Bug #28352

closed

tslib_cObj->typolink generate a cHash even if not needed

Added by Popy no-lastname-given almost 13 years ago. Updated over 6 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Caching
Target version:
Start date: 2011-07-20
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 4.6
PHP Version:
Tags:
Complexity: medium
Is Regression:
Sprint Focus:

Description

The typolink function generates a cHash if there are some "additionalParams".

In most cases that's not a problem, but if every additional parameter is filtered out in t3lib_div::cHashParams (with hooks, for instance), a cHash is still generated (as typolink will always hash the return value of t3lib_div::cHashParams).

As cHash validity is still not checked if no cHash was given (which is another bug), fixing only the typolink function could be enough to solve this little bug.
If needed, I can provide patch(es).

BTW, the generated cHash will be (one of the) valid ones for every URL without GET parameters (as queryString is "exploded" instead of "trimExploded", that kind of URL can have 2 different cHashes, depending on the presence of a "core parameter").

A malicious user could exploit this issue to get those 2 different cHashes and "triple cache" every page on a TYPO3 instance, resulting in a (light) cache flooding.
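
The behaviour reported above, modelled as an added example that is not part of the original report and is not TYPO3 code. All function names, the excluded-parameter list, the key and the hash format are assumptions chosen to show the unguarded link builder next to one that skips the cHash when filtering leaves nothing to hash.

```php
<?php
// Simplified model of the reported behaviour. NOT TYPO3 code: every name,
// the excluded-parameter list and the key below are assumptions.
const DEMO_KEY = 'constructed-demo-key';
const EXCLUDED = ['id', 'type', 'no_cache', 'cHash']; // assumed "core" parameters

/** Keep only the parameters that should influence the cache entry. */
function relevantParams(string $additionalParams): array
{
    $params = [];
    parse_str(ltrim($additionalParams, '&'), $params);
    foreach (EXCLUDED as $name) {
        unset($params[$name]);
    }
    ksort($params);
    return $params;
}

/** Keyed short hash over the filtered parameters (stand-in for the real cHash). */
function shortHash(array $params): string
{
    $params['encryptionKey'] = DEMO_KEY;
    ksort($params);
    return substr(md5(serialize($params)), 0, 10);
}

/** Reported behaviour: any additionalParams string leads to a cHash. */
function linkUnguarded(string $base, string $additionalParams): string
{
    if ($additionalParams === '') {
        return $base;
    }
    return $base . $additionalParams . '&cHash=' . shortHash(relevantParams($additionalParams));
}

/** Guarded behaviour: hash only when a relevant parameter survived filtering. */
function linkGuarded(string $base, string $additionalParams): string
{
    $relevant = relevantParams($additionalParams);
    $link = $base . $additionalParams;
    return $relevant === [] ? $link : $link . '&cHash=' . shortHash($relevant);
}

// Constructed inputs: the first is filtered down to nothing, the second is not.
foreach (['&no_cache=1', '&tx_demo[uid]=7'] as $sample) {
    echo linkUnguarded('index.php?id=42', $sample), "\n";
    echo linkGuarded('index.php?id=42', $sample), "\n";
}
```

For the first sample the unguarded builder still appends a cHash computed over the key alone, while the guarded builder emits the link without one; for the second sample both produce the same hashed link.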


Related issues 1 (0 open, 1 closed)

Related to TYPO3 Core - Bug #32025: cHash generation does not respect linkVars | Closed | Helmut Hummel | 2011-11-23

Actions #1

Updated by Tolleiv Nietsch almost 13 years ago

  • Status changed from New to Needs Feedback

Would you mind sending a patch to Gerrit?

Actions #2

Updated by Popy no-lastname-given almost 13 years ago

Done! I had a hard time using git for the first time, sorry for the lack of a commit message.
As I'm a Git/Gerrit beginner, I worked on the "master" branch. I think it would be better to rewrite a bit more stuff (like making t3lib_div::generateCHash return the &cHash=xxx or an empty string, in order to reduce the number of lines in the typolink function).

Actions #3

Updated by Mr. Hudson almost 13 years ago

Patch set 2 of change Id6a015e6bd89e9baeafd9532d4a21018adf91691 has been pushed to the review server.
It is available at http://review.typo3.org/3456

Actions #4

Updated by Mr. Hudson almost 13 years ago

Patch set 3 of change Id6a015e6bd89e9baeafd9532d4a21018adf91691 has been pushed to the review server.
It is available at http://review.typo3.org/3456

Actions #5

Updated by Tolleiv Nietsch almost 13 years ago

  • Status changed from Needs Feedback to Under Review

Actions #6

Updated by Mr. Hudson almost 13 years ago

Patch set 4 of change Id6a015e6bd89e9baeafd9532d4a21018adf91691 has been pushed to the review server.
It is available at http://review.typo3.org/3456

Actions #7

Updated by Xavier Perseguers almost 13 years ago

  • Status changed from Under Review to Resolved
  • Target version set to 4.6.0-RC1
  • % Done changed from 0 to 100
  • TYPO3 Version changed from 4.5 to 4.6

Actions #8

Updated by Paints over 12 years ago

Is it possible to merge this in 4.5.x?

Actions #9

Updated by Riccardo De Contardi over 6 years ago

  • Status changed from Resolved to Closed