Bug #98264: Logging "unsupported" HTTP request methods as an exception into the log is wrong - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #98264

open

Logging "unsupported" HTTP request methods as an exception into the log is wrong

Added by Stefan P over 1 year ago. Updated 9 months ago.

Status:

Under Review

Priority:

Should have

Assignee:

Category:

Target version:

Start date:

2022-09-06

Due date:

% Done:

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

The class TYPO3\CMS\Core\Http\Request will log any "unsupported" HTTP method as an Exception to the logs. \InvalidArgumentException('Unsupported HTTP method "' . $method . '".', 1436717275);

Knowing this one can exploit any modern TYPO3 setup by simply doing curl -XUNKWNONMETHOD https://target-host in a "slow" loop (slow enough to not be considered a DoS) and spam everyones sys_log.

The correct way of handling an unsupported method is by answering with 501 (Not Implemented).

Discovered in v10, but still valid in current master.

Related issues 1 (1 open — 0 closed)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Watchers (2)

Bug #98264

Logging "unsupported" HTTP request methods as an exception into the log is wrong

Updated by Stefan P over 1 year ago

Updated by Stefan P over 1 year ago

Updated by Gerrit Code Review over 1 year ago

Updated by Gerrit Code Review over 1 year ago

Updated by Gerrit Code Review over 1 year ago

Updated by Gerrit Code Review 11 months ago

Updated by Stefan P 9 months ago

Updated by Stefan Bürk 28 days ago