Bug #72832
Closed
Requests to non-existing files in typo3/ are not handled correctly
100%
Description
For instance, Chrome tries to load a .map file for JS files, which does not exist in the Core sources.
The current situation (docroot/.htaccess and docroot/typo3/.htaccess) leads to the situation that such requests are rewritten to the typo3/index.php file, causing the full BE (or Login) to be returned instead of a 404 HTTP error.
A side effect is that a PHP session cookie (from the LoginController) is created, when only accessing the Install Tool.
The reason for that problem is that the option "RewriteOptions inherit" in typo3/.htaccess literally copies the rewrite rules of the parent .htaccess files into the current one. This is necessary to have TYPO3_CONTEXT and versioned asset files working.
Unfortunately the rule to block rewriting for files in typo3/ does not match in the context of typo3/.htaccess as the path to the requested file does not contain the typo3/ segment anymore, as we are in that directory already.
The only solution is to either get rid of the .htaccess file in typo3/ or to block .map files explicitly.
As a first fix we discard requests to .map.
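A small model of the behaviour described in the report, added here as an illustration and not taken from the TYPO3 sources or the patch: it evaluates the same rule set in docroot context and in typo3/ context, where the directory prefix is stripped before matching. The rule patterns, the `resolve` helper and the form of the .map block are assumptions made for the example.

```python
import re

# Simplified stand-ins for the parent (docroot) rules; assumed for this example,
# not the verbatim TYPO3 .htaccess. Each rule: (pattern, action, only_if_missing).
PARENT_RULES = [
    (r"^(?:typo3/|fileadmin/|typo3temp/)", "stop", False),  # never rewrite these
    (r"^.*$", "index.php", True),                           # front controller
]
# Hypothetical form of the "discard requests to .map" fix.
MAP_BLOCK = (r"\.map$", "404", False)


def resolve(uri, htaccess_dir, rules, existing=()):
    """Model how a per-directory rule set treats `uri`.

    htaccess_dir is "" for docroot/.htaccess or "typo3/" for typo3/.htaccess.
    Returns "not rewritten", "404", or the script the request is rewritten to.
    """
    path = uri.lstrip("/")
    if not path.startswith(htaccess_dir):
        raise ValueError("uri is outside the directory of this .htaccess")
    # Per-directory context: the directory prefix is stripped before matching,
    # so rules inherited into typo3/ never see the leading "typo3/" segment.
    local = path[len(htaccess_dir):]
    for pattern, action, only_if_missing in rules:
        if not re.search(pattern, local):
            continue
        if only_if_missing and uri in existing:
            continue  # models a "requested file does not exist" condition
        if action == "stop":
            return "not rewritten"  # Apache serves the file or its own 404
        if action == "404":
            return "404"
        return htaccess_dir + action
    return "not rewritten"


if __name__ == "__main__":
    uri = "/typo3/somefile/test.map"  # constructed request, as in the report
    for label, ctx, rules in [
        ("docroot context", "", PARENT_RULES),
        ("typo3/ context, inherited", "typo3/", PARENT_RULES),
        ("typo3/ context, .map blocked", "typo3/", [MAP_BLOCK] + PARENT_RULES),
    ]:
        print(f"{label}: {resolve(uri, ctx, rules)}")
```

In the inherited typo3/ context the exclusion rule no longer matches and the missing .map request falls through to typo3/index.php, which is the 200 response with a session cookie that the report describes.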
Updated by Gerrit Code Review over 8 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/46108
Updated by Markus Klein over 8 years ago
How to test:
- Use Chrome
- Go to install tool login
- clear cookies (!)
- refresh install tool login
- Find the PHPSESSID cookie being set (which stems from BE Login, because Chrome requests a .map file invisibly)
With the patch no PHPSESSID cookie is set.
Or:
- Use any browser
- Log out of BE
- Request an arbitrary non-existing map-file in the typo3/ subdir, like http://example.com/typo3/somefile/test.map
- See the distorted BE login appear (with status code 200 sent)
With the patch a proper 404 status code is sent and an error message is shown.
Updated by Gerrit Code Review over 8 years ago
Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/46532
Updated by Markus Klein over 8 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 3221f1b7fbddb323fce00861f00bff95c62affdc.
Updated by Riccardo De Contardi almost 7 years ago
- Status changed from Resolved to Closed