Bug #72832

closed

Requests to non-existing files in typo3/ are not handled correctly

Added by Markus Klein over 8 years ago. Updated over 6 years ago.

Status: Closed
Priority: Must have
Assignee:
Category: System/Bootstrap/Configuration
Target version:
Start date: 2016-01-20
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 7
PHP Version:
Tags:
Complexity: easy
Is Regression: Yes
Sprint Focus:

Description

For instance, Chrome tries to load a .map file for JS files, which does not exist in the Core sources.

The current situation (docroot/.htaccess and docroot/typo3/.htaccess) leads to the situation that such requests are rewritten to the typo3/index.php file, causing the full BE (or Login) to be returned instead of a 404 HTTP error.
A side effect is that a PHP session cookie (from the LoginController) is created, when only accessing the Install Tool.

The reason for that problem is that the option RewriteOptions inherit in typo3/.htaccess literally copies the rewrite rules of the parent .htaccess files into the current one. This is necessary to have TYPO3_CONTEXT and versioned asset files working.
Unfortunately the rule to block rewriting for files in typo3/ does not match in the context of typo3/.htaccess as the path to the requested file does not contain the typo3/ segment anymore, as we are in that directory already.

The only solution is to either get rid of the .htaccess file in typo3/ or to block .map files explicitly.

As a first fix we discard requests to .map.
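
An added example, not part of the original ticket or of TYPO3's code: a simplified Python model of per-directory rewrite matching that reproduces the mismatch described above and the effect of discarding .map requests. The rule patterns, the function names `resolve` and `demo`, and the file paths are assumptions made for illustration.

```python
import re

# Simplified model of how mod_rewrite matches rules in per-directory
# (.htaccess) context. Patterns and paths are illustrative assumptions.
STOP_TYPO3 = (re.compile(r"^typo3/"), "pass")          # leave files in typo3/ alone
DISCARD_MAP = (re.compile(r"\.map$"), "404")           # model of the first fix
FRONT_CONTROLLER = (re.compile(r"^.*$"), "index.php")  # fallback for missing files

EXISTING = {"typo3/index.php", "typo3/sysext/core/app.js"}  # constructed file set


def resolve(url_path, htaccess_dir, rules):
    """Return 'file', '404', or the script the request is rewritten to."""
    full = url_path.lstrip("/")
    prefix = htaccess_dir.strip("/")
    prefix = prefix + "/" if prefix else ""
    if not full.startswith(prefix):
        raise ValueError("request is outside the directory of this .htaccess")
    # Per-directory context: the directory prefix is stripped before matching.
    local = full[len(prefix):]
    for pattern, action in rules:
        if not pattern.search(local):
            continue
        if action == "404":
            return "404"
        if action == "pass":
            break  # stop rewriting, serve the path as requested
        if full not in EXISTING:  # models the "file does not exist" condition
            return "/" + prefix + action
    return "file" if full in EXISTING else "404"


def demo():
    missing = "/typo3/sysext/core/app.js.map"
    inherited = [STOP_TYPO3, FRONT_CONTROLLER]  # parent rules copied by inherit
    fixed = [DISCARD_MAP] + inherited
    return {
        "docroot": resolve(missing, "/", inherited),
        "typo3_inherited": resolve(missing, "/typo3/", inherited),
        "typo3_with_fix": resolve(missing, "/typo3/", fixed),
        "existing_js": resolve("/typo3/sysext/core/app.js", "/typo3/", fixed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the `typo3_inherited` case the stop rule never sees the `typo3/` segment, so the missing file falls through to `/typo3/index.php` and the login page is served instead of an error.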

Actions #1

Updated by Markus Klein over 8 years ago

  • Description updated

Actions #2

Updated by Gerrit Code Review over 8 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/46108

Actions #3

Updated by Markus Klein over 8 years ago

How to test:

  1. Use Chrome
  2. Go to the Install Tool login
  3. Clear cookies (!)
  4. Refresh the Install Tool login
  5. Find the PHPSESSID cookie being set (which stems from BE Login, because Chrome requests a .map file invisibly)

With the patch no PHPSESSID cookie is set.

Or:

  1. Use any browser
  2. Log out of BE
  3. Request an arbitrary non-existing map-file in the typo3/ subdir, like http://example.com/typo3/somefile/test.map
  4. See the distorted BE login appear (with status code 200 sent)

With the patch a proper 404 status code is sent and an error message is shown.

Actions #4

Updated by Gerrit Code Review about 8 years ago

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/46532

Actions #5

Updated by Markus Klein about 8 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Actions #6

Updated by Riccardo De Contardi over 6 years ago

  • Status changed from Resolved to Closed