Bug #102567
open
Send 400 Bad Request in case of Extbase POST request with missing argument
0%
Description
Given the following setup:
- An Extbase action with a required argument
- That Extbase action only will be called via POST (this can not be enforced yet, see: https://decisions.typo3.org/t/align-extbase-more-with-symfony/)
- The action is called without that argument
Right now Extbase would throw an exception: https://github.com/TYPO3/typo3/blob/v12.4.8/typo3/sysext/extbase/Classes/Mvc/Controller/ActionController.php#L818
Proposal: Extbase should deliver a "400 Bad Request".
This can happen if stupid bots crawl a site. This might spam the logs with the Extbase exception.
This can be implemented without https://decisions.typo3.org/t/align-extbase-more-with-symfony/. That than can come on top in order to enforce Extbase to only call the action if the current request is a POST request. That again prevents flooding the logs by bad bots that might call the action via get request.
Updated by Simon Schaufelberger 5 months ago
This is my current solution as a workaround in a controller:
public function processRequest(RequestInterface $request): ResponseInterface
{
if ($request->getMethod() === 'GET' && $request->getControllerActionName() === 'delete') {
$content = GeneralUtility::makeInstance(ErrorPageController::class)->errorAction(
'Method not allowed',
'GET method not allowed for this action!',
AbstractMessage::ERROR,
0,
405
);
throw new PropagateResponseException(new HtmlResponse($content, 405));
}
return parent::processRequest($request);
}
The correct http status code is 405 in this case.