Feature #16715
closed
Pollution of linkvars, and resulting spammed cache, is a recurrent complaint.
0%
Description
It is possibie to call a multilanguage Typo3 page with a URL like
http://website.tld/index.php?id=1&L=BuyViagraHere_www.spam.com
This is passed through as a linkvar and displayed in all typolinks.
If it happens that the cache had just been deleted, and is refreshed with this access, the spammed linkvars enter the cache.
It is a frequent phenomenon that spam robots go over pages and submit any and all detected parameter options with their message. Several instances have been documented in the newsgroups where people have had their websites flooded in this way, or have observed other websites with this problem.
This is not a hacking or XSS issue, as no code can be executed and the undesirable parameter is internally used as 0 (default language), however it leads to injection of URLs and messages into all links which is visible e.g. in the status bar and adress bar. This can be considered a form of defacement.
This affects all Linkvars
In practice almost all Linkvars are needed only as integers.
I propose a new configuration option, which enforces numeric linkvars. The point to implement this would be
class.tslib_pagegen.php in typo3/sysext/cms/tslib line 234 ff
taking into consideration also linkvar arrays.
So any non-numeric linkvar would always be put out as 0. For the vast majority of websites who use linkvars only for language parameters and similar things, this could be applied without losing any functionality.
(If special cases of linkvars need to be supported one could perhaps offer the option of adding a RegEx to be applied to linkvars)
See for instance
http://lists.typo3.org/pipermail/typo3-german/2006-November/024408.html
http://lists.typo3.org/pipermail/typo3-dev/2006-April/017091.html
and posting from Nov.14 in typo3.german
(issue imported from #M4514)
Updated by Popy no-lastname-given over 17 years ago
There's a begin of solution : $TYPO3_CONF_VARS['FE']['pageNotFoundOnCHashError'] = 1;
But the TSFE doesn't really checks the cHash validity :(
Updated by Christian Reiter over 17 years ago
Hi,
I used a very simple solution for this when I had the problem,
in my case I made the reduction to integer default since I only had integer linkvars.
in the class.tslib_pagegen.php firstly
$GLOBALS['TSFE']->linkVars = ''.$GLOBALS['TSFE']->config['config']['linkVars'];
if ($GLOBALS['TSFE']->linkVars) {
$linkVarArr = explode(',',$GLOBALS['TSFE']->linkVars);
$GLOBALS['TSFE']->linkVars='';
reset($linkVarArr);
while(list(,$val)=each($linkVarArr)) {
$val=trim($val);
$GET = t3lib_div::_GET();
if ($val && isset($GET[$val])) {
if (!is_array($GET[$val])) {// CR: Almost anything can be added as linkvar and will be reoutput, what do we usually need?
$theValue=rawurlencode($GET[$val]);
if (!$GLOBALS['TSFE']->config['config']['allowNonNumericLinkVars']){$theValue=intval($theValue);}$GLOBALS['TSFE']->linkVars.='&'.$val.'='.$theValue;
} else {
$GLOBALS['TSFE']->linkVars.=t3lib_div::implodeArrayForUrl($val,$GET[$val]); // -> if using arrays as linkvars, have to deal with this
}
}
}
}and in t3lib_div put a similar check in the function implodeArrayForUrl
Since implodeArrayForUrl is used in many places, not only for linkvars the updated function should not just check the config parameter,
instead there should be a new parameter passed to it in the function call such as "makeint" just as there already is a skipBlank and rawurlencodeParamName option
Otherwise maybe some things might be turned to integers that shouldn´t (from pibase or wherever...)
Updated by Popy no-lastname-given over 17 years ago
A beginning of solution :
http://typo3.org/extensions/repository/view/pp_chashchecker/1.0.0/?no_cache=1
Updated by Chris topher about 12 years ago
- Category deleted (
Communication) - Target version deleted (
0) - PHP Version deleted (
4)
Updated by Stanislas Rolland almost 11 years ago
I wonder why this issue was closed. It seems to me that the issue can still be reproduced in TYPO3 6.1.
Updated by Michael Stucki over 10 years ago
- Status changed from Closed to New
- Assignee deleted (
Michael Stucki)
I agree with Stanislas, therefore I'm reopening the ticket.
Updated by Christian Reiter over 9 years ago
Hasn't this been solved years ago when the option to control linkvars was added?
config.linkVars = L(0-20)etc...
If just "config.linkVars = L" is used the described abuse is still possible but nowadays that would be considered a configuration error.
Updated by Michael Stucki over 9 years ago
I agree that this can be circumvented with the example you mentioned. Still, it doesn't work out of the box. I am not sure if that will be possible, though...
Updated by Christian Reiter over 9 years ago
I guess "out of the box" would mean that by default linkvars allow only integers, and anything else has to be explicitly allowed by configuration.
I wouldn't mind that but it could break existing configurations that use other kinds of linkvars.
Updated by Michael Stucki over 9 years ago
- Status changed from New to Rejected
In this case I better prefer to leave it as is. So let me close this issue.
If anyone has objections, please come up with a suggestion and I will reopen the issue...