From 6d62be8f3924e9143267cf61e227864751b52f5e Mon Sep 17 00:00:00 2001
From: Bastian Waidelich
Date: Thu, 5 Aug 2021 12:25:02 +0200
Subject: [PATCH 1/2] BUGFIX: Allow arbitrary objects in the FormState

This fixes a regression introduced with #101 that prevented objects like images and documents to be persisted in the Form State, leading to exceptions in multi step forms.

Fixes: #143
Related: #126 #135
---
 Classes/Core/Runtime/FormRuntime.php | 3 +-
 .../TwoPageFormWithUploadFactory.php | 33 +++++++++++++++++++
 Tests/Functional/Fixtures/dummy.txt | 1 +
 Tests/Functional/SimpleFormTest.php | 23 +++++++++++++
 4 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 Tests/Functional/Fixtures/FormFactories/TwoPageFormWithUploadFactory.php
 create mode 100644 Tests/Functional/Fixtures/dummy.txt

diff --git a/Classes/Core/Runtime/FormRuntime.php b/Classes/Core/Runtime/FormRuntime.php
index 4aa5377..209d3a8 100644
--- a/Classes/Core/Runtime/FormRuntime.php
+++ b/Classes/Core/Runtime/FormRuntime.php
@@ -181,7 +181,8 @@ protected function initializeFormStateFromRequest()
 $this->formState = new FormState();
 } else {
 $serializedFormState = $this->hashService->validateAndStripHmac($serializedFormStateWithHmac);
- $this->formState = unserialize(base64_decode($serializedFormState), ['allowed_classes' => [FormState::class, \DateTime::class, \DateTimeImmutable::class]]);
+ /** @noinspection UnserializeExploitsInspection The unserialize call is safe because of the HMAC check above */
+ $this->formState = unserialize(base64_decode($serializedFormState));
 }
 }
diff --git a/Tests/Functional/Fixtures/FormFactories/TwoPageFormWithUploadFactory.php b/Tests/Functional/Fixtures/FormFactories/TwoPageFormWithUploadFactory.php
new file mode 100644
index 0000000..95472c6
--- /dev/null
+++ b/Tests/Functional/Fixtures/FormFactories/TwoPageFormWithUploadFactory.php
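Review bot: The new `unserialize(base64_decode($serializedFormState))` call in FormRuntime.php drops the `allowed_classes` list, which leaves the HMAC checked by `validateAndStripHmac()` as the only control between request data and object instantiation. If the signing key ever leaks, or the same hash service signs other caller-influenced strings (not visible from this hunk), every autoloadable class becomes reachable for PHP object injection, so the old list was defence in depth rather than redundancy. Consider keeping a restriction and widening it to what upload elements need, for example `unserialize(base64_decode($serializedFormState), ['allowed_classes' => $allowedFormStateClasses])` with the list taken from package settings, and checking `$this->formState instanceof FormState` before the result is used. The `@noinspection` comment should also name its assumption, e.g. `safe only while the HMAC key stays secret and is not shared with other signed payloads`. The body of `initializeFormStateFromRequest()` starts above this hunk.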
@@ -0,0 +1,33 @@
+getPresetConfiguration($presetName));
+
+ $page1 = $formDefinition->createPage('page1');
+ $page2 = $formDefinition->createPage('page2');
+
+ $fileUpload = $page1->createElement('file', 'Neos.Form:FileUpload');
+ $fileUpload->setProperty('allowedExtensions', ['txt']);
+ $page1->createElement('date', 'Neos.Form:DatePicker');
+ $page2->createElement('text2-1', 'Neos.Form:SingleLineText');
+
+ return $formDefinition;
+ }
+}
diff --git a/Tests/Functional/Fixtures/dummy.txt b/Tests/Functional/Fixtures/dummy.txt
new file mode 100644
index 0000000..05facee
--- /dev/null
+++ b/Tests/Functional/Fixtures/dummy.txt
@@ -0,0 +1 @@
+This is just a dummy file
diff --git a/Tests/Functional/SimpleFormTest.php b/Tests/Functional/SimpleFormTest.php
index 82766c3..9750098 100644
--- a/Tests/Functional/SimpleFormTest.php
+++ b/Tests/Functional/SimpleFormTest.php
@@ -21,6 +21,8 @@
 */
 class SimpleFormTest extends AbstractFunctionalTestCase
 {
+ protected static $testablePersistenceEnabled = true;
+
 /**
 * @test
 */
@@ -106,6 +108,27 @@ public function validationIsNotSkippedForGetRequests()
 Assert::assertSame(' error', $this->browser->getCrawler()->filterXPath('//*[contains(@class,"error")]//input[@id="three-page-form-with-validation-text2-1"]')->attr('class'));
 }
+ /**
+ * @test
+ * @see https://github.com/neos/form/issues/126
+ * @see https://github.com/neos/form/issues/135
+ * @see https://github.com/neos/form/issues/143
+ */
+ public function formStateCanContainArbitraryObjects()
+ {
+ $this->browser->request('http://localhost/test/form/simpleform/TwoPageFormWithUpload');
+
+ $form = $this->browser->getForm();
+ $form->get('--two-page-form-with-upload[file]')->upload(__DIR__ . '/Fixtures/dummy.txt');
+ $form->get('--two-page-form-with-upload[date][date]')->setValue('1980-12-13');
+ $this->gotoNextFormPage($form);
+ $response = $this->gotoPreviousFormPage($this->browser->getForm());
+ $form = $this->browser->getForm();
+ // Note: we can't use $form['--two-page-form-with-upload']['file']['originallySubmittedResource']['__identity'] because that is overruled by the $form['--two-page-form-with-upload']['file'] element
+ Assert::assertStringContainsString('getBody()->getContents());
+ Assert::assertSame('1980-12-13', $form->get('--two-page-form-with-upload[date][date]')->getValue());
+ }
+
 /**
 * This is an edge-case which occurs if somebody makes the formState persistent, which can happen when subclassing the FormRuntime.
 *
From 13055b6d8bc5abd298f0bb4a32394c7bff7a3fe7 Mon Sep 17 00:00:00 2001
From: Bastian Waidelich
Date: Thu, 5 Aug 2021 12:30:00 +0200
Subject: [PATCH 2/2] Cosmetic fix to satisfy StyleCI checks

---
 Tests/Unit/Persistence/YamlPersistenceManagerTest.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Tests/Unit/Persistence/YamlPersistenceManagerTest.php b/Tests/Unit/Persistence/YamlPersistenceManagerTest.php
index 9d8f432..e2fa7f8 100644
--- a/Tests/Unit/Persistence/YamlPersistenceManagerTest.php
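Review bot: `formStateCanContainArbitraryObjects()` in SimpleFormTest.php covers only the correctly signed round trip, so nothing in this patch pins the property the FormRuntime change now depends on: that a form state whose HMAC does not verify is rejected before `unserialize()` runs. Since the class allow-list is gone, a companion negative test would be worth adding here, one that submits the second request with a modified serialized form state and asserts that the request fails without the state being restored. Other test files not visible in this patch may already cover this, in which case a `@see` reference to that test in the docblock would be enough.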
+++ b/Tests/Unit/Persistence/YamlPersistenceManagerTest.php @@ -32,7 +32,8 @@ public function setUp(): void { vfsStream::setup('someSavePath'); $this->yamlPersistenceManager = new YamlPersistenceManager(); - $this->yamlPersistenceManager->injectSettings([ + $this->yamlPersistenceManager->injectSettings( + [ 'yamlPersistenceManager' => ['savePath' => vfsStream::url('someSavePath') ]