Bug #28352
closed
tslib_cObj->typolink generates a cHash even if not needed
100%
Description
The typolink function generates a cHash if there are some "additionalParams".
In most cases that's not a problem, but if every additional parameter is filtered out in t3lib_div::cHashParams (with hooks, for instance), a cHash is still generated (as typolink will always hash the return value of t3lib_div::cHashParams).
As cHash validity is still not checked if no cHash was given (which is another bug), fixing only the typolink function could be enough to solve this little bug.
If needed, I can provide patch(es).
BTW, the generated cHash will be (one of the) valid for every URL without GET parameters (as the queryString is "exploded" instead of "trimExploded", that kind of URL can have 2 different cHashes, depending on the presence of a "core parameter").
A malicious user could exploit this issue to get those 2 different cHashes and "triple cache" every page on a TYPO3 instance, resulting in a (light) cache flooding.
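The mechanism described in the report above, as an added example that is not part of the original issue or of the TYPO3 code base: a simplified PHP model in which `hashParams`, `linkHash`, the excluded-parameter list, the key and the md5-based hash are hypothetical stand-ins. It shows why a URL with no relevant parameters can end up with two different hashes, and how dropping empty segments and returning an empty string avoids that.

```php
<?php
// Added illustration: a simplified model of the report, not TYPO3 source code.
// The excluded-parameter list and the key are constructed sample values.
const CORE_PARAMS = ['id', 'type', 'no_cache', 'cHash'];
const SECRET = 'constructed-encryption-key';

// Model of the parameter filtering. $dropEmpty = true mimics a "trimExplode"
// that discards empty segments instead of keeping them as parameters.
function hashParams(string $query, bool $dropEmpty): array
{
    $parts = explode('&', ltrim($query, '&'));
    if ($dropEmpty) {
        $parts = array_filter(array_map('trim', $parts), 'strlen');
    }
    $kept = [];
    foreach ($parts as $part) {
        $kv = explode('=', $part, 2);
        // Core parameters never take part in the hash.
        if (!in_array($kv[0], CORE_PARAMS, true)) {
            $kept[rawurldecode($kv[0])] = rawurldecode($kv[1] ?? '');
        }
    }
    ksort($kept);
    return $kept;
}

// Stand-in for the link hash. With $fixed = true it returns '' when no
// relevant parameter is left, so the link carries no hash at all.
function linkHash(string $query, bool $fixed): string
{
    $params = hashParams($query, $fixed);
    if ($fixed && $params === []) {
        return '';
    }
    $params['encryptionKey'] = SECRET;
    ksort($params);
    return '&cHash=' . md5(serialize($params));
}

// Constructed inputs: an empty query string and two with core parameters only.
foreach (['', '&id=1', '&id=1&type=0'] as $q) {
    printf("%-16s reported: %-40s fixed: %s\n",
        var_export($q, true), linkHash($q, false), var_export(linkHash($q, true), true));
}
```

In the reported mode the empty query string keeps an empty-named parameter while `&id=1` keeps none, so the two inputs hash differently even though neither carries a relevant parameter.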
Updated by Tolleiv Nietsch over 13 years ago
- Status changed from New to Needs Feedback
Would you mind sending a patch to Gerrit?
Updated by Popy no-lastname-given over 13 years ago
Done! Had a hard time using git for the first time, sorry for the lack of commit message.
As I'm a Git/Gerrit beginner, I worked on the "master" branch. I think it would be better to rewrite a bit more stuff (like making t3lib_div::generateCHash return the &cHash=xxx or an empty string, in order to reduce the number of lines in the typolink function).
Updated by Mr. Hudson over 13 years ago
Patch set 2 of change Id6a015e6bd89e9baeafd9532d4a21018adf91691 has been pushed to the review server.
It is available at http://review.typo3.org/3456
Updated by Mr. Hudson over 13 years ago
Patch set 3 of change Id6a015e6bd89e9baeafd9532d4a21018adf91691 has been pushed to the review server.
It is available at http://review.typo3.org/3456
Updated by Tolleiv Nietsch over 13 years ago
- Status changed from Needs Feedback to Under Review
Updated by Mr. Hudson over 13 years ago
Patch set 4 of change Id6a015e6bd89e9baeafd9532d4a21018adf91691 has been pushed to the review server.
It is available at http://review.typo3.org/3456
Updated by Xavier Perseguers over 13 years ago
- Status changed from Under Review to Resolved
- Target version set to 4.6.0-RC1
- % Done changed from 0 to 100
- TYPO3 Version changed from 4.5 to 4.6
Updated by Riccardo De Contardi over 7 years ago
- Status changed from Resolved to Closed