Bug #77338
closed
Extbase validation cache allows invalid objects
100%
Description
In the \TYPO3\CMS\Extbase\Validation\Validator\GenericObjectValidator is a cache for already validated object instances (validatedInstancesContainer).
This makes total sense but there is a big flaw in the concept: the validation results are not restored. This causes a problem in these scenarios:
Action forwarding with @ignorevalidation¶
Imagine you have a action1() and a $property1.
action1() has an @ignorevalidation annotation for $property1 and forwards to action2().
action2() has no @ignorevalidation annotation but validation errors for $property1 are still ignored because the cache in the GenericObjectValidator is not reset and the previous validation results are not loaded.
This allows the user to pass invalid data to action2().
Object relations¶
The second scenario would be the following. You have two method arguments $param1 and $param2.
$param1 has a relation to $param2 and because child objects are validated you get the proper validation errors for $param1.$param2.
But you won't get any validation errors for your $param2 controller argument because of the cache.
This is problematic in two ways:
- If
$param1has an@ignorevalidationannotation the user can submit invalid data to your action - You can not display any validation errors in your form for
$param2
My suggestion to solve this is to store the validation results in the cache as well and restore them if needed.
The problem is valid since 6.2 until current master.
Files
Updated by 
Updated by 
Updated by 
Updated by