.. You may want to use the usual include line. Uncomment and adjust the path.

.. include:: ../Includes.txt

===========
wt\_doorman
===========

:Author: Kasper Skårhøj
:Created: 2002-11-01T00:32:00
:Changed: 2010-03-28T20:20:21
:Author: Alex Kellner
:Email: Alexander.Kellner@einpraegsam.net
:Info 3:
:Info 4:

.. _wt-doorman:

wt\_doorman
===========

Extension Key: **wt\_doorman**

|img-1|

Copyright 2005-2009, Alex Kellner

This document is published under the Open Content License available from
http://www.opencontent.org/opl.shtml

The content of this document is related to TYPO3, a GNU/GPL CMS/Framework
available from www.typo3.com

.. _Table-of-Contents:

Table of Contents
-----------------

- wt\_doorman
- wt\_doorman introduction

  - What does it do?
  - What is the process?
  - Who can use wt\_doorman?

- Screenshots
- How to use

  - Step by step

- Using wt\_doorman to filter all params of TYPO3
- Integration examples in your extension

  - Don't do it in this way 1
  - Don't do it in this way 2
  - Using wt\_doorman to clean piVars

- Available variants for doorman array secParams
- Some more examples
- Configuration in extension manager

  - All available configurations in extension manager
  - Example for global filtering of piVars
  - Screenshot of "debug mode"

- FAQ

  - When should I use this class
  - Why should I use this class in my extension

- Todos
- Changelog
- Additional links

.. _wt-doorman-introduction:

wt\_doorman introduction
------------------------

.. _What-does-it-do:

What does it do?
^^^^^^^^^^^^^^^^

wt\_doorman lets you secure a whole TYPO3 installation by filtering GET and
POST parameters, and developers can include its class to filter the values
their own extension processes.

.. _What-is-the-process:

What is the process?
^^^^^^^^^^^^^^^^^^^^

Doorman is a small PHP class that provides an easy way to clean piVars
against malicious input such as XSS (Cross Site Scripting) and SQL injection
attempts.
Just include ``class.tx_wtdoorman_security.php`` and hand your piVars to
this class; you get back a filtered variant of your piVars. For every GET
or POST parameter you define what it may contain (integer, alphanum, text
or one of a list of defined values). See the integration example below.

NOTE: wt\_doorman uses a newer removeXSS class than the one shipped with
the current TYPO3 4.2.

.. _Who-can-use-wt-doorman:

Who can use wt\_doorman?
^^^^^^^^^^^^^^^^^^^^^^^^

- Admins can secure the whole TYPO3 installation against bad code in GET or
  POST vars
- Developers can secure their extension by filtering its piVars

.. _Screenshots:

Screenshots
-----------

Normally you won't see any output, because this extension only works in the
background and cleans piVars. If you enable the debug mode, however, you get
a before/after view of the piVars:

|img-2|

**ATTENTION:** Debug mode is only for testing. It shows the unfiltered
"before" values in the page output and can therefore itself cause XSS
problems.

.. _How-to-use:

How to use
----------

.. _Step-by-step:

Step by step:
^^^^^^^^^^^^^

- Import wt\_doorman from TER
- Either set the values that should be allowed for the whole TYPO3
  installation in the extension manager (see the example below), or include
  the class in your extension (see the example below)
- Check with the debug output that everything works as expected (don't
  forget to disable the debug output again!)
- Send and receive your piVars array
- That's all

.. _Using-wt-doorman-to-filter-all-params-of-TYPO3:

Using wt\_doorman to filter all params of TYPO3
-----------------------------------------------

See the settings in the extension manager below to filter all params of
your TYPO3 installation.

.. _Integration-examples-in-your-extension:

Integration examples in your extension
--------------------------------------

.. _Don-t-do-it-in-this-way-1:

Don't do it in this way 1
^^^^^^^^^^^^^^^^^^^^^^^^^

The piVar is written straight into the output::

   // This is the worst case for XSS
   // ...
   $content .= $this->piVars['uid'];
   return $this->pi_wrapInBaseClass($content);

.. _Don-t-do-it-in-this-way-2:

Don't do it in this way 2
^^^^^^^^^^^^^^^^^^^^^^^^^

The piVar is concatenated unquoted and unchecked into the WHERE clause::

   // This is the worst case for SQL injection
   // ...
   $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
      '*',
      'tx_yourtable',
      'uid = ' . $this->piVars['uid'],
      '',
      ''
   );

.. _Using-wt-doorman-to-clean-piVars:

Using wt\_doorman to clean piVars
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Load the security class if wt\_doorman is installed, describe the expected
type of every piVar in ``secParams``, and overwrite ``$this->piVars`` with
the filtered result. If the class is not available, the piVars are cleared
rather than used unfiltered::

   // load security class
   if (t3lib_extMgm::isLoaded('wt_doorman', 0)) {
      require_once(t3lib_extMgm::extPath('wt_doorman') . 'class.tx_wtdoorman_security.php');
   }

   class tx_yourextension_pi1 extends tslib_pibase {

      function main($content, $conf) {
         if (class_exists('tx_wtdoorman_security')) {
            // Create new instance of the security class
            $this->sec = t3lib_div::makeInstance('tx_wtdoorman_security');
            // Allowed piVar types (int, text, alphanum, "value")
            $this->sec->secParams = array(
               'uid' => 'int',            // piVar uid should be an integer
               'pointer' => 'int',        // piVar pointer should be an integer
               'filter' => array(
                  'name' => 'alphanum',   // piVar filter|name should be alphanum
                  'email' => 'text'       // piVar filter|email should be text
               )
            );
            // overwrite piVars with the filtered piVars from the doorman class
            $this->piVars = $this->sec->sec($this->piVars);
         } else {
            // clear piVars if doorman is not available
            $this->piVars = array();
         }

         $content .= $this->piVars['uid']; // can only be an integer now - no more XSS problem
         return $this->pi_wrapInBaseClass($content);
      }
   }

.. _Available-variants-for-doorman-array-secParams:

Available variants for doorman array secParams
----------------------------------------------

.. ### BEGIN~OF~TABLE ###

.. container:: table-row

   a
      **Data type**
   b
      **Description**
   c
      **Example**

.. container:: table-row

   a
      int
   b
      Casts the value to an integer
   c
      ``'uid' => 'int',``

.. container:: table-row

   a
      addslashes
   b
      Escapes double and single quotes with a backslash. This is not a
      substitute for proper database quoting (``fullQuoteStr()``); prefer
      ``int`` or a list of defined values where possible
   c
      ``'name' => 'addslashes',``

.. container:: table-row

   a
      text
   b
      Uses addslashes and removeXSS (can be used for echo and DB entries)
   c
      ``'name' => 'text',``
.. container:: table-row

   a
      alphanum
   b
      Deletes all characters that are not allowed (only allowed: A-Z, 0-9
      and space; no umlauts currently)
   c
      ``'description' => 'alphanum',``

.. container:: table-row

   a
      alphanum ++ sign
   b
      Like alphanum but extended with your own signs (``alphanum++\/``
      allows the slash). Note: some characters must be escaped with a
      backslash
   c
      ``'description' => 'alphanum ++ \/',``

.. container:: table-row

   a
      "value"
   b
      If this piVar is set, it may only be one of the defined values
   c
      ``'show' => '"single","none"',``

.. container:: table-row

   a
      htmlentities
   b
      Converts special characters such as ``'``, ``"`` or ``<`` to HTML
      entities
   c
      ``'description' => 'htmlentities',``

.. container:: table-row

   a
      removeXSS
   b
      Runs removeXSS over the value
   c
      ``'comment' => 'removeXSS'``

.. ###### END~OF~TABLE ######

.. _Some-more-examples:

Some more examples
------------------

.. ### BEGIN~OF~TABLE ###

.. container:: table-row

   a
      **Example piVar**
   b
      **Description**
   c
      **Example code**

.. container:: table-row

   a
      ``tx_extension_pi1[uid]=3``
   b
      This should always be an integer
   c
      ``$this->sec->secParams = array('uid' => 'int');``

.. container:: table-row

   a
      ``tx_extension_pi1[name]=Alex``
   b
      This should be alphanum (no umlauts currently)
   c
      ``$this->sec->secParams = array('name' => 'alphanum');``

.. container:: table-row

   a
      ``tx_extension_pi1[description]=I%20love%20it``
   b
      Maybe a mail form description field: should be text (but cleaned)
   c
      ``$this->sec->secParams = array('description' => 'text');``
.. container:: table-row

   a
      ``tx_extension_pi1[show]=detailview``
   b
      If the piVar show is set, it has to be "detailview"
   c
      ``$this->sec->secParams = array('show' => '"detailview"');``

.. container:: table-row

   a
      ``tx_extension_pi1[show]=none``
   b
      If the piVar show is set, it may only be "none" or "detailview"
   c
      ``$this->sec->secParams = array('show' => '"detailview","none"');``

.. container:: table-row

   a
      ``tx_extension_pi1[filter][name]=Alex``
   b
      Clean the second level with alphanum
   c
      ``$this->sec->secParams = array('filter' => array('name' => 'alphanum'));``

.. container:: table-row

   a
      ``tx_extension_pi1[field111]=Alex``

      ``tx_extension_pi1[field122]=Kellner``

      ``tx_extension_pi1[field131]=blabla``
   b
      All fields should be filtered, but you don't want to list every field
      manually: use a wildcard. NOTE: ``*`` overrides all other settings on
      the same level
   c
      ``$this->sec->secParams = array('*' => 'alphanum');``

.. container:: table-row

   a
      ``tx_extension_pi1[filter][field111]=Alex``

      ``tx_extension_pi1[filter][field122]=Kellner``

      ``tx_extension_pi1[filter][field131]=blabla``
   b
      The same with a wildcard on the second level. NOTE: ``*`` overrides
      all other settings on the same level
   c
      ``$this->sec->secParams = array('filter' => array('*' => 'alphanum'));``

.. ###### END~OF~TABLE ######

.. _Configuration-in-extension-manager:

Configuration in extension manager
----------------------------------
.. _All-available-configurations-in-extension-manager:

All available configurations in extension manager
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. ### BEGIN~OF~TABLE ###

.. container:: table-row

   a
      **Name**
   b
      **Description**
   c
      **Default**
   d
      **Data type**

.. container:: table-row

   a
      varsDefinition
   b
      Global check - vars definition: define which variables should be
      checked and how (see the manual for details and possibilities; only
      for admins). Definitions are separated by commas, ``|`` descends one
      array level
   c
      ``L=int, tx_indexedsearch|sword=alphanum``
   d
      text

.. container:: table-row

   a
      clearNotDefinedVars
   b
      Global check - clear vars: remove all variables that are not defined
      in ``varsDefinition`` (could cause problems; only for admins)
   c
      0
   d
      boolean

.. container:: table-row

   a
      pidInRootline
   b
      Global check - pidInRootline: define a PID below which the global
      check should work (0 lets the global check work everywhere, -1
      disables the global check)
   c
      -1
   d
      text

.. container:: table-row

   a
      debug
   b
      Debug output of the security class: if piVars were set, a before and
      after view is shown. **ATTENTION:** This is only for testing and
      could cause XSS security problems if activated
   c
      0
   d
      boolean

.. ###### END~OF~TABLE ######

.. _Example-for-global-filtering-of-piVars:

Example for global filtering of piVars
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The first three rows of the extension manager settings can be used to
protect the whole TYPO3 installation.

.. _Example:

Example
"""""""

If you want the value of ``&tx_ttnews[tt_news]`` to be an integer, you can
use these settings (e.g.)::

   varsDefinition      = L=int,tx_ttnews|tt_news=int
   clearNotDefinedVars = 1
   pidInRootline       = 0
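To see what a rule set actually does to a request, here is an added,
stand-alone PHP illustration that is not code from wt\_doorman or its author:
it re-implements the semantics described in the ``secParams`` tables above
(``int``, ``alphanum``, ``alphanum ++``, ``htmlentities``, ``addslashes``,
the ``"value"`` list, nesting and the ``*`` wildcard) and parses the
``varsDefinition`` string from the extension manager example into the same
nested rule array. The class name ``DoormanLikeFilter``, its method names
and the sample request arrays are made up for this example. Two behaviours
are assumptions rather than documented facts: a piVar without a rule is
dropped (the plugin-side counterpart of ``clearNotDefinedVars``), and a
value that is not in a ``"value"`` list is dropped. The ``text`` and
``removeXSS`` rules are left out because they depend on TYPO3's removeXSS
class.

```php
<?php
// Added example, NOT wt_doorman's code: a stand-alone re-implementation of
// the secParams / varsDefinition semantics described in this manual.
// Class, method and variable names are made up for the illustration.
class DoormanLikeFilter
{
    public $secParams = array();          // nested rules, shaped like secParams
    public $clearNotDefinedVars = true;   // drop params without a rule (assumption)

    // Parse the Extension Manager format "L=int, tx_ttnews|tt_news=int":
    // "," separates definitions, "|" descends one array level. (Value lists
    // like "a","b" cannot be written in this format because of the comma.)
    public static function parseVarsDefinition($definition)
    {
        $rules = array();
        foreach (explode(',', $definition) as $entry) {
            if (strpos($entry, '=') === false) continue;         // ignore junk
            list($path, $rule) = explode('=', $entry, 2);
            $node =& $rules;
            foreach (explode('|', trim($path)) as $key) {        // walk/create the path
                $key = trim($key);
                if (!isset($node[$key]) || !is_array($node[$key])) $node[$key] = array();
                $node =& $node[$key];
            }
            $node = trim($rule);                                 // leaf = rule string
            unset($node);                                        // break the reference
        }
        return $rules;
    }

    // Filter $vars against $rules (default: secParams); returns a clean copy.
    public function sec(array $vars, $rules = null)
    {
        if ($rules === null) $rules = $this->secParams;
        $clean = array();
        foreach ($vars as $key => $value) {
            if (array_key_exists('*', $rules)) {                 // "*" overrides the level
                $rule = $rules['*'];
            } elseif (array_key_exists($key, $rules)) {
                $rule = $rules[$key];
            } else {
                if (!$this->clearNotDefinedVars) $clean[$key] = $value;
                continue;                                        // no rule: drop (or keep)
            }
            if (is_array($rule) || is_array($value)) {           // nested level
                if (is_array($rule) && is_array($value)) {
                    $clean[$key] = $this->sec($value, $rule);
                }
                continue;                                        // shape mismatch: drop
            }
            $result = self::applyRule((string)$value, $rule);
            if ($result !== null) $clean[$key] = $result;
        }
        return $clean;
    }

    // Apply one scalar rule; null means "remove this parameter".
    public static function applyRule($value, $rule)
    {
        if ($rule === 'int') return (int)$value;                 // "7 OR 1=1" -> 7
        if ($rule === 'alphanum') return preg_replace('/[^A-Za-z0-9 ]/', '', $value);
        if (preg_match('/^alphanum\s*\+\+(.*)$/', $rule, $m)) {  // own extra signs
            $extra = preg_quote(stripslashes(trim($m[1])), '/'); // "\/" means "/"
            return preg_replace('/[^A-Za-z0-9 ' . $extra . ']/', '', $value);
        }
        if ($rule === 'htmlentities') return htmlentities($value, ENT_QUOTES, 'UTF-8');
        if ($rule === 'addslashes') return addslashes($value);
        if ($rule !== '' && $rule[0] === '"') {                  // allow-list: "a","b"
            preg_match_all('/"([^"]*)"/', $rule, $m);
            return in_array($value, $m[1], true) ? $value : null;
        }
        return null;                                             // unknown rule: fail closed
    }
}

// --- Demo with constructed input (not real request data) -----------------
$plugin = new DoormanLikeFilter();
$plugin->secParams = array(
    'uid'    => 'int',
    'show'   => '"detailview","none"',
    'filter' => array('name' => 'alphanum', 'email' => 'alphanum ++ @.\-'),
    'fields' => array('*' => 'alphanum'),
);
$piVars = array(
    'uid'    => '7 OR 1=1',                                // injection attempt
    'show'   => 'detailview<script>',                      // not in the allow-list
    'filter' => array('name' => 'Al<b>ex</b>', 'email' => 'alex@example.org'),
    'fields' => array('field111' => 'Alex', 'field122' => 'x"y'),
    'evil'   => '<img src=x onerror=alert(1)>',            // no rule: dropped
);
print_r($plugin->sec($piVars));

// Global filtering with the Extension Manager string from the example above
$site = new DoormanLikeFilter();
$site->secParams = DoormanLikeFilter::parseVarsDefinition('L=int,tx_ttnews|tt_news=int');
$request = array('L' => '1 UNION SELECT', 'id' => '12',
                 'tx_ttnews' => array('tt_news' => '42abc', 'backPid' => '5'));
print_r($site->sec($request));                             // id and backPid are dropped
```

Run it with ``php`` on the command line and compare the two ``print_r``
dumps with the input arrays. Two things are worth noticing. First, the
global run drops ``id`` and ``backPid`` because they have no definition;
that is exactly the "if you forget a param, forms stop working" risk of
``clearNotDefinedVars``. Second, after ``'uid' => 'int'`` the query from
"Don't do it in this way 2" is safe only because the value is now a PHP
integer; for every rule that returns a string (``alphanum``, ``text``,
``addslashes``) still pass the value through
``$GLOBALS['TYPO3_DB']->fullQuoteStr()`` before using it in SQL and through
``htmlspecialchars()`` before echoing it, rather than relying on
``addslashes``.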
.. _Explanation:

Explanation
"""""""""""

- ``L=int``: the GET param L must be an integer
- ``tx_ttnews|tt_news=int``: the tt_news uid must be an integer
- ``clearNotDefinedVars = 1``: all other vars are deleted (ATTENTION: if you
  forget a param, some forms or extensions may stop working)
- ``pidInRootline = 0``: the page id below which the check should work (0
  for all pages)

.. _Screenshot-of-debug-mode:

Screenshot of "debug mode"
^^^^^^^^^^^^^^^^^^^^^^^^^^

|img-2|

.. _FAQ:

FAQ
---

.. _When-should-I-use-this-class:

When should I use this class
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- If you are an admin and want to stop bad input from outside
- If you are a developer and want to work with cleaned piVars

.. _Why-should-I-use-this-class-in-my-extension:

Why should I use this class in my extension
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- I will extend this class as often as possible
- You can save some code
- Every piVar you use has a defined shape instead of being trusted raw input
  (protection against manipulated piVars)
- wt\_doorman uses a newer removeXSS class than the one in TYPO3 4.2

.. _Todos:

Todos
-----

- Maybe extend this class for piVars on the third level
- Add umlauts to alphanum
- Did I forget something important? Do you need a new feature? Maybe we can
  help you, so just write to us!

.. _Changelog:

Changelog
---------

.. _wt-doorman-version-1-3-x-stable:

wt\_doorman version 1.3.x stable
""""""""""""""""""""""""""""""""

.. _Update-on-28-03-2010-version-1-3-0:

Update on 28.03.2010 version 1.3.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- text uses addslashes and removeXSS now (can be used for both echo and DB
  entries)
- Own removeXSS method is used on older TYPO3 installations
- New method added: addslashes

.. _wt-doorman-version-1-2-x-stable:

wt\_doorman version 1.2.x stable
""""""""""""""""""""""""""""""""

.. _Update-on-01-01-2010-version-1-2-0:

Update on 01.01.2010 version 1.2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Using removeXSS for the text method
- New method added: removeXSS

.. _wt-doorman-version-1-1-x-stable:

wt\_doorman version 1.1.x stable
""""""""""""""""""""""""""""""""
.. _Update-on-13-04-2009-version-1-1-2:

Update on 13.04.2009 version 1.1.2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Using the wildcard on the first level is possible now

.. _Update-on-09-03-2009-version-1-1-1:

Update on 09.03.2009 version 1.1.1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Bugfix for disabling the removeXSS function

.. _Update-on-24-02-2009-version-1-1-0:

Update on 24.02.2009 version 1.1.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- wt\_doorman can be used to protect the whole TYPO3 installation now!
- New method added: "htmlentities"

.. _wt-doorman-version-1-0-x-stable:

wt\_doorman version 1.0.x stable
""""""""""""""""""""""""""""""""

.. _Update-on-08-11-2008-version-1-0-0:

Update on 08.11.2008 version 1.0.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Improvement of the "special value" method (more than one value can be
  defined)

.. _wt-doorman-version-0-2-x-beta:

wt\_doorman version 0.2.x beta
""""""""""""""""""""""""""""""

.. _Update-on-03-11-2008-version-0-2-2:

Update on 03.11.2008 version 0.2.2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Improvement of the removeXSS class

.. _Update-on-19-10-2008-version-0-2-1:

Update on 19.10.2008 version 0.2.1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- New feature: alphanum can be extended with your own signs

.. _Update-on-22-09-2008-version-0-2-0:

Update on 22.09.2008 version 0.2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- New feature: wildcard ``*`` added, for when all piVars (no matter what
  name) should be filtered
- New feature: debug mode, to see a before and after view of your piVars

.. _wt-doorman-version-0-1-x-beta:

wt\_doorman version 0.1.x beta
""""""""""""""""""""""""""""""

.. _Initial-Release-to-TER-on-22-09-2008-version-0-1-0:

Initial release to TER on 22.09.2008 version 0.1.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- wt\_doorman available in TER
.. _Additional-links:

Additional links
----------------

**You can use one of the following links to get more information about this plugin:**

- Author's (Alex Kellner) homepage: http://www.einpraegsam.net
- Tuning parts for your car: http://www.wunschtacho.de
- Stuff for snowboarders and skiers: http://www.justpowder.de

Do you need help with this plugin: http://www.typo3.net

|img-3|

.. ######CUTTER_MARK_IMAGES######

.. |img-1| image:: img-1.png
.. :align: left
.. :border: 0
.. :height: 16
.. :id: Grafik3
.. :name: Grafik3
.. :width: 18

.. |img-2| image:: img-2.jpeg
.. :align: left
.. :border: 0
.. :height: 141
.. :id: Grafik2
.. :name: Grafik2
.. :width: 669

.. |img-3| image:: img-3.png
.. :align: left
.. :border: 0
.. :height: 32
.. :id: Graphic1
.. :name: Graphic1
.. :width: 102