
 	/**
-	 * @var string
+	 * @var \TYPO3\Flow\Package\PackageInterface $package
 	 */
-	protected $packageKey;
+	protected $package;
 
 	/**
 	 * @var boolean
@@ -63,21 +59,21 @@ class Node {
 
 	/**
 	 * Node constructor.
+	 * @param \TYPO3\Flow\Package\PackageInterface $package
 	 * @param $path
 	 */
-	public function __construct($packageType, $packageKey, $path)
+	public function __construct(\TYPO3\Flow\Package\PackageInterface $package, $path)
 	{
-		$this->packageType = $packageType;
-		$this->packageKey = $packageKey;
-		$this->path = $path;
+		$this->package = $package;
+		$this->path = trim(str_replace(Util::getDocumentPath($package), '', $path), "/");
 		$this->name = basename($path);
 		$this->isDir = is_dir($path);
 		$this->absolutePath = realpath($path);
 
 		if(!$this->absolutePath) {
 			return null;
 		}
-		if(strpos($this->absolutePath, Util::getDocumentPath($packageType, $packageKey)) === false) {
+		if(strpos($this->absolutePath, Util::getDocumentPath($package)) === false) {
 			throw new FileNotInsideDocumentationException("You are not allowed to acces files outside the documentation folder");
 		}
 
@@ -110,14 +106,6 @@ public function getPath()
 		return $this->path;
 	}
 
-	/**
-	 * @param string $path
-	 */
-	public function setPath($path)
-	{
-		$this->path = $path;
-	}
-
 	/**
 	 * @return string
 	 */
@@ -182,36 +170,12 @@ public function setIsParseable($isParseable)
 		$this->isParseable = $isParseable;
 	}
 
-	/**
-	 * @return string
-	 */
-	public function getPackageType()
-	{
-		return $this->packageType;
-	}
-
-	/**
-	 * @param string $packageType
-	 */
-	public function setPackageType($packageType)
-	{
-		$this->packageType = $packageType;
-	}
-
 	/**
 	 * @return string
 	 */
 	public function getPackageKey()
 	{
-		return $this->packageKey;
-	}
-
-	/**
-	 * @param string $packageKey
-	 */
-	public function setPackageKey($packageKey)
-	{
-		$this->packageKey = $packageKey;
+		return $this->package->getPackageKey();
 	}
 
 }

Classes/TechDivision/DocViewer/File/Parser.php

@@ -70,9 +70,17 @@ public static function urlDecodeFilePath($path) {
 	 */
 	public static function buildResourceUrl($node, $path = null, $baseUri = '') {
 		if(!$path) {
+			// if no path given the node is the resource url itself
 			$path = $node->getPath();
+		} else {
+			// build paths for relative resources
+			$sourcePathElements = explode("/", $node->getPath());
+			array_pop($sourcePathElements);
+			array_push($sourcePathElements, $path);
+			$path = join("/", $sourcePathElements);
 		}
-		return $baseUri . 'techdivision-docviewer/' . $node->getPackageType() . "/" . $node->getPackageKey() . "/" . self::urlEncodeFilePath($path);
+
+		return $baseUri . 'techdivision-docviewer/' . $node->getPackageKey() . "/" . self::urlEncodeFilePath($path);
 	}
 
 	/**
@@ -107,7 +115,7 @@ function ($matches) use ($node) {
 				$href = $matches[1];
 				if(strpos($href, 'http') !== 0) {
 					$href = trim($href, "./");
-					$href = 'show?moduleArguments%5BpackageKey%5D=' . $node->getPackageKey() . '&moduleArguments%5BpackageType%5D=' . $node->getPackageType() . '&moduleArguments%5BfilePath%5D=' . $href;
+					$href = 'show?moduleArguments%5Bpackage%5D=' . $node->getPackageKey() . '&moduleArguments%5BfilePath%5D=' . $href;
 				}
 				return 'href="' . $href . '"';
 			},

Classes/TechDivision/DocViewer/File/Tree.php

@@ -27,10 +27,15 @@ class Tree {
 	 */
 	protected $parser;
 
