Bug #103078

closed

Extbase form sent via get always leads to chash error

Added by Nicole Zingg 6 months ago. Updated about 2 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Extbase
Target version: -
Start date: 2024-02-07
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 12
PHP Version: 8.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

If I create a form with method="get" in a simple extbase extension, every form submit leads to a chash error and thus a 404 response.

Steps to reproduce the problem
1. Check that the following configuration options are enabled (default settings): [FE][cacheHash][enforceValidation] = true and [FE][pageNotFoundOnCHashError] = true
2. In a simple extbase extension: create a form with the f:form viewhelper (the form must not even contain a field)
3. Configure the form to be sent via get method
4. Submit the form

Actual results
404 Error (because no chash is generated)

Expected results
the response of my extbase action

Additional notes
As I understand it, the get parameters of a form could be excluded from the chash calculation via ['FE']['cHashExcludedParameters']. But for the form to work __referrer and __trustedProperties would also need to be excluded. Is that how it's intended to be? If yes, does that mean the get method can only be used if either enforceValidation or pageNotFoundOnCHashError are set to false, or all the parameters are excluded from the chash calculation?

About the use case: a list should be filtered. We use a form for the filter options because there are multiple filters with multiple checkboxes. The form is sent via GET so the filter parameters can be added in pagination links via addQueryString. The thing with pagination could probably also be solved somehow if the form is sent via POST, but I don't really see a way any extbase GET-form would work with the standard settings.

Actions #1

Updated by Torben Hansen about 2 months ago

  • Status changed from New to Needs Feedback

Is your target form action cachable or uncached? If it is cachable, then this may be the problem, since it is not possible to pass various GET parameters to a cachable action, as this is security relevant and would lead to cache poisoning and denial of service.
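Added example, not part of the thread and not TYPO3's own code: a simplified Python model of cHash validation, showing why a GET form submission is rejected under the default settings from the description while a server-built link passes. The key, the `tx_demo_list[...]` parameter names, the HMAC construction and the single `strict` switch (standing for both settings being on) are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

SECRET = b"constructed-demo-key"  # assumption: stands in for the site's encryption key


def chash(params, excluded=frozenset()):
    """HMAC over the sorted parameters that take part in the hash ('' if none do)."""
    relevant = sorted((k, v) for k, v in params.items()
                      if k != "cHash" and k not in excluded)
    if not relevant:
        return ""
    return hmac.new(SECRET, urlencode(relevant).encode(), hashlib.sha256).hexdigest()


def status_for(query, excluded=frozenset(), strict=True):
    """HTTP status this model answers for a query string.

    strict=True models enforceValidation and pageNotFoundOnCHashError both on.
    """
    params = dict(parse_qsl(query, keep_blank_values=True))
    expected = chash(params, excluded)
    given = params.get("cHash", "")
    if not expected:                      # only excluded parameters present
        return 200
    if not given:                         # hash required but missing
        return 404 if strict else 200
    return 200 if hmac.compare_digest(given, expected) else 404


def demo():
    # Constructed requests; tx_demo_list[...] is a hypothetical plugin namespace.
    link = {"tx_demo_list[action]": "list", "tx_demo_list[page]": "2"}
    signed = urlencode({**link, "cHash": chash(link)})       # server-built link
    tampered = signed.replace("=2&", "=3&")                  # value changed, old hash
    # A GET form's query is assembled by the browser from the field values,
    # so the server never had the chance to sign this combination.
    form = urlencode({"tx_demo_list[filter]": "red", "tx_demo_list[__referrer]": "x"})
    excl = frozenset({"tx_demo_list[filter]", "tx_demo_list[__referrer]"})
    return {
        "signed_link": status_for(signed),
        "tampered_link": status_for(tampered),
        "get_form": status_for(form),
        "get_form_not_strict": status_for(form, strict=False),
        "get_form_excluded": status_for(form, excluded=excl),
    }
```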

Actions #2

Updated by Nicole Zingg about 2 months ago

Torben Hansen wrote in #note-1:

Is your target form action cachable or uncached? If it is cachable, then this may be the problem, since it is not possible to pass various GET parameters to a cachable action, as this is security relevant and would lead to cache poisoning and denial of service.

The behavior seems to be the same for uncachable actions. I still get the chash error after submitting the form (if pageNotFoundOnCHashError is disabled it works, if it is active, I get a 404).

Actions #3

Updated by Torben Hansen about 2 months ago

I'm not able to confirm the described behavior. When the action is uncached, it is possible to submit the form via method GET and with pageNotFoundOnCHashError active. I just tested this on one of my extensions.

Note: If you changed your extbase action from cached to uncached, please make sure to clean all caches.

If the problem persists for an uncached extbase action, please check in rendered HTML, if a cHash is appended to the action url or in a hidden input field somewhere.

Actions #4

Updated by Nicole Zingg about 2 months ago

  • % Done changed from 0 to 100

Torben Hansen wrote in #note-3:

I'm not able to confirm the described behavior. When the action is uncached, it is possible to submit the form via method GET and with pageNotFoundOnCHashError active. I just tested this on one of my extensions.

Note: If you changed your extbase action from cached to uncached, please make sure to clean all caches.

If the problem persists for an uncached extbase action, please check in rendered HTML, if a cHash is appended to the action url or in a hidden input field somewhere.

The chash is somehow still appended to the form action url, also after clearing all caches. But that's another problem then.

So the question about the get-form is answered for me, thank you for your responses!

Actions #5

Updated by Garvin Hicking about 2 months ago

  • Status changed from Needs Feedback to Closed