Bug #35069
open
addQueryString.exclude should take precedence over config.linkVars
0%
Description
Getting rid of an URL parameter when creating a typolink seems to be impossible using addQueryString.exclude when the parameter is set to the list of config.linkVars.
config.linkVars = L(int)
somelink = TEXT
someline {
value = this link keeps the L parameter
typolink {
parameter.data = TSFE:id
addQueryString = 1
addQueryString.method = GET
addQueryString.exclude = L
}
}
the generated link will contain the parameter L whenever it is set in the calling URL.
the following seems to kinda work as a workaround when RealURL is active and configured to drop an empty L:
somelink.typolink.additionalParams = &L=
the problem can be tracked down to the method linkData() in class.t3lib_tstemplate.php where all the linkVars are being added to the URL:
1379 // linkVars
1380 if ($GLOBALS['TSFE']->config['config']['uniqueLinkVars']) {
1381 if ($addParams) {
1382 $LD['linkVars'] = t3lib_div::implodeArrayForUrl('', t3lib_div::explodeUrl2Array($GLOBALS['TSFE']->linkVars . $addParams), '', FALSE, TRUE);
1383 } else {
1384 $LD['linkVars'] = $GLOBALS['TSFE']->linkVars;
1385 }
1386 } else {
1387 $LD['linkVars'] = $GLOBALS['TSFE']->linkVars . $addParams;
1388 }
linkData() is being called from class.tslib_content.php AFTER gotten rid of the unwanted parameter:
5745 // Query Params:
5746 $addQueryParams = $conf['addQueryString'] ? $this->getQueryArguments($conf['addQueryString.']) : '';
5747 $addQueryParams .= isset($conf['additionalParams.'])
5748 ? trim($this->stdWrap($conf['additionalParams'], $conf['additionalParams.']))
5749 : trim($conf['additionalParams']);
5750 if ($addQueryParams == '&' || substr($addQueryParams, 0, 1) != '&') {
5751 $addQueryParams = '';
5752 }
...
5885 } else { // Internal link or current domain's linking scheme should be used
5886 if ($forceTarget) {
5887 $target = $forceTarget;
5888 }
5889 $LD = $GLOBALS['TSFE']->tmpl->linkData(
5890 $page,
5891 $target,
5892 $conf['no_cache'],
5893 '',
5894 '',
5895 $addQueryParams,
5896 $theTypeP,
5897 $targetDomain
5898 );
i encountered this behaviour in TYPO3 4.5, the source above is from 4.7 though.
Updated by Jigal van Hemert about 12 years ago
- Category set to TypoScript
- Status changed from New to Accepted
- Target version set to 4.5.14
Updated by Helmut Hummel about 12 years ago
- Target version changed from 4.5.14 to 4.7.0-beta3
- Complexity set to hard
Changing that in released version might cause unexpected results. I would not risk to break sites by changing the behavior, but rather change it for a new version.
Updated by Mathias Schreiber over 9 years ago
- Subject changed from addQueryString.exclude does not work for config.linkVars to addQueryString.exclude should take precedence over config.linkVars
- Target version changed from 4.7.0-beta3 to 7.2 (Frontend)
- Is Regression set to No
Updated by Benni Mack almost 9 years ago
- Target version changed from 7.2 (Frontend) to 7.4 (Backend)
Updated by Susanne Moog over 8 years ago
- Target version changed from 7.4 (Backend) to 7.5
Updated by Alex Kellner over 5 years ago
This is still a thing in the latest TYPO3 8.7 version.
Updated by Oliver Hader over 2 years ago
Please also see
TYPO3-PSA-2021-003: Mitigation of Cache Poisoning Caused by Untrusted URL Query Parameters
https://typo3.org/security/advisory/typo3-psa-2021-003
Updated by Oliver Hader over 2 years ago
Besides that, I guess the original report is still a topic in TYPO3 v11.
Updated by Gerrit Code Review over 1 year ago
- Status changed from Accepted to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/76606
Updated by Gerrit Code Review over 1 year ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/76606