-	public function __construct($packageType, $packageKey, $baseUri)
+	/**
+	 * Tree constructor.
+	 * @param \TYPO3\Flow\Package\PackageInterface $package
+	 * @param $baseUri
+	 */
+	public function __construct(\TYPO3\Flow\Package\PackageInterface $package, $baseUri)
 	{
 		$this->parser = new Parser($baseUri);
-		$this->rootNode = $this->buildFsNode($packageType, $packageKey);
+		$this->rootNode = $this->buildFsNode($package);
 	}
 
 	/**
@@ -95,23 +100,21 @@ public function isDirectoryWithContent() {
 
 	/**
 	 * Builds up given folder path as composite
-	 * @param string $packageType
-	 * @param string $packageKey
+	 * @param \TYPO3\Flow\Package\PackageInterface $package
 	 * @param string $path
 	 * @return null|Node
 	 */
-	protected function buildFsNode($packageType, $packageKey, $path = null) {
+	protected function buildFsNode(\TYPO3\Flow\Package\PackageInterface $package, $path = null) {
 
 		if(!$path) {
-			$path = Util::getDocumentPath($packageType, $packageKey);
+			$path = Util::getDocumentPath($package);
 		}
 
 		if(!file_exists($path)) {
 			return null;
 		}
 
-		$node = new Node($packageType, $packageKey, $path);
-		$node->setPath(trim(str_replace(Util::getDocumentPath($packageType, $packageKey), '', $path), "/"));
+		$node = new Node($package, $path);
 		if($node->isIsDir()) {
 
 			$content = array();
@@ -121,7 +124,7 @@ protected function buildFsNode($packageType, $packageKey, $path = null) {
 				if($element == '.' || $element == '..') {
 					continue;
 				}
-				$content[] = $this->buildFsNode($packageType, $packageKey, $path . DIRECTORY_SEPARATOR . $element);
+				$content[] = $this->buildFsNode($package, $path . DIRECTORY_SEPARATOR . $element);
 			}
 			$node->setContent($content);
 		} else {

Classes/TechDivision/DocViewer/Util.php

@@ -9,15 +9,20 @@
 class Util {
 
 
+	/**
+	 * Directory of the documentation
+	 * @var string
+	 */
+	protected static $docDir = 'Documentation';
+
 	/**
 	 * Get the documentation path
 	 *
-	 * @param string $packageType
-	 * @param string $packageKey
+	 * @param \TYPO3\Flow\Package\PackageInterface $package
 	 * @return string
 	 */
-	public static function getDocumentPath($packageType, $packageKey) {
-		$path = FLOW_PATH_PACKAGES . $packageType . DIRECTORY_SEPARATOR . $packageKey . '/Documentation';
+	public static function getDocumentPath($package) {
+		$path = $package->getPackagePath() . self::$docDir;
 		if(!file_exists($path)) {
 			return null;
 		}

Classes/TechDivision/DocViewer/ViewHelpers/ResourceUrlViewHelper.php

@@ -7,18 +7,23 @@
 use TYPO3\Fluid\Core\ViewHelper\AbstractViewHelper;
 
 /**
- * Renders a resource url by given packageType, packageKey and filePath
+ * Renders a resource url by given packageKey and filePath
  */
 class ResourceUrlViewHelper extends AbstractViewHelper
 {
 	/**
-	 * @param $packageType
-	 * @param $packageKey
-	 * @param $filePath
+	 * @Flow\Inject
+	 * @var \TYPO3\Flow\Package\PackageManagerInterface
+	 */
+	protected $packageManager;
+
+	/**
+	 * @param string $package
+	 * @param string $filePath
 	 * @return string
 	 */
-    public function render($packageType, $packageKey, $filePath)
+    public function render($package, $filePath)
     {
-        return Parser::buildResourceUrl(new Node($packageType, $packageKey, $filePath), null, $this->controllerContext->getRequest()->getHttpRequest()->getBaseUri());
+        return Parser::buildResourceUrl(new Node($this->packageManager->getPackage($package), $filePath), null, $this->controllerContext->getRequest()->getHttpRequest()->getBaseUri());
     }
 }

Configuration/Routes.yaml

@@ -1,7 +1,7 @@
 
 -
   name:  'Fileprovider'
-  uriPattern: 'techdivision-docviewer/{packageType}/{packageKey}/{filePath}'
+  uriPattern: 'techdivision-docviewer/{package}/{filePath}'
   defaults:
     '@package':    'TechDivision.DocViewer'
     '@controller': 'Resource'