Bug #21337

closed

page.config.linkVars = L produces (xcross?) additional and suspected params

Added by Alex Tuveri over 14 years ago. Updated over 5 years ago.

Status: Closed
Priority: Should have
Category: -
Target version: -
Start date: 2009-10-22
% Done: 0%

Description

Hi folks,
forgive me, but I don't know if I'm right posting here. In fact this problem should be associated with ttnews, content rendering or TYPO3 core.

This is what happens:

  • in my TypoScript I defined:
    page.config.linkVars = L
  • however I don't use linkVars
  • when this configuration is active the behaviour occurs and the links in several pages are modified as follows:

href="Title-of-my-Page.485.0.html?&L=0%2Fxmlrpc.php%3F%2F%22postnuke%22%3F%20%2Fxmlrpc.php"
onfocus="blurLink(this);"

  • inspecting the database, table: cache_pages, field: cache_data I see this:

s:2:"id";i:364;s:4:"type";i:0;s:7:"gr_list";s:4:"0,-1";s:2:"MP";s:0:"";s:5:"cHash";a:3:{s:1:"L";s:25:"0/xmlrpc.php?/"postnuke"?";s:13:"encryptionKey";s:32:"8d5e12910fbc44afa9c361259a83ade6";s:18:"tx_ttnews[pointer]";s:1:"6";}}";}

  • it seems that the xmlrpc.php and postnuke strings are added through a tx_ttnews[pointer]

If I disable the use of linkVars all is OK; looking for postnuke or xmlrpc in the database, the entries disappear. I suspect that there is some bug....
or security problem,

please help, you have all my collaboration to solve.

Thank you very much

(issue imported from #M12311)

Actions #1

Updated by Ralf Hettinger over 14 years ago

If you don't use linkVars, you should disable this config setting.
If you use linkVars, it is highly recommended to specify the allowed values as documented here: http://typo3.org/documentation/document-library/core-documentation/doc_core_tsref/4.2.1/view/1/7/#id4324729

Actions #2

Updated by Georg Ringer over 14 years ago

This is no bug but normal behaviour. If you only want to allow integers, you need to specify that!

This is no bug and the entry can be closed!

Actions #3

Updated by Alex Tuveri over 14 years ago

Hmmmm, thank you for your note, but I have several suspicions.
You say that this is normal behaviour, but it is not clear by whom and how the string is composed; it seems that someone wants to use TYPO3 to run postnuke modules.

However I used the following configuration:

page.config.linkVars = L

to tell TYPO3 that the string to use for the language is L (&L=) ...

Actions #4

Updated by Georg Ringer over 14 years ago

This is just a bot that adds extra vars to everything it can find.

Again: please look at Ralf's link! Use config.linkVars = L(1-3) and only the values 1, 2 and 3 are allowed and will be attached to all links. If you just use L, everything can be used.

Actions #5

Updated by Alex Tuveri over 14 years ago

Understood, used
config.linkVars=L(0,1) to suppress undesired values added by the bot...

thank you very much.
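
Added example (not part of the thread and not TYPO3 code): a simplified Python model of the value restriction discussed in comments #2 and #4, applied to the href from the description, showing which `L` values would be carried into links and which requests a log review should flag. It models only the `L(a-b)` range form quoted above and the `int` test from TSref; the function names and the sample URLs other than that href are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

INT_RE = re.compile(r"-?\d+")

def make_check(test):
    """Predicate for one value test; None means a bare name such as 'L' (unrestricted)."""
    if test is None:
        return lambda v: True
    if test == "int":
        return lambda v: INT_RE.fullmatch(v) is not None
    m = re.fullmatch(r"(-?\d+)-(-?\d+)", test)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        return lambda v: INT_RE.fullmatch(v) is not None and lo <= int(v) <= hi
    raise ValueError(f"value test not modelled here: {test!r}")

def parse_spec(spec):
    """'L(1-3)' -> ('L', predicate). One variable per spec in this simplified model."""
    m = re.fullmatch(r"\s*([^\s()]+)\s*(?:\(([^)]+)\))?\s*", spec)
    if not m:
        raise ValueError(f"cannot parse spec: {spec!r}")
    return m.group(1), make_check(m.group(2))

def values_of(url, name):
    """All URL-decoded values of query parameter `name` in `url`."""
    query = urlsplit(url).query
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k == name]

def propagated(url, spec):
    """Value that would be appended to generated links, or None if absent or rejected."""
    name, ok = parse_spec(spec)
    vals = values_of(url, name)
    return vals[0] if vals and ok(vals[0]) else None

def rejected(urls, spec):
    """Requests whose variable is present but fails the value test (worth a look in logs)."""
    name, ok = parse_spec(spec)
    return [u for u in urls if any(not ok(v) for v in values_of(u, name))]

# href taken from the issue description; the other two URLs are constructed samples.
PAGE_HREF = ("Title-of-my-Page.485.0.html?&L=0%2Fxmlrpc.php%3F%2F%22postnuke%22"
             "%3F%20%2Fxmlrpc.php")
SAMPLES = [PAGE_HREF, "index.php?id=364&L=1", "index.php?id=364"]

if __name__ == "__main__":
    for spec in ("L", "L(int)", "L(1-3)"):
        print(spec, "->", [propagated(u, spec) for u in SAMPLES], rejected(SAMPLES, spec))
```

With the bare `L` spec the bot's string is propagated unchanged, which matches the polluted `cHash` array stored in `cache_pages`; with a range or `int` test it is dropped before it can reach links or the cache.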

Actions #6

Updated by Michael Stucki over 14 years ago

This is not a bug.

Actions #7

Updated by Benni Mack over 5 years ago

  • Status changed from Resolved to Closed