Feature #90134
closed
Send 400 - BAD REQUEST on invalid hmacs from extbase forms
Added by Christian Eßl over 4 years ago. Updated almost 2 years ago.
100%
Description
See issue #87917.
If a bot submits a faulty extbase form (like with a manipulated __trustedProperties field), usually the following uncaught exception will be thrown:
The given string was not appended with a valid HMAC
The server will then - as with any other exception - send a status 500 back, that makes it look as if an a server error occured. This also means the error will then be automatically logged with any logging tool you are using and you would have to either manually:
- block the bots that are using the form wrong
- create a rule in your logging tool to prevent those messages from flooding your logs.
I think it would be better to just send a status code "400 - BAD REQUEST" in this case. As this actually comes from a bad client request the server can't compute.
Updated by Christian Eßl over 4 years ago
- Related to Bug #87917: Bot manipulated form fields lead to exception added
Updated by Christian Eßl about 4 years ago
- Subject changed from Send 404 - BAD REQUEST on invalid hmacs from extbase forms to Send 400 - BAD REQUEST on invalid hmacs from extbase forms
Updated by Gerrit Code Review about 4 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63272
Updated by Gerrit Code Review about 4 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63272
Updated by Gerrit Code Review about 4 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63272
Updated by Christian Eßl about 4 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset f553d918cb69eb9dc525cad689ce44c08e9b5f43.
Updated by
Updated by Gerrit Code Review about 4 years ago
- Status changed from Closed to Under Review
Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64274
Updated by Gerrit Code Review about 4 years ago
Patch set 2 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64274
Updated by Gerrit Code Review about 4 years ago
Patch set 3 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64274
Updated by Gerrit Code Review about 4 years ago
Patch set 4 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64274
Updated by Christian Eßl about 4 years ago
- Status changed from Under Review to Resolved
Applied in changeset b7bb01e5b71de7f37886866363109f494fbd1e99.
Updated by Christoph Römer almost 4 years ago
I am sorry to get to this issue once again... it seems like the Problem is solved but not for me. Now my Typo3-Logs are flooded with the bad requests-Exception instead... so nothing is won. I am running several Typo3 9.5.20 Sites on a Mittwald-Server and some of them throwing this Exception 200 times a day - wich is a littel bit annoying as you can imagine.
For Example:
Core: Exception handler (WEB): Uncaught TYPO3 Exception: #1581862822: The HMAC of the form could not be validated. | TYPO3\CMS\Core\Error\Http\BadRequestException thrown in file /html/typo3/typo3_src-9.5.20/typo3/sysext/extbase/Classes/Mvc/Controller/MvcPropertyMappingConfigurationService.php in line 136. Requested URL: https://www.esther-muench.de/startseite?tx_powermail_pi1%%5Baction%%5D=confirmation&tx_powermail_pi1%%5Bcontroller%%5D=Form&cHash=d6af9e27348305de23590d3dc3af1c30
So I am looking for Help since a few years now (I am not competent enough to solve it by my self I must admit)...
Updated by Martin R. Krause over 3 years ago
This issue is NOT resolved. Now we have a different exception - BadRequestException - but it still floods the TYPO3 log. There is no option to prevent this.
Updated by varioous OG over 3 years ago
- Status changed from Closed to New
Hi,
in Version 10.4.6 still no changes. Always find messages like that in the Protocol:
Core: Exception handler (WEB): Uncaught TYPO3 Exception: #1581862822: The HMAC of the form could not be validated. | TYPO3\CMS\Core\Error\Http\BadRequestException thrown in file /xxxxxxxxx/htdocs/public/typo3/sysext/extbase/Classes/Mvc/Controller/MvcPropertyMappingConfigurationService.php in line 142. Requested URL: xxxxxxxxx/kontakt?tx_vayoga_contact%%5Baction%%5D=index&tx_vayoga_contact%%5Bcontroller%%5D=Contact&cHash=1af7168931cf44716b07b683ad913967
Thanks and kind regards,
various
Updated by Anonymous over 3 years ago
I am wondering, why the following try-catch emits its own message - instead of just reusing the original messages of the exceptions it catches?
try {
$serializedTrustedProperties = $this->hashService->validateAndStripHmac($trustedPropertiesToken);
} catch (InvalidHashException | InvalidArgumentForHashGenerationException $e) {
throw new BadRequestException('The HMAC of the form could not be validated.', 1581862822);
}
This would help debugging on production systems a lot. Bugfix?
Updated by Alexander Rotzsch over 3 years ago
I can confirm this for 9.5.22. We have about 10-40 of those entries per day! Not only the logs get flooded, it's also hard to spot real error-logs that are lurking inbetween. A solution would be appreciated. ;) Example:
Core: Exception handler (WEB): Uncaught TYPO3 Exception: #1581862822: The HMAC of the form could not be validated. | TYPO3\CMS\Core\Error\Http\BadRequestException thrown in file /var/www/typo3/public/typo3/sysext/extbase/Classes/Mvc/Controller/MvcPropertyMappingConfigurationService.php in line 136. Requested URL: https://www.exampledomain.com/unternehmen/kontakt?tx_powermail_pi1%%5Baction%%5D=create&tx_powermail_pi1%%5Bcontroller%%5D=Form&cHash=3e78aed6aa31a247482c8cbe29b17a11
Updated by Mike Street over 3 years ago
Would like to echo the above comments - if this error is triggered by TYPO3 evaluating the user as "spam", I don't see why it needs to fill the `typo3_XXX` log up, especially with such verbose information and an `alert` status.
