TYPO3 Forge (http://forge.typo3.org/)
TYPO3 Core - Feature #16715: Pollution of linkvars, and resulting spammed cache, is a recurrent complaint.
http://forge.typo3.org/issues/16715?journal_id=43282 2006-11-14T15:21:27Z Michael Stucki michael.stucki@typo3.org
<p>I'll take care of that.</p>
http://forge.typo3.org/issues/16715?journal_id=43283 2006-11-14T16:31:21Z Popy no-lastname-given popy.dev@gmail.com
<p>There's a beginning of a solution: $TYPO3_CONF_VARS['FE']['pageNotFoundOnCHashError'] = 1;</p>
<p>But the TSFE doesn't really check the cHash validity :(</p>
http://forge.typo3.org/issues/16715?journal_id=43284 2006-11-14T16:57:29Z Christian Reiter cr@cxd.de
<p>Hi,<br />I used a very simple solution for this when I had the problem,<br />in my case I made the reduction to integer default since I only had integer linkvars.</p>
<p>In class.tslib_pagegen.php, firstly:</p>
<pre><code>$GLOBALS['TSFE']->linkVars = ''.$GLOBALS['TSFE']->config['config']['linkVars'];
if ($GLOBALS['TSFE']->linkVars) {
    $linkVarArr = explode(',',$GLOBALS['TSFE']->linkVars);
    $GLOBALS['TSFE']->linkVars='';
    reset($linkVarArr);
    while(list(,$val)=each($linkVarArr)) {
        $val=trim($val);
        $GET = t3lib_div::_GET();
        if ($val && isset($GET[$val])) {
            if (!is_array($GET[$val])) { // CR: Almost anything can be added as linkvar and will be reoutput, what do we usually need?
                $theValue=rawurlencode($GET[$val]);
                if (!$GLOBALS['TSFE']->config['config']['allowNonNumericLinkVars']){$theValue=intval($theValue);}
                $GLOBALS['TSFE']->linkVars.='&'.$val.'='.$theValue;
            } else {
                $GLOBALS['TSFE']->linkVars.=t3lib_div::implodeArrayForUrl($val,$GET[$val]); // -> if using arrays as linkvars, have to deal with this
            }
        }
    }
}</code></pre>
<p>and in t3lib_div put a similar check in the function implodeArrayForUrl.<br />Since implodeArrayForUrl is used in many places, not only for linkvars, the updated function should not just check the config parameter;<br />instead there should be a new parameter passed to it in the function call, such as "makeint", just as there already is a skipBlank and rawurlencodeParamName option.<br />Otherwise maybe some things might be turned to integers that shouldn't (from pibase or wherever...)</p>
http://forge.typo3.org/issues/16715?journal_id=43285 2006-11-14T17:22:55Z Popy no-lastname-given popy.dev@gmail.com
<p>A beginning of a solution:</p>
<p><a class="external" href="http://typo3.org/extensions/repository/view/pp_chashchecker/1.0.0/?no_cache=1">http://typo3.org/extensions/repository/view/pp_chashchecker/1.0.0/?no_cache=1</a></p>
http://forge.typo3.org/issues/16715?journal_id=112994 2012-04-18T22:09:19Z Chris topher
<ul><li><strong>Category</strong> deleted (<del><i>Communication</i></del>)</li><li><strong>Target version</strong> deleted (<del><i>0</i></del>)</li><li><strong>PHP Version</strong> deleted (<del><i>4</i></del>)</li></ul>
http://forge.typo3.org/issues/16715?journal_id=169377 2013-06-14T05:55:20Z Stanislas Rolland
<p>I wonder why this issue was closed. It seems to me that the issue can still be reproduced in TYPO3 6.1.</p>
http://forge.typo3.org/issues/16715?journal_id=181257 2013-09-06T09:50:06Z Michael Stucki michael.stucki@typo3.org
<ul><li><strong>Status</strong> changed from <i>Closed</i> to <i>New</i></li><li><strong>Assignee</strong> deleted (<del><i>Michael Stucki</i></del>)</li></ul><p>I agree with Stanislas, therefore I'm reopening the ticket.</p>
http://forge.typo3.org/issues/16715?journal_id=232890 2014-10-15T15:21:46Z Christian Reiter cr@cxd.de
<p>Hasn't this been solved years ago when the option to control linkvars was added?</p>
<pre><code>config.linkVars = L(0-20)</code></pre>
<p>etc...</p>
<p>If just "config.linkVars = L" is used the described abuse is still possible but nowadays that would be considered a configuration error.</p>
http://forge.typo3.org/issues/16715?journal_id=232902 2014-10-15T15:57:13Z Michael Stucki michael.stucki@typo3.org
<p>I agree that this can be circumvented with the example you mentioned. Still, it doesn't work out of the box. I am not sure if that will be possible, though...</p>
http://forge.typo3.org/issues/16715?journal_id=232907 2014-10-15T16:14:49Z Christian Reiter cr@cxd.de
<p>I guess "out of the box" would mean that by default linkvars allow only integers, and anything else has to be explicitly allowed by configuration.<br />I wouldn't mind that but it could break existing configurations that use other kinds of linkvars.</p>
http://forge.typo3.org/issues/16715?journal_id=232914 2014-10-15T16:44:52Z Michael Stucki michael.stucki@typo3.org
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Rejected</i></li></ul><p>In this case I prefer to leave it as is. So let me close this issue.<br />If anyone has objections, please come up with a suggestion and I will reopen the issue...</p>
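<p>The difference between <code>config.linkVars = L</code> and <code>config.linkVars = L(0-20)</code> discussed in the thread, as an added example that is not part of the thread and is not TYPO3 core code. It is a simplified model that handles only the bare-name and <code>name(min-max)</code> forms; <code>buildLinkVars()</code> and the sample requests are hypothetical.</p>

```php
<?php
// Added illustration: simplified model of linkVars filtering, not TYPO3 core code.
// buildLinkVars() is a hypothetical helper. Only the two forms that appear in
// the thread are handled: "name" (unrestricted) and "name(min-max)".

function buildLinkVars(string $spec, array $get): string
{
    $out = '';
    foreach (explode(',', $spec) as $item) {
        $item = trim($item);
        // Split "L(0-20)" into the name "L" and the optional range 0..20.
        if (!preg_match('/^([A-Za-z0-9_]+)(?:\((-?\d+)-(-?\d+)\))?$/', $item, $m)) {
            continue; // form not covered by this simplified model
        }
        $name = $m[1];
        if (!isset($get[$name]) || is_array($get[$name])) {
            continue;
        }
        $value = (string)$get[$name];
        if (isset($m[2])) {
            // Restricted form: accept only a plain integer inside the range.
            if (!preg_match('/^-?\d+$/', $value)) {
                continue;
            }
            $int = (int)$value;
            if ($int < (int)$m[2] || $int > (int)$m[3]) {
                continue;
            }
        }
        // Whatever survives is appended to every generated link.
        $out .= '&' . rawurlencode($name) . '=' . rawurlencode($value);
    }
    return $out;
}

// Constructed sample requests: one expected value, two arbitrary ones.
$requests = [['L' => '1'], ['L' => '1234567'], ['L' => 'arbitrary-text']];

foreach (['L', 'L(0-20)'] as $spec) {
    echo "config.linkVars = $spec\n";
    foreach ($requests as $get) {
        printf("  L=%-15s -> '%s'\n", $get['L'], buildLinkVars($spec, $get));
    }
}
```

<p>With the bare <code>L</code> every requested value is echoed back into the link parameters; with <code>L(0-20)</code> only <code>L=1</code> survives and the other two requests produce an empty string.</p>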