Bug #21337
closed
page.config.linkVars = L produces (xcross?) additional and suspected params
Description
Hi folks,
forgive me, but I don't know if I'm right posting here. In fact this problem should be associated with ttnews, content rendering or TYPO3 core.
This is what happens:
- in my TypoScript I defined:
page.config.linkVars = L
- however I don't use linkVars
- when this configuration is active the behaviour occurs and the links in several pages are modified as follows:
href="Title-of-my-Page.485.0.html?&L=0%2Fxmlrpc.php%3F%2F%22postnuke%22%3F%20%2Fxmlrpc.php"
onfocus="blurLink(this);"
- inspecting the database, table: cache_pages, field: cache_data I see this:
s:2:"id";i:364;s:4:"type";i:0;s:7:"gr_list";s:4:"0,-1";s:2:"MP";s:0:"";s:5:"cHash";a:3:{s:1:"L";s:25:"0/xmlrpc.php?/"postnuke"?";s:13:"encryptionKey";s:32:"8d5e12910fbc44afa9c361259a83ade6";s:18:"tx_ttnews[pointer]";s:1:"6";}}";}
- it seems that the xmlrpc.php and postnuke strings are added through a tx_ttnews[pointer]
If I disable the use of linkVars all is OK; looking for postnuke or xmlrpc in the database, the entries disappear. I suspect that there is some bug....
or security problem,
please help, you have all my collaboration to solve.
Thank you very much
(issue imported from #M12311)
Updated by Ralf Hettinger about 15 years ago
If you don't use linkVars, you should disable this config setting.
If you use linkVars, it is highly recommended to specify the allowed values as documented here: http://typo3.org/documentation/document-library/core-documentation/doc_core_tsref/4.2.1/view/1/7/#id4324729
Updated by Georg Ringer about 15 years ago
This is no bug but normal behaviour. If you only want to allow integers, you need to specify that!
This is no bug and the entry can be closed!
Updated by Alex Tuveri about 15 years ago
Hmmmm, thank you for your note, but I have several suspicions.
You say that this is normal behaviour, but it is not clear who composes the string and how; it seems that someone wants to use TYPO3 to run postnuke modules.
However I used the following configuration:
page.config.linkVars = L
to tell TYPO3 that the string to use for the language is L (&L=) ...
Updated by Georg Ringer about 15 years ago
This is just a bot that adds extra vars to everything it can find.
Again: please look at Ralf's link! Use config.linkVars = L(1-3) and only the values 1, 2 and 3 are allowed and will be attached to all links. If you just use L, everything can be used.
Updated by Alex Tuveri about 15 years ago
Understood, used
config.linkVars=L(0,1) to suppress undesired values added by the bot...
Thank you very much.
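
An added example, not part of the original thread and not TYPO3's own code: a simplified Python model of the value restriction discussed above, applied to the query string from the href in the report. The function names are hypothetical, and only three rule forms are modelled (bare name, (int) and an integer range such as (1-3)); anything else is rejected.

```python
import re
from urllib.parse import parse_qsl

# Query string copied from the href quoted in the report above.
REPORTED_QUERY = "&L=0%2Fxmlrpc.php%3F%2F%22postnuke%22%3F%20%2Fxmlrpc.php"


def parse_link_vars(spec):
    """Turn a spec such as 'L(1-3), print' into {'L': '1-3', 'print': None}."""
    rules = {}
    # Split on commas that are not inside a parenthesised rule.
    for item in re.split(r",(?![^()]*\))", spec):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"([^()]+)\((.+)\)", item)
        if m:
            rules[m.group(1).strip()] = m.group(2).strip()
        else:
            rules[item] = None  # bare name: no restriction on the value
    return rules


def value_allowed(value, rule):
    """Decide whether a request value may be copied into generated links."""
    if rule is None:
        return True  # this is the 'linkVars = L' case from the report
    is_int = re.fullmatch(r"-?[0-9]+", value) is not None
    if rule == "int":
        return is_int
    m = re.fullmatch(r"([0-9]+)-([0-9]+)", rule)
    if m:
        return is_int and int(m.group(1)) <= int(value) <= int(m.group(2))
    return False  # rule forms not modelled in this sketch fail closed


def forwarded_params(spec, query):
    """Return the (name, value) pairs that would be appended to every link."""
    rules = parse_link_vars(spec)
    pairs = parse_qsl(query.lstrip("?&"), keep_blank_values=True)
    return [(k, v) for k, v in pairs if k in rules and value_allowed(v, rules[k])]


if __name__ == "__main__":
    for spec in ("L", "L(int)", "L(1-3)"):
        print(spec, "->", forwarded_params(spec, REPORTED_QUERY))
```

With the bare spec the bot-supplied string is carried into every generated link (and so into cached page output, as seen in cache_pages); with either restricted spec nothing is forwarded.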