Bug #87105

Canonical - not "parameter-save"

Added by Christoph Werner 4 months ago. Updated about 1 month ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
SEO
Target version:
-
Start date:
2018-12-07
Due date:
% Done:

0%

TYPO3 Version:
9
PHP Version:
7.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Hi!

When no canonical is set manualy, the basic canonical is not save against parameters, so if you add ?foo=bar to the URL (or any other parameter) it is added to the canonical.
When you set the canonical manualy (i.e. the site itself), it works right: no parameter is added to the canonical.
Best
Christoph

PS: the hreflangtags are set and word correctly


Related issues

Duplicates TYPO3 Core - Bug #86865: Canonical tag for pages with extension records not correct Resolved 2018-11-06

History

#1 Updated by Richard Haeser 4 months ago

Thanks for your report. This is actually a duplicate issue of #86865. So I will close this one. Please follow the other issue. Already a pending patch for that.

#2 Updated by Richard Haeser 4 months ago

  • Duplicates Bug #86865: Canonical tag for pages with extension records not correct added

#3 Updated by Richard Haeser 4 months ago

  • Status changed from New to Closed

#4 Updated by Robert Vock about 1 month ago

I do not think, this is a duplicate. I rather think, #86865 might have introduced this issue.

This bug says, that parameters are added to the canonical URL, which should NOT be added. If you have a page, which is not yet cached, and the first request adds some Query-Strings, these appear in the canonical URL.

Example: Request to www.example.de/?test=1 leads to this canonical URL:

<link rel="canonical" href="http://www.example.de/?test=1&amp;cHash=18700f90c42831de639122ac9306972d">

Then this page is written to the cache and the next visitor also gets this canonical URL, even though he requested the page without parameters.

I do not think, this is correct. This way even some random attacks can appear in the canonical URL. We recently had requests that looked like some kind of SQL injection:

http://www.example.de/?%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,
45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45)%20--%20%20/*

All pages which previously weren't cached, now were cached with this canonical URL:

<link rel="canonical" href="http://www.example.de/?%20UNION%20SELECT%20CHAR%2845%2C120%2C49%2C45%2C81%2C45%29%2CCHAR%2845%2C120%2C50%2C45%2C81%2C45%29%2CCHAR%2845%2C120%2C51%2C45%2C81%2C45%29%2CCHAR%2845%2C120%2C52%2C45%2C81%2C45%29%2CCHAR%2845%2C120%2C53%2C45%2C81%2C45%29%20--%20%20%2F%2A&amp;cHash=95ba3e44d81be05e0e48763d8c156b71">

#5 Updated by Patrick Fiedorowicz about 1 month ago

Robert Vock wrote:

This bug says, that parameters are added to the canonical URL, which should NOT be added. If you have a page, which is not yet cached, and the first request adds some Query-Strings, these appear in the canonical URL.

Example: Request to www.example.de/?test=1 leads to this canonical URL:
[...]

This should not be possible because a request with params but without a cHash throws a fatal exception:
"Request parameters could not be validated (&cHash empty)"

Have you set [FE][pageNotFoundOnCHashError] to false to prevent this?

#6 Updated by Robert Vock about 1 month ago

No. I only installed TYPO3 using the composer package "typo3/cms-base-distribution". Then I just run through the installation process and choose "Create empty starting page".

Then i request www.example.de/en/?test=1 and get a canonical URL with cHash

Also available in: Atom PDF