Bug #87105
closed
Canonical - not "parameter-save"
Added by Christoph Werner over 5 years ago. Updated over 1 year ago.
0%
Description
Hi!
When no canonical is set manualy, the basic canonical is not save against parameters, so if you add ?foo=bar to the URL (or any other parameter) it is added to the canonical.
When you set the canonical manualy (i.e. the site itself), it works right: no parameter is added to the canonical.
Best
Christoph
PS: the hreflangtags are set and word correctly
Updated by Richard Haeser over 5 years ago
Thanks for your report. This is actually a duplicate issue of #86865. So I will close this one. Please follow the other issue. Already a pending patch for that.
Updated by Richard Haeser over 5 years ago
- Is duplicate of Bug #86865: Canonical tag for pages with extension records not correct added
Updated by Robert Vock about 5 years ago
I do not think, this is a duplicate. I rather think, #86865 might have introduced this issue.
This bug says, that parameters are added to the canonical URL, which should NOT be added. If you have a page, which is not yet cached, and the first request adds some Query-Strings, these appear in the canonical URL.
Example: Request to www.example.de/?test=1 leads to this canonical URL:
<link rel="canonical" href="http://www.example.de/?test=1&cHash=18700f90c42831de639122ac9306972d">
Then this page is written to the cache and the next visitor also gets this canonical URL, even though he requested the page without parameters.
I do not think, this is correct. This way even some random attacks can appear in the canonical URL. We recently had requests that looked like some kind of SQL injection:
http://www.example.de/?%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51, 45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45)%20--%20%20/*
All pages which previously weren't cached, now were cached with this canonical URL:
<link rel="canonical" href="http://www.example.de/?%20UNION%20SELECT%20CHAR%2845%2C120%2C49%2C45%2C81%2C45%29%2CCHAR%2845%2C120%2C50%2C45%2C81%2C45%29%2CCHAR%2845%2C120%2C51%2C45%2C81%2C45%29%2CCHAR%2845%2C120%2C52%2C45%2C81%2C45%29%2CCHAR%2845%2C120%2C53%2C45%2C81%2C45%29%20--%20%20%2F%2A&cHash=95ba3e44d81be05e0e48763d8c156b71">
Updated by Patrick Fiedorowicz about 5 years ago
Robert Vock wrote:
This bug says, that parameters are added to the canonical URL, which should NOT be added. If you have a page, which is not yet cached, and the first request adds some Query-Strings, these appear in the canonical URL.
Example: Request to www.example.de/?test=1 leads to this canonical URL:
[...]
This should not be possible because a request with params but without a cHash throws a fatal exception:
"Request parameters could not be validated (&cHash empty)"
Have you set [FE][pageNotFoundOnCHashError] to false to prevent this?
Updated by Robert Vock about 5 years ago
No. I only installed TYPO3 using the composer package "typo3/cms-base-distribution". Then I just run through the installation process and choose "Create empty starting page".
Then i request www.example.de/en/?test=1 and get a canonical URL with cHash
Updated by Peter Linzenkirchner over 4 years ago
Please reopen this bug - it is not fixed yet. I tried with TYPO3 9.5.10 and Introduction package:
[FE][pageNotFoundOnCHashError] = 1
Try:
- clear cache
- http://typo39lts.local/content-examples/text/rich-text?foo=bar
- Canonical:
<link rel="canonical" href="http://typo39lts.local/content-examples/text/rich-text?foo=bar&cHash=b53b88bf0f73e07d8f41d0c1b9fda120"/> - check in other browser: http://typo39lts.local/content-examples/text/rich-text (without parameter)
<link rel="canonical" href="http://typo39lts.local/content-examples/text/rich-text?foo=bar&cHash=b53b88bf0f73e07d8f41d0c1b9fda120"/>
that means the page is cached with wrong canonical.
Try again:
- clear cache
- http://typo39lts.local/content-examples/text/rich-text?foo=bar&cHash=mywrongchash
- get 404 chash error
Result:
- [FE][pageNotFoundOnCHashError] only throws an error when the value is wrong not when it is empty
- the canonicals are broken.
Updated by Wolfgang Klinger over 4 years ago
As long as this is not fixed, you can use my extension here:
https://github.com/wazum/seo-canonical-guard
Updated by Lukas Hausammann over 1 year ago
It seems that this bug still exists in TYPO3 version 10 and 11. Is there anything new here, what does it take to finally solve this?
Fortunately, the extension "seo-canonical-guard" by Wolfgang Klinger still seems to work in TYPO3 version 10. I have not yet tried TYPO3 11.
Updated by Christoph Werner over 1 year ago
Lukas Hausammann wrote in #note-9:
It seems that this bug still exists in TYPO3 version 10 and 11. Is there anything new here, what does it take to finally solve this?
Fortunately, the extension "seo-canonical-guard" by Wolfgang Klinger still seems to work in TYPO3 version 10. I have not yet tried TYPO3 11.
Hi Lukas,
use https://extensions.typo3.org/extension/trusted_url_params für TYPO3 10/11
Final corefix should be implemented in Version 12.
Best,
Christoph