Bug #68728


cHash check in AbstractPlugin is wrong

Added by Andreas Allacher over 8 years ago. Updated over 4 years ago.

Should have
Link Handling, Site Handling & Routing
Target version:
Start date:
Due date:
% Done:


Estimated time:
TYPO3 Version:
PHP Version:
Is Regression:
Sprint Focus:


Currently AbstractPlugin does the following cHash check:

$this->piVars = GeneralUtility::_GPmerged($this->prefixId);
if ($this->pi_checkCHash && count($this->piVars)) {

Which is wrong for the following reason:

1.) It ignores cHash exclude parameters and various other cHash settings
2.) It checks for POST & GET variables. However, usually cHash only consists of GET variables.
Of course, that might be why one wants to check for cHash values. However, in the case of wrong POST variables I think it should only disable the caching instead of resulting in pageNotFound error.
And providing the correct cHash for POST variables is nearly impossible. Actually if a form is sent via GET variables it would also be an issue which is why this is usually handled by manually disabling caching in the plugin itself.

In that regard:
Is that check even necessary as the cHash should already be verified by the TypoScriptFrontendController? Of course, it wouldn't check for POST variables.

Actions #1

Updated by Andreas Allacher over 8 years ago

I know there are similar tickets to this but they are not exactly the same.

Actions #2

Updated by Riccardo De Contardi almost 5 years ago

Is this issue still valid? As far as I see the code has changed (at least on latest master) where I found:

frontend/Classes/Plugin/AbstractPlugin.php line 251 and followings:

        if ($this->prefixId) {
            $this->piVars = GeneralUtility::_GPmerged($this->prefixId);
            // cHash mode check
            // IMPORTANT FOR CACHED PLUGINS (USER cObject): As soon as you generate cached plugin output which
            // depends on parameters (eg. seeing the details of a news item) you MUST check if a cHash value is set.
            // Background: The function call will check if a cHash parameter was sent with the URL because only if
            // it was the page may be cached. If no cHash was found the function will simply disable caching to
            // avoid unpredictable caching behaviour. In any case your plugin can generate the expected output and
            // the only risk is that the content may not be cached. A missing cHash value is considered a mistake
            // in the URL resulting from either URL manipulation, "realurl" "grayzones" etc. The problem is rare
            // (more frequent with "realurl") but when it occurs it is very puzzling!
            if ($this->pi_checkCHash && !empty($this->piVars)) {
Actions #3

Updated by Andreas Allacher almost 5 years ago

I don't think anything has changed, has it? _GPmerged still delivers GET and POST variables, however, only GET variables are relevant für cHash. It doesn't seem to take exclude arguments into account.
However, it is possible that the issue was fixed due to other changes. I haven't tested it in quite some time.

Actions #4

Updated by Riccardo De Contardi over 4 years ago

  • Category set to Link Handling, Site Handling & Routing
Actions #5

Updated by Benni Mack over 4 years ago

  • Status changed from New to Closed

Hey Andreas,

this was solved with Site Handling (as proper GET / POST parameters are not split into the PageArguments object, which is what reqcHash tested on. In addition, this functionality is not necessary anymore since site handling and therefore the code was removed in TYPO3 v10 completely. If you feel differently, let me know, so I will re-open the issue.


Also available in: Atom PDF