Bug #87917

closed

Bot manipulated form fields lead to exception

Added by Harald Holzmann over 5 years ago. Updated about 3 years ago.

Status: Rejected
Priority: Should have
Assignee: -
Category: -
Target version:
Start date: 2019-03-14
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 8
PHP Version: 7.3
Tags:
Complexity: medium
Is Regression:
Sprint Focus:

Description

Hello,

I found out that if you manipulate the hidden fields of a form, TYPO3 raises an error. The error message is "Uncaught TYPO3 Exception: #1320830276: A hashed string must contain at least 40 characters, the given string was only 6 characters long. | TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForHashGenerationException thrown in file ......../htdocs/typo3_src-8.7.24/typo3/sysext/extbase/Classes/Security/Cryptography/HashService.php in line 90" or "Uncaught TYPO3 Exception: #1320830018: The given string was not appended with a valid HMAC. TYPO3\CMS\Extbase\Security\Exception\InvalidHashException thrown in file| ......./htdocs/typo3_src-8.7.24/typo3/sysext/extbase/Classes/Security/Cryptography/HashService.php in line 94".

This happens if a bot or user manipulates, for example, the hidden trustedproperties field name="tx_vayoga_contact[__trustedProperties]" or name="tx_vayoga_contact[__referrer][@request]".

In my opinion the exception should be checked before. For example, whether the string is long enough or can be HMAC parsed. But to be honest, it spams the protocol. You cannot focus on the real issues.

What do you think about it?

Kind regards,
Harald
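
The two failure modes named in the report, as an added example that is not part of the original ticket and is not TYPO3's code: a standalone PHP sketch of a form field signed with a trailing 40-character hex HMAC, where a tampered value is answered with HTTP 400 and one short log line instead of an uncaught exception. The function names, the exception class, the key and the sample values are all hypothetical, and SHA-1 is assumed from the 40-character length in the error message.

```php
<?php
declare(strict_types=1);
// Constructed stand-in for the site's secret key (assumption, not a real key).
const EXAMPLE_KEY = 'constructed-example-key';

final class InvalidSignedValue extends InvalidArgumentException {}

// Append a hex SHA-1 HMAC (always 40 characters) to the field value.
function signField(string $value): string
{
    return $value . hash_hmac('sha1', $value, EXAMPLE_KEY);
}

// Return the payload only if the trailing 40 characters are its valid HMAC.
function verifyField(string $signed): string
{
    if (strlen($signed) < 40) {
        throw new InvalidSignedValue('value too short to carry an HMAC', 1);
    }
    $payload = substr($signed, 0, strlen($signed) - 40);
    $mac = substr($signed, -40);
    // hash_equals() compares in constant time.
    if (!hash_equals(hash_hmac('sha1', $payload, EXAMPLE_KEY), $mac)) {
        throw new InvalidSignedValue('HMAC does not match payload', 2);
    }
    return $payload;
}

// Treat tampering as a client error; never log the submitted value itself.
function handleSignedField(string $submitted): array
{
    try {
        return ['status' => 200, 'payload' => verifyField($submitted)];
    } catch (InvalidSignedValue $e) {
        error_log('rejected signed form field: ' . $e->getMessage());
        return ['status' => 400, 'payload' => null];
    }
}

// Constructed sample submissions.
$good = signField('a:1:{s:4:"name";i:1;}');
$cases = [
    'untouched' => $good,
    'six chars' => 'abcdef',              // shorter than any HMAC
    'altered'   => 'X' . substr($good, 1), // payload changed, HMAC kept
];
foreach ($cases as $label => $value) {
    printf("%-10s -> HTTP %d\n", $label, handleSignedField($value)['status']);
}
```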


Related issues 2 (0 open, 2 closed)

Related to TYPO3 Core - Feature #90134: Send 400 - BAD REQUEST on invalid hmacs from extbase forms (Closed, 2020-01-16)

Related to TYPO3 Core - Bug #93667: Disable logging of invalid requests due to manipulated form submissions (Closed, 2021-03-06)
