Bug #102727
CanonicalizationUtility does not remove unknown parameters
Description
In TYPO3 11 (and 10), when I request a page with some random parameter, it will be kept in the canonical URL:
I open this URL https://project.ddev.site/some/page/?test=1
and will get a page with the canonical URL https://project.ddev.site/some/page/?test=1&cHash=cd723811a5eabde4293bd326995d91e1
Since test is not a TYPO3 core parameter and was also not added to $GLOBALS['TYPO3_CONF_VARS']['FE']['additionalCanonicalizedUrlParameters'], I would expect it to be dropped from the canonical URL.
As it stands currently, the first request will create the canonical URL with whatever parameters, and all further requests will receive the cached page with the wrong canonical URL.
As far as I can tell, TYPO3\CMS\Frontend\Utility\CanonicalizationUtility is comparing parameters relevant for cHash calculation with the URL parameters - which always match.
Updated by Torben Hansen 11 months ago
- Status changed from New to Needs Feedback
I think this problem has been addressed in TYPO3-PSA-2021-003 - see https://typo3.org/security/advisory/typo3-psa-2021-003
So most likely, the problem has been fixed in TYPO3 v12 only, since it is a breaking change which might cause unwanted side effects for existing TYPO3 websites. For TYPO3 v11 or below, please use https://extensions.typo3.org/extension/trusted_url_params to mitigate the problem.
Can you please test and report back if installing the trusted_url_params extension fixes your problem?
Updated by Moritz Karbaum 11 months ago
Thank you for the hint!
I've installed trusted_url_params, and it doesn't seem to have any adverse effects.
Updated by Riccardo De Contardi 10 months ago
@Moritz Karbaum thank you for your feedback; do you think that this issue could be closed?
Thanks again
Updated by Marco Dinnbier 8 months ago · Edited
Hi,
I've faced the same issue. In my opinion, the issue is triggered by a wrong comparison in CanonicalizationUtility, see https://github.com/TYPO3/typo3/blob/53024568affb67b551588e66cacbcf0e7cc6245b/typo3/sysext/frontend/Classes/Utility/CanonicalizationUtility.php#L56
$urlParameters and $cHashArray are both associative arrays and are being compared with array_diff, which compares only values. This should be replaced by array_diff_assoc, which compares the whole array, or maybe better array_diff_key.
Best regards,
Marco
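Added example (not part of the original comments and not TYPO3 code): how the three PHP functions named in the comment above behave when both inputs are associative arrays. The arrays are constructed sample data, not real output of TYPO3's cHash calculation, and excludedKeys() is a hypothetical helper.

```php
<?php
declare(strict_types=1);

// Added example. Arrays are constructed sample data, not real output of
// TYPO3's cHash calculation; excludedKeys() is a hypothetical helper.

/**
 * Keys of $urlParameters that the given diff function reports as absent
 * from $cHashArray (candidates for removal from a canonical URL).
 */
function excludedKeys(callable $diff, array $urlParameters, array $cHashArray): array
{
    return array_keys($diff($urlParameters, $cHashArray));
}

$cases = [
    // 'test' exists only in the URL, but its value equals the value of 'id'.
    'unknown key, value collides' => [
        ['id' => '1', 'test' => '1'],
        ['id' => '1'],
    ],
    // 'test' exists only in the URL and its value appears nowhere else.
    'unknown key, unique value' => [
        ['id' => '1', 'test' => 'abc'],
        ['id' => '1'],
    ],
    // Same keys on both sides, values swapped between the keys.
    'same keys, swapped values' => [
        ['id' => '1', 'L' => '2'],
        ['id' => '2', 'L' => '1'],
    ],
];

foreach ($cases as $label => [$urlParameters, $cHashArray]) {
    echo $label, PHP_EOL;
    foreach (['array_diff', 'array_diff_assoc', 'array_diff_key'] as $diff) {
        $keys = excludedKeys($diff, $urlParameters, $cHashArray);
        printf("  %-17s [%s]%s", $diff, implode(', ', $keys), PHP_EOL);
    }
}
```

In the first case array_diff reports nothing to exclude because the value of test also occurs as the value of id, while array_diff_assoc and array_diff_key both report test; the third case shows where array_diff_assoc and array_diff_key disagree with each other.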
Updated by Riccardo De Contardi 7 months ago
- Status changed from Needs Feedback to New