TYPO3 Core

I'll take care of that.

There's a begin of solution : $TYPO3_CONF_VARS['FE']['pageNotFoundOnCHashError'] = 1;

But the TSFE doesn't really checks the cHash validity :(

Hi,
I used a very simple solution for this when I had the problem,
in my case I made the reduction to integer default since I only had integer linkvars.

in the class.tslib_pagegen.php firstly

$GLOBALS['TSFE']->linkVars = ''.$GLOBALS['TSFE']->config['config']['linkVars'];
if ($GLOBALS['TSFE']->linkVars) {
$linkVarArr = explode(',',$GLOBALS['TSFE']->linkVars);
$GLOBALS['TSFE']->linkVars='';
reset($linkVarArr);
while(list(,$val)=each($linkVarArr)) {
$val=trim($val);
$GET = t3lib_div::_GET();
if ($val && isset($GET[$val])) {
if (!is_array($GET[$val])) {// CR: Almost anything can be added as linkvar and will be reoutput, what do we usually need?
$theValue=rawurlencode($GET[$val]);

if (!$GLOBALS['TSFE']->config['config']['allowNonNumericLinkVars']){$theValue=intval($theValue);}

$GLOBALS['TSFE']->linkVars.='&'.$val.'='.$theValue;
            } else {
                $GLOBALS['TSFE']->linkVars.=t3lib_div::implodeArrayForUrl($val,$GET[$val]); // -> if using arrays as linkvars, have to deal with this
            }
        }
    }
}

and in t3lib_div put a similar check in the function implodeArrayForUrl
Since implodeArrayForUrl is used in many places, not only for linkvars the updated function should not just check the config parameter,
instead there should be a new parameter passed to it in the function call such as "makeint" just as there already is a skipBlank and rawurlencodeParamName option
Otherwise maybe some things might be turned to integers that shouldn´t (from pibase or wherever...)

A beginning of solution :

http://typo3.org/extensions/repository/view/pp_chashchecker/1.0.0/?no_cache=1

I wonder why this issue was closed. It seems to me that the issue can still be reproduced in TYPO3 6.1.

Hasn't this been solved years ago when the option to control linkvars was added?

config.linkVars = L(0-20)

etc...

If just "config.linkVars = L" is used the described abuse is still possible but nowadays that would be considered a configuration error.

I agree that this can be circumvented with the example you mentioned. Still, it doesn't work out of the box. I am not sure if that will be possible, though...

I guess "out of the box" would mean that by default linkvars allow only integers, and anything else has to be explicitly allowed by configuration.
I wouldn't mind that but it could break existing configurations that use other kinds of linkvars.