Project

General

Profile

Actions

Bug #102567

open

Send 400 Bad Request in case of Extbase POST request with missing argument

Added by Daniel Siepmann 3 months ago. Updated 3 months ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
Extbase
Target version:
-
Start date:
2023-11-30
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
12
PHP Version:
8.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Given the following setup:

  1. An Extbase action with a required argument
  2. That Extbase action only will be called via POST (this can not be enforced yet, see: https://decisions.typo3.org/t/align-extbase-more-with-symfony/)
  3. The action is called without that argument

Right now Extbase would throw an exception: https://github.com/TYPO3/typo3/blob/v12.4.8/typo3/sysext/extbase/Classes/Mvc/Controller/ActionController.php#L818

Proposal: Extbase should deliver a "400 Bad Request".

This can happen if stupid bots crawl a site. This might spam the logs with the Extbase exception.

This can be implemented without https://decisions.typo3.org/t/align-extbase-more-with-symfony/. That than can come on top in order to enforce Extbase to only call the action if the current request is a POST request. That again prevents flooding the logs by bad bots that might call the action via get request.

Actions #1

Updated by Simon Schaufelberger 3 months ago

This is my current solution as a workaround in a controller:

    public function processRequest(RequestInterface $request): ResponseInterface
    {
        if ($request->getMethod() === 'GET' && $request->getControllerActionName() === 'delete') {
            $content = GeneralUtility::makeInstance(ErrorPageController::class)->errorAction(
                'Method not allowed',
                'GET method not allowed for this action!',
                AbstractMessage::ERROR,
                0,
                405
            );
            throw new PropagateResponseException(new HtmlResponse($content, 405));
        }

        return parent::processRequest($request);
    }

The correct http status code is 405 in this case.

Actions

Also available in: Atom PDF