lochmueller / calendarize

📆 Best TYPO3 Calendar ever 📆
http://typo3.org/extensions/repository/view/calendarize

Using ICS download with routeEnhancer - hmac-validation not executed #710

Closed albig closed 1 year ago

albig commented 1 year ago

I would like to make more speaking URLs for ICS/ICal downloads. With the following RouteEnhancer the URL looks like

https://example.com/ics/123456789.ics?cHash=987654321

hmac = 123456789, cHash = 987654321

routeEnhancers:
  Calendarize:
    type: Extbase
    extension: Calendarize
    plugin: Calendar
    routes:
     - routePath: '/ics/{hmac}.{format}'
       _controller: 'Calendar::list'
    defaultController: 'Calendar::list'
    aspects:
      format:
        type: StaticValueMapper
        map:
          'ics': 'ics'

With a simple aspect mapper like the one explained here: https://stackoverflow.com/questions/53053093/how-do-i-write-a-routing-aspect-mapper-for-typo3-9-lts

I get URLs without cHash.

https://example.com/ics/123456789.ics

Now the funny part. The hmac is not validated at all. I could write just https://example.com/ics/somestring.ics

Am I wrong, or is just the line https://github.com/lochmueller/calendarize/blob/master/Classes/Controller/AbstractCompatibilityController.php#L96 wrong? sendHeaderAndFilename() already sends the ICS calendar and ends the HTTP request. The following hmac validation is never executed.

If this is a bug, I'll provide a PR of course. I'm just not sure ;-)

lochmueller commented 1 year ago

Hmm.... yes, the function quits the regular request/response flow. If there is another good solution, we could switch this logic. I suggest: Do not add the hmac to the page path segments. There should be a smarter solution...

Regards, Tim

lochmueller commented 1 year ago

Fixed by @albig PR: https://github.com/lochmueller/calendarize/pull/716
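
The ordering problem discussed in this thread, as an added example that is not code from calendarize or from PR #716: a function that sends the file and ends the request makes any later HMAC check dead code, so the check has to run first. The function names, the secret and the signed payload are hypothetical; the page does not state what calendarize actually signs.

```php
<?php
declare(strict_types=1);

// Hypothetical secret for this example; a real site would derive it from its own key material.
const SECRET = 'constructed-demo-secret';

/** HMAC over the payload that the download link is meant to authorise. */
function signPayload(string $payload): string
{
    return hash_hmac('sha256', $payload, SECRET);
}

/** Stand-in for a helper that emits the file and ends the request (PHP 8.1+ for `never`). */
function sendIcs(string $body): never
{
    // In a web request, header('Content-Type: text/calendar') would precede the echo.
    echo $body;
    exit(0);
}

/** Order described in the issue: output first, so the check below is never reached. */
function downloadUnchecked(string $payload, string $hmac): void
{
    sendIcs("BEGIN:VCALENDAR\r\nEND:VCALENDAR\r\n");
    if (!hash_equals(signPayload($payload), $hmac)) { // dead code
        throw new RuntimeException('Invalid HMAC');
    }
}

/** Corrected order: compare in constant time, reject, and only then send. */
function downloadChecked(string $payload, string $hmac): void
{
    if (!hash_equals(signPayload($payload), $hmac)) {
        http_response_code(403);
        throw new RuntimeException('Invalid HMAC');
    }
    sendIcs("BEGIN:VCALENDAR\r\nEND:VCALENDAR\r\n");
}

// Constructed input: the arbitrary value "somestring" from the issue is rejected.
try {
    downloadChecked('calendar-config-1', 'somestring');
} catch (RuntimeException $e) {
    fwrite(STDERR, 'rejected: ' . $e->getMessage() . PHP_EOL);
}
// A correctly signed link is served; sendIcs() then ends the script.
downloadChecked('calendar-config-1', signPayload('calendar-config-1'));
```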