Security fix

Classes/Domain/Repository/QuizRepository.php

@@ -40,5 +40,15 @@ public function findFromPid($pageId)
     	$query->matching($query->equals('pid', $pageId));
     	return $query->execute();
     }
-
+
+    /**
+     * Get the PIDs
+     *
+     * @return array
+     */
+    public function getStoragePids()
+    {
+        $query = $this->createQuery();
+        return $query->getQuerySettings()->getStoragePageIds();
+    }
 }

Configuration/TypoScript/setup.ts

@@ -15,8 +15,6 @@ plugin.tx_fpmasterquiz {
         skipDefaultArguments = 1
         # if set to 1, the enable fields are ignored in BE context
         ignoreAllEnableFieldsInBe = 0
-        # Should be on by default, but can be disabled if all action in the plugin are uncached
-        requireCHashArgumentForActionArguments = 0
     }
     mvc {
         callDefaultActionIfActionCantBeResolved = 1
@@ -27,7 +25,7 @@ plugin.tx_fpmasterquiz {
 		closurePageUid =
 		resultPageUid =
 		highscorePageUid =
-		defaultQuizUid = 1
+		defaultQuizUid =
 		introContentUid =
 		introNextAction = show
 		showAnswerPage = 1

Documentation/Administrator/Index.rst

@@ -126,6 +126,32 @@ Exporting participant entries
 * There is a scheduler task which whom you can export participants from a single folder (pid). The csv-file will be written to fileadmin.
 
 
+.. _security-fix:
+
+Security fix in version 3.5.2
+-----------------------------
+
+Since version 3.5.2 a session-key is always required and this session-key will be checked against a participant.
+If you use the Ajax-version AND if you use an own HTML-template, then you must add some code to your templates!
+In the Show.html template you need to add this line to the hidden-fields of the first form::
+
+  <f:form.hidden name="session" value="" id="quiz-form-session" />
+
+In the ShowAjax.html template you need to add 2 lines.
+This one after "$('#quiz-form'+ceuid+' #quiz-form-parti').val('{participant.uid}');"::
+
+  $('#quiz-form'+ceuid+' #quiz-form-session').val('{session}');
+
+and this one after "$('#quiz-form-parti').val('0');"::
+
+  $('#quiz-form-session').val('');
+
+That will set a session-key for every participant.
+
+Another change was made in the settings. The default quiz-UID 1 was removed. If you use that default setting,
+you must set settings.defaultQuizUid again to 1.
+
+
 .. _admin-faq:
 
 FAQ

Documentation/ChangeLog/Index.rst

@@ -104,7 +104,7 @@ ChangeLog
   TCA-Bugfix for TYPO3 10.
   Refactoring.
 
-3.0.2:
+3.0.0/2:
   Version for TYPO3 10 and 11.
   closure action and setting closurePageUid added.
   Default-value for setting ajaxType changed from POST to GET.
@@ -127,7 +127,7 @@ ChangeLog
   Div with class card-body added to all cards.
   Variable participant.username added.
 
-3.3.1:
+3.3.0/1:
   Backend-Layout adapted for TYPO3 11.5.
   Evaluation of the most used category is now possible too. Setting showDetailedCategoryEvaluation added.
   TYPO3 categories are now available at a quiz, question, answer, selected and evaluation.
@@ -148,6 +148,10 @@ ChangeLog
   Bugfix: category evaluation.
   Bugfix: wrong Namespace in TemplateLayout corrected.
 
-3.5.0:
+3.5.0/1:
   Mandatory check with PHP too, if setting phpFormCheck=1.
-  New question mode: matrix with categories of a question.
+  New question mode: matrix with categories of a question.
+
+3.5.2:
+  Security fix: checking participant against a session-key. Please read the section Administrator / Security fix in version 3.5.2.
+  Security fix: check if a quiz/poll is allowed on a page. Therefore, the defaultQuizUid was removed in the settings!

Documentation/Configuration/Index.rst

@@ -39,7 +39,7 @@ showPageUid                  integer     UID of the single-page of a quiz (detai
 closurePageUid               integer     UID of a closure-page of a quiz.                -
 resultPageUid                integer     UID of the page where to show quiz results.     -
 highscorePageUid             integer     UID of the page where to show a highscore.      -
-defaultQuizUid               integer     UID of the quiz to show.                        1
+defaultQuizUid               integer     UID of the quiz to show.                        -
 introContentUid              integer     Content element for the intro page.             -
 introNextAction              string      Action after the intro page: show or showByTag. show
 showAnswerPage               boolean     Show an answer page after every submit?         1

Documentation/KnownProblems/Index.rst

@@ -14,10 +14,8 @@ Known Problems
 The bug tracker is here:
 `bug tracker <https://github.com/bihor/fp_masterquiz/issues>`_?
 
-jQuery needed to be loaded in the head.
-
 There might be some problems, if you enable Ajax!
-Sessions and Cookies are currently not supported if you enable Ajax.
+User-data and cookies are currently not supported if you enable Ajax.
 
 Note for versions < 3: it might be necessary to change the Quiz/Show.html template, if you will see the startpage
 instead of a question as a ajax result page. You could try to change the type from POST to GET in the $.ajax call.

