Bug #87917

Bot manipulated form fields lead to exception

Added by Harald Holzmann 6 days ago. Updated 2 days ago.

Status:
Rejected
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2019-03-14
Due date:
% Done:

0%

TYPO3 Version:
8
PHP Version:
7.3
Tags:
Complexity:
medium
Is Regression:
Sprint Focus:

Description

Hello,

I found out that if you manipulate the hidden fields of a form, typo3 raises an error. Error message is "Uncaught TYPO3 Exception: #1320830276: A hashed string must contain at least 40 characters, the given string was only 6 characters long. | TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForHashGenerationException thrown in file ......../htdocs/typo3_src-8.7.24/typo3/sysext/extbase/Classes/Security/Cryptography/HashService.php in line 90" or "Uncaught TYPO3 Exception: #1320830018: The given string was not appended with a valid HMAC. TYPO3\CMS\Extbase\Security\Exception\InvalidHashException thrown in file| ......./htdocs/typo3_src-8.7.24/typo3/sysext/extbase/Classes/Security/Cryptography/HashService.php in line 94".

If a bot or user manipulates for example the hidden trustedproperties field "name="tx_vayoga_contact[__trustedProperties]" or "name="tx_vayoga_contact[__referrer][@request]".

In my opinion the exception should be checked before. For example if the string is long enough or can be hmac parsed. But to be honest it spams the protocol. You cannot focus on the real issues.

What you think about it?

Kind regards,
Harald

History

#1 Updated by Georg Ringer 5 days ago

  • Description updated (diff)

#2 Updated by Georg Ringer 2 days ago

  • Status changed from New to Rejected

Thanks for creating the issue. We don't see this is problem as the exception is correct, the request must fail if the hmac is wrong.

If you have too many issues like that, try to block the bot in your firewall, waf or htaccess.

Also available in: Atom PDF