Bug #78102
closed
Incorrect cHash generation may cause 404 on any page
100%
Description
10 = TEXT
10 {
typolink {
parameter.data = TSFE:id
additionalParams = &L=0&=
useCacheHash = 1
}
}
The code above creates a URL like /index.php?id=1&L=0&=&cHash=b977c84f0882a3a7c08999d2cf997eda. When going to that URL, a 404 is thrown because cHash comparison failed.
Reason: in PHP parameter with empty name does not appear in $_GET. Therefore cHash calculation will always fail. However CacheHashCalculator will not exclude such parameter from relevant parameters.
Yes, I know, it is stupid to create such URLs. However this happens in the wild and customers get very angry when they suddenly see 404s. Fortunately, it is easy to fix.
Mind that such URLs can also be created by badly coded extensions, not only by using TypoScript. So it is definitely makes sense that CacheHashCalculator takes $_GET behavior into account and removes that empty parameter from cHash calculation.
TYPO3 version is set to 6.2 but this also happens in 7.6 and 8.3.
Updated by Dmitry Dulepov over 7 years ago
Interestingly, if cHashIncludePageId is false, there can be many links with the same cHash. Here is a dump from the live db:
+------+---------+-----------------------------------------------------------+ | uid | page_id | original_url | +------+---------+-----------------------------------------------------------+ | 1837 | 187 | L=0&cHash=ec77b708dfb5aae6ca49e57208389a60&id=187 | | 1910 | 187 | L=0&cHash=ec77b708dfb5aae6ca49e57208389a60&id=187&type=98 | | 1151 | 276 | L=0&cHash=ec77b708dfb5aae6ca49e57208389a60&id=276 | | 2104 | 276 | L=0&cHash=ec77b708dfb5aae6ca49e57208389a60&id=276&type=98 | | 1712 | 494 | L=0&cHash=ec77b708dfb5aae6ca49e57208389a60&id=494 | | 1897 | 507 | L=0&cHash=ec77b708dfb5aae6ca49e57208389a60&id=507 | | 2070 | 507 | L=0&cHash=ec77b708dfb5aae6ca49e57208389a60&id=507&type=98 | | 1715 | 543 | L=0&cHash=ec77b708dfb5aae6ca49e57208389a60&id=543 | | 1944 | 543 | L=0&cHash=ec77b708dfb5aae6ca49e57208389a60&id=543&type=98 | | 1150 | 544 | L=0&cHash=ec77b708dfb5aae6ca49e57208389a60&id=544 | | 2190 | 544 | L=0&cHash=ec77b708dfb5aae6ca49e57208389a60&id=544&type=98 | | 1710 | 557 | L=0&cHash=ec77b708dfb5aae6ca49e57208389a60&id=557 | | 2103 | 557 | L=0&cHash=ec77b708dfb5aae6ca49e57208389a60&id=557&type=98 | | 1870 | 574 | L=0&cHash=ec77b708dfb5aae6ca49e57208389a60&id=574 | | 2139 | 574 | L=0&cHash=ec77b708dfb5aae6ca49e57208389a60&id=574&type=98 | | 1879 | 653 | L=0&cHash=ec77b708dfb5aae6ca49e57208389a60&id=653 | +------+---------+-----------------------------------------------------------+
Updated by Gerrit Code Review over 7 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50059
Updated by Gerrit Code Review over 7 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50059
Updated by Gerrit Code Review over 7 years ago
Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50070
Updated by Dmitry Dulepov over 7 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 88c723128fb1911455f8eed7de9e202c4fab8897.
Updated by Gerrit Code Review over 7 years ago
- Status changed from Resolved to Under Review
Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50072
Updated by Dmitry Dulepov over 7 years ago
- Status changed from Under Review to Resolved
Applied in changeset 0aa80a65df3a78e3f6e658210065722c1798386d.
Updated by