README.md

@@ -1,6 +1,6 @@
 # fp_masterquiz
 
-version 3.5.1
+version 3.5.2
 
 TYPO3 extension to create a quiz, poll or test. The participant result will be saved in the DB too and can be deleted automatically via Scheduler.
 
@@ -34,6 +34,10 @@ Changes in version 3.4.4:
 - Bugfix: category evaluation.
 - Bugfix: wrong Namespace in TemplateLayout corrected.
 
-Changes in version 3.5.0:
+Changes in version 3.5.1:
 - Mandatory check with PHP too, if setting phpFormCheck=1.
 - New question mode: matrix with categories of a question.
+
+Changes in version 3.5.2:
+- Security fix: checking participant against a session-key. Please read the section Administrator / Security fix in version 3.5.2.
+- Bugfix: check if a quiz/poll is allowed on a page. Therefore, the defaultQuizUid was removed in the settings!

Resources/Private/Language/de.locallang.xlf

@@ -351,6 +351,10 @@
 				<source>The quiz with this uid was not found (Record Storage Place set?):</source>
 				<target>Das Quiz mit dieser Uid wurde nicht gefunden (Datensatzsammlung gesetzt?):</target>
 			</trans-unit>
+			<trans-unit id="error.quizNotAllowed" resname="error.quizNotAllowed">
+				<source>The quiz was not allowed, because another default quiz is set in the Backend:</source>
+				<target>Das Quiz ist nicht erlaubt, da ein anderes Quiz im Backend ausgewählt wurde:</target>
+			</trans-unit>
 			<trans-unit id="error.quizDetailNotFound" resname="error.quizDetailNotFound">
 				<source>No quiz and no detail page was not found!</source>
 				<target>Es wurde kein Quiz und keine Startseite gesetzt! (Datensatzsammlung gesetzt?)</target>
@@ -359,6 +363,10 @@
 				<source>Error: mandatory questions not answered!</source>
 				<target>Fehler: bitte die markierten Fragen beantworten!</target>
 			</trans-unit>
+			<trans-unit id="error.invalidParameters" resname="error.invalidParameters">
+				<source>Error: the parameters could not be validated!</source>
+				<target>Fehler: die Parameter konnten nicht validiert werden!</target>
+			</trans-unit>
 			<trans-unit id="text.answer.input" resname="text.answer.input">
 				<source>Answer:</source>
 				<target>Antwort:</target>

Resources/Private/Language/locallang.xlf

@@ -264,12 +264,18 @@
 			<trans-unit id="error.quizNotFound" resname="error.quizNotFound">
 				<source>The quiz with this uid was not found (Record Storage Place set?):</source>
 			</trans-unit>
+			<trans-unit id="error.quizNotAllowed" resname="error.quizNotAllowed">
+				<source>The quiz was not allowed, because another default quiz is set in the Backend:</source>
+			</trans-unit>
 			<trans-unit id="error.quizDetailNotFound" resname="error.quizDetailNotFound">
 				<source>No quiz and no detail page was not found!</source>
 			</trans-unit>
 			<trans-unit id="error.notAnswered" resname="error.notAnswered">
 				<source>Error: mandatory questions not answered!</source>
 			</trans-unit>
+			<trans-unit id="error.invalidParameters" resname="error.invalidParameters">
+				<source>Error: the parameters could not be validated!</source>
+			</trans-unit>
 			<trans-unit id="text.answer.input" resname="text.answer.input">
 				<source>Answer:</source>
 			</trans-unit>

Resources/Private/Templates/Quiz/Show.html

@@ -74,6 +74,7 @@
 				<f:form.hidden name="action" value="showAjax" />
 				<f:form.hidden name="quiz" value="{quiz.uid}" />
 				<f:form.hidden name="uidOfCE" value="{uidOfCE}" />
+				<f:form.hidden name="session" value="" id="quiz-form-session" />
 				<f:form.hidden name="startTime" value="{startTime}" id="quiz-form-time" />
 				<f:form.hidden name="participant" value="0" id="quiz-form-parti" />
 				<f:form.hidden name="currentPage" value="1" id="quiz-form-page" />

Resources/Private/Templates/Quiz/ShowAjax.html

@@ -48,6 +48,7 @@
 			<script>
 			quizfinal = 0;
 			thisPage = {page};
+			$('#quiz-form'+ceuid+' #quiz-form-session').val('{session}');
 			$('#quiz-form'+ceuid+' #quiz-form-parti').val('{participant.uid}');
 			$('#quiz-form'+ceuid+' #quiz-form-page').val('{nextPage}');
 			$('#quiz-form'+ceuid+' #quiz-form-answers').val('{showAnswersNext}');
@@ -79,6 +80,7 @@
 					$('#quiz-form-parti').val('0');
 					$('#quiz-form-page').val('1');
 					$('#quiz-form-answers').val('0');
+					$('#quiz-form-session').val('');
 					quizfinal = 0;
 					$('#quiz-GoOn').val(text_goon);
 					$('#quiz-button-wrap').show();

ext_emconf.php

@@ -18,7 +18,7 @@
     'state' => 'stable',
     'createDirs' => '',
     'clearCacheOnLoad' => 0,
-    'version' => '3.5.1',
+    'version' => '3.5.2',
     'constraints' => [
         'depends' => [
             'typo3' => '10.4.6-11.5.99',