Project

General

Profile

Actions
Copy link

Bug #102727

open

CanonicalizationUtility does not remove unknown parameters

Added by Moritz Karbaum 4 months ago. Updated 10 days ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
SEO
Target version:
-
Start date:
2023-12-29
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
11
PHP Version:
7.4
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

In TYPO3 11 (and 10), when I request a page with some random parameter, it will be kept in the canonical URL:

I open this URL https://project.ddev.site/some/page/?test=1 and will get a page with the canonical URL https://project.ddev.site/some/page/?test=1&cHash=cd723811a5eabde4293bd326995d91e1

Since test is not a TYPO3 core parameter and was also not added to $GLOBALS['TYPO3_CONF_VARS']['FE']['additionalCanonicalizedUrlParameters'] I would expect it to be dropped from the canonical URL.

As it stands currently, the first request will create the canonical URL with whatever parameters, and all further requests will receive the cached page with the wrong canonical URL.

As far as I can tell, TYPO3\CMS\Frontend\Utility\CanonicalizationUtility is comparing parameters relevant for cHash calculation with the URL parameters - which always match.

Actions
Copy link
 #1

Updated by Torben Hansen 4 months ago

  • Status changed from New to Needs Feedback

I think this problem has been adressed in TYPO3-PSA-2021-003 - see https://typo3.org/security/advisory/typo3-psa-2021-003

So most likely, the problem has been fixed in TYPO3 v12 only, since it is a breaking change which might cause unwanted side effects for existing TYPO3 websites. For TYPO3 v11 or below, please use https://extensions.typo3.org/extension/trusted_url_params to mitigate the problem.

Can you please test and report back, if installing the trusted_url_params extension fixes your problem.

Actions
Copy link
 #2

Updated by Moritz Karbaum 4 months ago

Thank you for the hint!

I've installed trusted_url_params, and it doesn't seem to have any adverse effects.

Actions
Copy link
 #3

Updated by Riccardo De Contardi 3 months ago

@Moritz Karbaum thank you for your feedback; do you think that this issue could be closed?

Thanks again

Actions
Copy link
 #4

Updated by Marco Dinnbier about 2 months ago ยท Edited

Hi,

i've faced the same issue. In my opinion, the issue is triggered by a wrong comparison in CanonicalizationUtility, see https://github.com/TYPO3/typo3/blob/53024568affb67b551588e66cacbcf0e7cc6245b/typo3/sysext/frontend/Classes/Utility/CanonicalizationUtility.php#L56

$urlParameters and $cHashArray are both associative arrays and being compared with array_diff, which compares only values. This should be replaced by array_diff_assoc, which compares the whole array or maybe better array_diff_key.

Best regards,
Marco

Actions
Copy link
 #5

Updated by Riccardo De Contardi 10 days ago

  • Status changed from Needs Feedback to New
Actions
Copy link

Also available in: Atom PDF