Bug #103078
closedExtbase form sent via get always leads to chash error
100%
Description
If I create a form with method="get" in a simple extbase extension, every form submit leads to a chash error and thus a 404 response.
Steps to reproduce the problem
1. check that the following configuration options are enabled (default settings): [FE][cacheHash][enforceValidation] = true and [FE][pageNotFoundOnCHashError] = true
2. in a simple extbase extension: create a form with the f:form viewhelper (the form must not even contain a field)
3. configure the form to be sent via get method
4. submit the form
Actual results
404 Error (because no chash is generated)
Expected results
the response of my extbase action
Additional notes
As I understand it, the get parameters of a form could be excluded from the chash calculation via ['FE']['cHashExcludedParameters']. But for the form to work __referrer and __trustedProperties would also need to be excluded. Is that how it's intended to be? If yes, does that mean the get method can only be used if either enforceValidation or pageNotFoundOnCHashError are set to false, or all the parameters are excluded from the chash calculation?
About the use case: a list should be filtered. We use a form for the filter options because there are multiple filters with multiple checkboxes. The form is sent via GET so the filter parameters can be added in pagination links via addQueryString. The thing with pagination could probably also be solved somehow if the form is sent via POST, but I don't really see a way any extbase GET-form would work with the standard settings.
Updated by Torben Hansen 6 months ago
- Status changed from New to Needs Feedback
Is your target form action cachable or uncached? If it is cachable, then this may be the problem, since it is not possible to pass various GET parameters to a cachable action, as this is security relevant and would lead to cache poisoning and denial of service.
Updated by Nicole Zingg 6 months ago
Torben Hansen wrote in #note-1:
Is your target form action cachable or uncached? If it is cachable, then this may be the problem, since it is not possible to pass various GET parameters to a cachable action, as this is security relevant and would lead to cache poisoning and denial of service.
the behavior seems to be the same for uncachable actions. i still get the chash error after submitting the form (if pageNotFoundOnCHashError is disabled it works, if it is active, I get a 404).
Updated by Torben Hansen 6 months ago
I'm not able to confirm the described behavior. When the action is uncached, it is possible to submit the form via method GET
and with pageNotFoundOnCHashError
active. I just tested this on one of my extensions.
Note: If you changed your extbase action from cached to uncached, please make sure to clean all caches.
If the problem persists for an uncached extbase action, please check in rendered HTML, if a cHash
is appended to the action url or in a hidden input field somewhere.
Updated by Nicole Zingg 6 months ago
- % Done changed from 0 to 100
Torben Hansen wrote in #note-3:
I'm not able to confirm the described behavior. When the action is uncached, it is possible to submit the form via method
GET
and withpageNotFoundOnCHashError
active. I just tested this on one of my extensions.Note: If you changed your extbase action from cached to uncached, please make sure to clean all caches.
If the problem persists for an uncached extbase action, please check in rendered HTML, if a
cHash
is appended to the action url or in a hidden input field somewhere.
The chash is somehow still appended to the form action url, also after clearing all caches. But that's another problem then.
So the question about the get-form is answered for me, thank you for your responses!
Updated by Garvin Hicking 6 months ago
- Status changed from Needs Feedback to Closed