Bug #102567
open
Send 400 Bad Request in case of Extbase POST request with missing argument
0%
Description
Given the following setup:
- An Extbase action with a required argument
- That Extbase action only will be called via POST (this can not be enforced yet, see: https://decisions.typo3.org/t/align-extbase-more-with-symfony/)
- The action is called without that argument
Right now Extbase would throw an exception: https://github.com/TYPO3/typo3/blob/v12.4.8/typo3/sysext/extbase/Classes/Mvc/Controller/ActionController.php#L818
Proposal: Extbase should deliver a "400 Bad Request".
This can happen if stupid bots crawl a site. This might spam the logs with the Extbase exception.
This can be implemented without https://decisions.typo3.org/t/align-extbase-more-with-symfony/. That than can come on top in order to enforce Extbase to only call the action if the current request is a POST request. That again prevents flooding the logs by bad bots that might call the action via get request.
Updated by Simon Schaufelberger 12 months ago
This is my current solution as a workaround in a controller:
public function processRequest(RequestInterface $request): ResponseInterface
{
if ($request->getMethod() === 'GET' && $request->getControllerActionName() === 'delete') {
$content = GeneralUtility::makeInstance(ErrorPageController::class)->errorAction(
'Method not allowed',
'GET method not allowed for this action!',
AbstractMessage::ERROR,
0,
405
);
throw new PropagateResponseException(new HtmlResponse($content, 405));
}
return parent::processRequest($request);
}
The correct http status code is 405 in this case.
Updated by Oliver Hader 3 months ago
Simon Schaufelberger wrote in #note-1:
This is my current solution as a workaround in a controller:
[...]
The correct http status code is 405 in this case.
Side-note: HTTP status 405 must send an additional Allow header in the response.