
wt_doorman

Author: Kasper Skårhøj
Created: 2002-11-01T00:32:00
Changed: 2010-03-28T20:20:21
Author: Alex Kellner
Email: Alexander.Kellner@einpraegsam.net

wt_doorman

Extension Key: wt_doorman

img-1

Copyright 2005-2009, Alex Kellner, <Alexander.Kellner@einpraegsam.net>

This document is published under the Open Content License available from http://www.opencontent.org/opl.shtml

The content of this document is related to TYPO3 - a GNU/GPL CMS/Framework available from www.typo3.com

Table of Contents

wt_doorman
  wt_doorman introduction
    What does it do?
    What is the process?
    Who can use wt_doorman?
    Screenshots
  How to use
    Step by step
    Using wt_doorman to filter all params of TYPO3
    Integration examples in your extension
      Don't do it in this way 1
      Don't do it in this way 2
      Using wt_doorman to clean piVars
      Available variants for doorman array secParams
      Some more examples
    Configuration in extension manager
      All available configurations in extension manager
      Example for global filtering of piVars
      Screenshot of “debug mode”
  FAQ
    When should I use this class
    Why should I use this class in my extension
  Todos
  Changelog
  Additional links

wt_doorman introduction

What does it do?

You can secure the whole TYPO3 installation by filtering GET and POST params.

Developers can include the class to filter the values their extension processes.

What is the process?

Doorman is a small PHP class which provides an easy way to clean piVars against bad behaviour like XSS (Cross Site Scripting), SQL injection, etc.

Just include class.tx_wtdoorman_security.php and send your piVars to this class. You'll get a filtered variant of your piVars back.

You can set what a GET or POST param should contain (integer, alphanum, text or a defined value).

See below for integration example.

NOTE: wt_doorman uses a newer removeXSS class than the one shipped with the current TYPO3 4.2

Who can use wt_doorman?

  • Admins can secure the whole TYPO3 installation against bad input from GET or POST vars
  • Developers can secure their extension by filtering piVars

Screenshots

Normally, you won't see any output, because this extension only works in the background and cleans piVars, but if you enable the debug mode:

img-2

ATTENTION: Debug mode is only for testing – it could cause XSS security problems!

How to use

Step by step:

  • Import wt_doorman from TER
  • Set some values in the extension manager (see example below) which should be allowed for the whole TYPO3 installation, OR include this class in your extension (see example below)
  • Check with the debug output that everything works as expected (don't forget to disable the debug output again!)
  • Send and receive your piVars array
  • That's all

Using wt_doorman to filter all params of TYPO3

See the settings in the Extension manager below to filter all params of your TYPO3!

Integration examples in your extension

Don't do it in this way 1

// This is the worst case for XSS
// ...
$content .= $this->piVars['uid'];
return $this->pi_wrapInBaseClass($content);

Don't do it in this way 2

// This is the worst case for SQL injection
// ...
$res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
    '*',
    'tx_yourtable',
    'uid = ' . $this->piVars['uid'],
    '',
    ''
);

Using wt_doorman to clean piVars

// load security class (only if the extension is installed)
if (t3lib_extMgm::isLoaded('wt_doorman', 0)) {
    require_once(t3lib_extMgm::extPath('wt_doorman') . 'class.tx_wtdoorman_security.php');
}

class tx_yourextension_pi1 extends tslib_pibase {

    var $sec; // instance of the doorman security class

    function main($content, $conf) {
        if (class_exists('tx_wtdoorman_security')) {
            $this->sec = t3lib_div::makeInstance('tx_wtdoorman_security'); // Create new instance of security class
            $this->sec->secParams = array( // Allowed piVars type (int, text, alphanum, "value")
                'uid'     => 'int', // piVar uid should be an integer
                'pointer' => 'int', // piVar pointer should be an integer
                'filter'  => array(
                    'name'  => 'alphanum', // piVar filter|name should be alphanum
                    'email' => 'text'      // piVar filter|email should be text
                )
            );
            $this->piVars = $this->sec->sec($this->piVars); // overwrite piVars with the cleaned piVars from the doorman class
        } else {
            $this->piVars = array(); // clear piVars if doorman is not available
        }

        $content .= $this->piVars['uid']; // can only be an integer – no more XSS problem
        return $this->pi_wrapInBaseClass($content);
    }

}
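The two "Don't do it in this way" snippets and the cleaned version above belong together: the following is an added example (not code from the wt_doorman manual or the extension) that rewrites the SQL injection case so the uid in the WHERE clause can only ever be an integer, and escapes the output for the XSS case as well. It assumes the same TYPO3 4.x plugin context as the manual's example (tslib_pibase, $GLOBALS['TYPO3_DB'], a table named tx_yourtable) and that this table has a title column; those names are assumptions, not part of wt_doorman.

```php
// Added example, not part of wt_doorman: hardened form of "Don't do it in this way 1 + 2".
if (t3lib_extMgm::isLoaded('wt_doorman', 0)) {
    require_once(t3lib_extMgm::extPath('wt_doorman') . 'class.tx_wtdoorman_security.php');
}

class tx_yourextension_pi1 extends tslib_pibase {

    var $sec; // tx_wtdoorman_security instance, if the extension is installed

    function main($content, $conf) {
        $content = '';

        if (class_exists('tx_wtdoorman_security')) {
            $this->sec = t3lib_div::makeInstance('tx_wtdoorman_security');
            $this->sec->secParams = array(
                'uid'  => 'int',                 // used in the WHERE clause below
                'show' => '"list","detailview"', // only these two values survive
            );
            $this->piVars = $this->sec->sec($this->piVars);
        } else {
            $this->piVars = array(); // no filter available: trust nothing from the request
        }

        // Cast again at the point of use: even with doorman in place the query
        // must never be built from a raw string.
        $uid = isset($this->piVars['uid']) ? intval($this->piVars['uid']) : 0;

        if ($uid > 0) {
            $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
                '*',
                'tx_yourtable', // assumed table name (from the manual's example)
                'uid = ' . $uid . $this->cObj->enableFields('tx_yourtable')
            );
            while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
                // Escape on output as well: the value comes from the database, not from doorman.
                $content .= htmlspecialchars($row['title']); // 'title' column is assumed
            }
            $GLOBALS['TYPO3_DB']->sql_free_result($res);
        }

        return $this->pi_wrapInBaseClass($content);
    }

}
```

Doorman filters the request; it does not know where the value ends up. Casting with intval() right before the query and escaping with htmlspecialchars() right before output keeps each sink safe on its own, so the code stays correct even if the secParams definition is changed later.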

Available variants for doorman array secParams

Data type        | Description                                                                                                           | Example
int              | Changes the value to an integer                                                                                       | 'uid' => 'int',
addslashes       | Escapes double and single quotes with a backslash                                                                     | 'name' => 'addslashes',
text             | Uses addslashes and removeXSS (can be used for both echo and db entries)                                              | 'name' => 'text',
alphanum         | Deletes all characters that are not allowed (only allowed: A-Z, 0-9 and space)                                        | 'description' => 'alphanum',
alphanum ++ sign | Like alphanum but extended with your own characters ('alphanum ++ /' allows the slash) (note: some characters have to be escaped) | 'description' => 'alphanum ++ /',
"value"          | If this piVar is set, it must be one of the defined values                                                            | 'show' => '"single","none"',
htmlentities     | Converts special characters like ' or " or < to HTML entities                                                         | 'description' => 'htmlentities',
removeXSS        | Runs removeXSS on the value                                                                                           | 'comment' => 'removeXSS'
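To see what the rules in the table do to a real request, here is an added, self-contained illustration; it is not the wt_doorman class and its behaviour is only modelled on the table's descriptions (the extension's removeXSS is replaced by strip_tags(), and a value that fails a "value" list is dropped, which is an assumption). The request array is constructed, the way $this->piVars looks after TYPO3 has parsed the GET string. It covers nesting and the "*" wildcard as well, which the table only mentions.

```php
<?php
// Added illustration of the secParams rules; not the extension's own code.

function doorman_filter($value, $rule) {
    if (is_array($rule)) {
        // Nested definition: only keys named in the rule survive.
        // A '*' entry overrides every other rule on this level (as the manual notes).
        if (!is_array($value)) return array();
        $out = array();
        foreach ($value as $key => $sub) {
            if (isset($rule['*'])) {
                $subRule = $rule['*'];
            } elseif (isset($rule[$key])) {
                $subRule = $rule[$key];
            } else {
                continue; // no rule for this key: drop it
            }
            $clean = doorman_filter($sub, $subRule);
            if ($clean !== null) $out[$key] = $clean;
        }
        return $out;
    }
    if (is_array($value)) return null; // array where a scalar is expected

    switch (true) {
        case $rule === 'int':
            return intval($value);
        case $rule === 'addslashes':
            return addslashes($value);
        case $rule === 'htmlentities':
            return htmlentities($value, ENT_QUOTES, 'UTF-8');
        case $rule === 'removeXSS':
            return strip_tags($value);             // stand-in for the extension's removeXSS
        case $rule === 'text':
            return addslashes(strip_tags($value)); // "addslashes and removeXSS"
        case $rule === 'alphanum':
            return preg_replace('/[^A-Za-z0-9 ]/', '', $value);
        case strpos($rule, 'alphanum ++') === 0:
            // extra allowed characters follow "alphanum ++"; quote them for the regex
            $extra = preg_quote(trim(substr($rule, strlen('alphanum ++'))), '/');
            return preg_replace('/[^A-Za-z0-9 ' . $extra . ']/', '', $value);
        case $rule[0] === '"':
            // "value" list: keep the value only if it is one of the quoted alternatives
            $allowed = array_map(function ($v) { return trim(trim($v), '"'); }, explode(',', $rule));
            return in_array($value, $allowed, true) ? $value : null;
    }
    return null; // unknown rule: drop the value
}

$secParams = array(
    'uid'    => 'int',
    'show'   => '"single","none"',
    'path'   => 'alphanum ++ /',
    'filter' => array('*' => 'alphanum'),
);

// constructed request (assumed input, not taken from the manual)
$piVars = array(
    'uid'     => '12abc',
    'show'    => '<script>alert(1)</script>',
    'path'    => 'docs/intro.html',
    'filter'  => array('name' => 'Al<b>ex</b>', 'city' => 'Köln'),
    'unknown' => 'dropped',
);

print_r(doorman_filter($piVars, $secParams));
```

Running this yields uid => 12, show removed (not in the list), path => docs/introhtml (the dot is not in the allowed set), filter => name Albexb and city Kln (tags and the umlaut are stripped, matching the manual's "no umlauts currently"), and unknown is gone. The last two results are the ones worth remembering: alphanum is lossy, so it is a fit for identifiers and search words, not for free text, and a wildcard silently drops nothing but reshapes everything.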

Some more examples

Example piVar                                                                                          | Description                                                                                                                       | Example code
tx_extension_pi1[uid]=3                                                                                | This should always be an integer                                                                                                  | $this->sec->secParams = array('uid' => 'int');
tx_extension_pi1[name]=Alex                                                                            | This should be alphanum (no umlauts currently)                                                                                    | $this->sec->secParams = array('name' => 'alphanum');
tx_extension_pi1[description]=I%20love%20it                                                            | Maybe a mailform description field – should be text (but cleaned)                                                                 | $this->sec->secParams = array('description' => 'text');
tx_extension_pi1[show]=detailview                                                                      | If the piVar show is set, it has to be "detailview"                                                                               | $this->sec->secParams = array('show' => '"detailview"');
tx_extension_pi1[show]=none                                                                            | If the piVar show is set, it may only be "none" or "detailview"                                                                   | $this->sec->secParams = array('show' => '"detailview","none"');
tx_extension_pi1[filter][name]=Alex                                                                    | Clean the second level with alphanum                                                                                              | $this->sec->secParams = array('filter' => array('name' => 'alphanum'));
tx_extension_pi1[field111]=Alex, tx_extension_pi1[field122]=Kellner, tx_extension_pi1[field131]=blabla | All fields should be filtered, but you don't want to set every field manually – use a wildcard. NOTE: * overrides all other settings of the same level | $this->sec->secParams = array('*' => 'alphanum');
tx_extension_pi1[filter][field111]=Alex, tx_extension_pi1[filter][field122]=Kellner, tx_extension_pi1[filter][field131]=blabla | All fields should be filtered, but you don't want to set every field manually – use a wildcard. NOTE: * overrides all other settings of the same level | $this->sec->secParams = array('filter' => array('*' => 'alphanum'));

Configuration in extension manager

All available configurations in extension manager

Name                | Description                                                                                                                                                   | Default                                  | Data type
varsDefinition      | Global check - Vars definition: Define which variables should be checked (see manual for details and possibilities - only for admins)                          | L=int, tx_indexedsearch|sword=alphanum   | text
clearNotDefinedVars | Global check - clear Vars: Clear all variables in TYPO3 that are not defined (could cause problems - only for admins)                                          | 0                                        | boolean
pidInRootline       | Global check - pidInRootline: Define a PID in which the global check should work (0 lets the global check work everywhere, -1 disables the global check)      | -1                                       | text
debug               | If you want debug output from the security class: if piVars were set, a before and after view is shown. ATTENTION: This is only for testing and could cause XSS security problems if activated | 0                    | boolean

Example for global filtering of piVars

The first three rows of the extension manager settings can be used to protect the whole TYPO3 installation.

Example

If you want the value &tx_ttnews[tt_news] to be an integer, you can use these settings (e.g.):

varsDefinition = L=int,tx_ttnews|tt_news=int
clearNotDefinedVars = 1
pidInRootline = 0

Explanation

  • The GET param L should be an integer, and the tt_news uid should be an integer
  • All other vars will be deleted (ATTENTION: if you forget a param, some forms or extensions may no longer work)
  • Set the pid in which this should work (0 for all pages)
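The varsDefinition string and the secParams array from the integration example describe the same thing in two notations. The following added example (not part of wt_doorman) converts the string form into the nested array form; it assumes, from the examples in this manual, that "," separates entries and "|" separates nesting levels, and that the extension interprets the string the same way.

```php
<?php
// Added example, not part of wt_doorman: turn "L=int,tx_ttnews|tt_news=int" into
// array('L' => 'int', 'tx_ttnews' => array('tt_news' => 'int')).

function parse_vars_definition($definition) {
    $params = array();
    foreach (explode(',', $definition) as $entry) {
        $entry = trim($entry);
        if ($entry === '' || strpos($entry, '=') === false) {
            continue; // ignore empty or malformed entries instead of guessing
        }
        list($path, $type) = explode('=', $entry, 2);

        // walk (and create) the nested levels named by "a|b|c", then store the type at the leaf
        $node =& $params;
        foreach (explode('|', trim($path)) as $key) {
            $key = trim($key);
            if (!isset($node[$key]) || !is_array($node[$key])) {
                $node[$key] = array();
            }
            $node =& $node[$key];
        }
        $node = trim($type);
        unset($node); // break the reference before the next entry
    }
    return $params;
}

// the manual's own example definitions, joined into one string
print_r(parse_vars_definition('L=int,tx_ttnews|tt_news=int,tx_indexedsearch|sword=alphanum'));
```

One caveat of this string format is visible in the parser: the "value" type ('"detailview","none"') itself contains commas, so a plain comma split cannot express a list of allowed values; check with the debug mode that such a definition is interpreted as you expect before enabling clearNotDefinedVars on a live site.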

Screenshot of “debug mode”

img-2

FAQ

When should I use this class

  • If you are an admin and want to stop bad input from outside
  • If you are a developer and want to have cleaned piVars

Why should I use this class in my extension

  • I will extend this class as often as possible
  • You can save some code
  • You can be sure against bad behaviour (from piVar hacks)
  • wt_doorman uses a newer removeXSS class than the one offered in TYPO3 4.2

Todos

  • Maybe extend this class for piVars on the third level
  • Add umlauts to alphanum
  • Did I forget something important?

Do you need a new feature? Maybe we can help you, so just write us!

Changelog


wt_doorman version 1.3.x stable

Update on 28.03.2010 version 1.3.0
  • Text uses addslashes and removeXSS now (can be used for both: echo and db entries)
  • Use own removeXSS method on older T3 installations
  • New method added: addslashes()

wt_doorman version 1.2.x stable

Update on 01.01.2010 version 1.2.0
  • Using removeXSS for text method
  • Adding new method: removeXSS

wt_doorman version 1.1.x stable

Update on 13.04.2009 version 1.1.2
  • Using wildcard in first level possible

Update on 09.03.2009 version 1.1.1
  • Bugfix if you want to disable removeXSS function

Update on 24.02.2009 version 1.1.0
  • wt_doorman can be used to save the whole TYPO3 installation now!
  • New method added: “htmlentities”

wt_doorman version 1.0.x stable

Update on 08.11.2008 version 1.0.0
  • Improvement of “special value method” (define more than only one value)

wt_doorman version 0.2.x beta

Update on 03.11.2008 version 0.2.2
  • Improvement for removeXSS class

Update on 19.10.2008 version 0.2.1
  • New feature: alphanum can be extended with own signs

Update on 22.09.2008 version 0.2.0
  • New feature: Wildcard * added, if all piVars (no matter what name) should be changed
  • New feature: Debug mode, to see before and after view of your piVars

wt_doorman version 0.1.x beta

Initial Release to TER on 22.09.2008 version 0.1.0

wt_doorman available in TER