Apologies if I have misunderstood, but my impression is that nothing can be done with this error as a site maintainer? If that is the case it would be good to at least have the option of disabling this error.
I get the following with 9.5.24:
Mon, 08 Feb 2021 11:12:20 +0000 [ALERT] request="b21030be741ad" component="TYPO3.CMS.Frontend.ContentObject.Exception.ProductionExceptionHandler": Oops, an error occurred! Code: 202102081112203a990003 - {"exception":"TYPO3\\CMS\\Core\\Error\\Http\\BadRequestException: The HMAC of the form could not be validated. in /usr/local/share/typo3/9.5/typo3/sysext/extbase/Classes/Mvc/Controller/MvcPropertyMappingConfigurationService.php:136
Stack trace:
#0 /usr/local/share/typo3/9.5/typo3/sysext/extbase/Classes/Mvc/Controller/ActionController.php(155): TYPO3\\CMS\\Extbase\\Mvc\\Controller\\MvcPropertyMappingConfigurationService->initializePropertyMappingConfigurationFromRequest(Object(TYPO3\\CMS\\Extbase\\Mvc\\Web\\Request), Object(TYPO3\\CMS\\Extbase\\Mvc\\Controller\\Arguments))
#1 /usr/local/share/typo3/9.5/typo3/sysext/extbase/Classes/Mvc/Dispatcher.php(73): TYPO3\\CMS\\Extbase\\Mvc\\Controller\\ActionController->processRequest(Object(TYPO3\\CMS\\Extbase\\Mvc\\Web\\Request), Object(TYPO3\\CMS\\Extbase\\Mvc\\Web\\Response))
#2 /usr/local/share/typo3/9.5/typo3/sysext/extbase/Classes/Mvc/Web/FrontendRequestHandler.php(92): TYPO3\\CMS\\Extbase\\Mvc\\Dispatcher->dispatch(Object(TYPO3\\CMS\\Extbase\\Mvc\\Web\\Request), Object(TYPO3\\CMS\\Extbase\\Mvc\\Web\\Response))
#3 /usr/local/share/typo3/9.5/typo3/sysext/extbase/Classes/Core/Bootstrap.php(172): TYPO3\\CMS\\Extbase\\Mvc\\Web\\FrontendRequestHandler->handleRequest()
#4 /usr/local/share/typo3/9.5/typo3/sysext/extbase/Classes/Core/Bootstrap.php(159): TYPO3\\CMS\\Extbase\\Core\\Bootstrap->handleRequest()
#5 [internal function]: TYPO3\\CMS\\Extbase\\Core\\Bootstrap->run('', Array)
....
Updated by Torben Hansen about 3 years ago
- Related to Bug #93667: Disable logging of invalid requests due to manipulated form submissions added
Updated by Christoph Römer about 3 years ago
Apologies if I have misunderstood, but my impression is that nothing can be done with this error as a site maintainer? If that is the case it would be good to at least have the option of disabling this error.
THANK YOU! I am dealing with this for several years now... nothing happens. VERRY disappointing. Up to 100 "Errors" a day...
Is there ANYTHING going on to solve that S&#=&t?
Updated by Torben Hansen about 3 years ago
There is an open patch ready for test and review: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68196
Updated by Torben Hansen about 3 years ago
Patch has been merged to master and v10, so I think this issue can be closed
Updated by Riccardo De Contardi about 3 years ago
- Status changed from New to Closed
I close this issue for now; if you think that this is the wrong decision or experience the issue again please reopen it or ping me and I'll do.
Thank you.
Updated by Christian Wellinghorst over 2 years ago
- Status changed from Closed to New
IMHO this problem still exists - the Exception 'The HMAC of the form could not be validated.' (Code 1581862822) is still logged for us WHEN IN PRODUCTION CONTEXT (note that this does NOT happen - at least in our tests until now - when in Development Context).
The reason is obviously that the exception gets caught by TYPO3\CMS\Frontend\ContentObject\Exception\ProductionExceptionHandler which also causes the log entry to be written. So basically: the fix does not seem to apply as soon as Production context is active. The only way we could find to work around this for now was to add the exception code to the list of ignored codes as per this site: https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/7.0/Feature-47919-CatchContentRenderingExceptions.html
Edit: Sorry, forgot to mention - this behavior occurs in Typo3 10.4.21 for us, not testet in v9 or v11
Updated by Mohamed Masmoudi almost 2 years ago
I'm still have the same issue in the production context, Typo3 v11.
component="TYPO3.CMS.Frontend.ContentObject.Exception.ProductionExceptionHandler": Oops, an error occurred! Code: 20220616140959da0cf9eb- BadRequestException: The HMAC of the form could not be validated., in file /html/typo3/web/typo3/sysext/extbase/Classes/Mvc/Controller/MvcPropertyMappingConfigurationService.php:142 - {"exception":"TYPO3\\CMS\\Core\\Error\\Http\\BadRequestException: The HMAC of the form could not be validated.
Updated by Torben Hansen almost 2 years ago
- Related to Task #97830: Do not log HMAC validation errors in contentObject exception handler added
Updated by Torben Hansen almost 2 years ago
- Status changed from New to Closed
The patch merged with #97830 (for v11.5 and main) now also prevents logging of failed HMAC validations for ProductionExceptionHandler. I'll close this ticket again.