Feature #90134

Send 400 - BAD REQUEST on invalid hmacs from extbase forms

Added by Christian Eßl about 4 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Extbase
Target version:
-
Start date:
2020-01-16
Due date:
% Done:

100%

Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

See issue #87917.
If a bot submits a faulty extbase form (like with a manipulated __trustedProperties field), usually the following uncaught exception will be thrown:

The given string was not appended with a valid HMAC

The server will then - as with any other exception - send a status 500 back, which makes it look as if a server error occurred. This also means the error will then be automatically logged with any logging tool you are using, and you would have to either manually:
- block the bots that are using the form wrong
- create a rule in your logging tool to prevent those messages from flooding your logs.

I think it would be better to just send a status code "400 - BAD REQUEST" in this case, as this actually comes from a bad client request the server can't compute.
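An added illustration of the check this issue is about (example code written for this page, not extbase's own HashService or MvcPropertyMappingConfigurationService; class and function names and the key are hypothetical): the trusted-properties token carries an HMAC, a mismatch is treated as a client error answered with 400 and recorded at a low log level, and the token is only unserialized after the HMAC check has passed.

```php
<?php
// Added example, not TYPO3 code; names and key are hypothetical.
final class TamperedFormException extends RuntimeException {}
final class TrustedPropertiesGuard
{
    private const HMAC_LENGTH = 40; // hex sha1 HMAC, the length extbase's HashService appends
    private $encryptionKey;
    public function __construct(string $encryptionKey)
    {
        $this->encryptionKey = $encryptionKey;
    }

    // Render side: serialized trusted field list + HMAC; the browser posts it back untouched.
    public function appendHmac(string $serialized): string
    {
        return $serialized . hash_hmac('sha1', $serialized, $this->encryptionKey);
    }

    // Submit side: verify before anything in the token is used.
    public function validateAndStrip(string $token): string
    {
        if (strlen($token) <= self::HMAC_LENGTH) {
            throw new TamperedFormException('Token too short to carry an HMAC', 1581862822);
        }
        $payload = substr($token, 0, -self::HMAC_LENGTH);
        $expected = hash_hmac('sha1', $payload, $this->encryptionKey);
        // constant-time comparison: timing reveals nothing about the expected digest
        if (!hash_equals($expected, substr($token, -self::HMAC_LENGTH))) {
            throw new TamperedFormException('The HMAC of the form could not be validated.', 1581862822);
        }
        return $payload;
    }
}

// Dispatcher side: a failed check is a malformed client request, so answer 400 and log it
// at notice level rather than letting it surface as a 500 with an ALERT entry.
function handleSubmission(TrustedPropertiesGuard $guard, string $token): int
{
    try {
        $trusted = unserialize($guard->validateAndStrip($token), ['allowed_classes' => false]);
        return is_array($trusted) ? 200 : 400;
    } catch (TamperedFormException $e) {
        error_log(sprintf('notice: rejected form submission (%d): %s', $e->getCode(), $e->getMessage()));
        return 400;
    }
}
$guard = new TrustedPropertiesGuard('constructed-example-key');
$good = $guard->appendHmac(serialize(['name' => 1, 'email' => 1]));
$tampered = substr($good, 0, -1) . (substr($good, -1) === 'f' ? '0' : 'f'); // one altered hex digit
echo handleSubmission($guard, $good), ' ', handleSubmission($guard, $tampered), PHP_EOL;
```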


Related issues: 3 (0 open, 3 closed)

Related to TYPO3 Core - Bug #87917: Bot manipulated form fields lead to exception (Rejected, 2019-03-14)
Related to TYPO3 Core - Bug #93667: Disable logging of invalid requests due to manipulated form submissions (Closed, 2021-03-06)
Related to TYPO3 Core - Task #97830: Do not log HMAC validation errors in contentObject exception handler (Closed, Torben Hansen, 2022-06-29)

Actions #1

Updated by Christian Eßl about 4 years ago

  • Related to Bug #87917: Bot manipulated form fields lead to exception added
Actions #2

Updated by Christian Eßl about 4 years ago

  • Description updated (diff)
Actions #3

Updated by Christian Eßl about 4 years ago

  • Subject changed from Send 404 - BAD REQUEST on invalid hmacs from extbase forms to Send 400 - BAD REQUEST on invalid hmacs from extbase forms
Actions #4

Updated by Gerrit Code Review about 4 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63272

Actions #5

Updated by Gerrit Code Review about 4 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63272

Actions #6

Updated by Gerrit Code Review about 4 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63272

Actions #7

Updated by Christian Eßl about 4 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #8

Updated by Benni Mack almost 4 years ago

  • Status changed from Resolved to Closed
Actions #9

Updated by Gerrit Code Review almost 4 years ago

  • Status changed from Closed to Under Review

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64274

Actions #10

Updated by Gerrit Code Review almost 4 years ago

Patch set 2 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64274

Actions #11

Updated by Gerrit Code Review almost 4 years ago

Patch set 3 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64274

Actions #12

Updated by Gerrit Code Review almost 4 years ago

Patch set 4 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64274

Actions #13

Updated by Christian Eßl almost 4 years ago

  • Status changed from Under Review to Resolved
Actions #14

Updated by Benni Mack almost 4 years ago

  • Status changed from Resolved to Closed
Actions #15

Updated by Christoph Römer over 3 years ago

I am sorry to get to this issue once again... it seems like the problem is solved, but not for me. Now my Typo3 logs are flooded with the bad request exception instead... so nothing is won. I am running several Typo3 9.5.20 sites on a Mittwald server and some of them throw this exception 200 times a day - which is a little bit annoying, as you can imagine.
For Example:

Core: Exception handler (WEB): Uncaught TYPO3 Exception: #1581862822: The HMAC of the form could not be validated. | TYPO3\CMS\Core\Error\Http\BadRequestException thrown in file /html/typo3/typo3_src-9.5.20/typo3/sysext/extbase/Classes/Mvc/Controller/MvcPropertyMappingConfigurationService.php in line 136. Requested URL: https://www.esther-muench.de/startseite?tx_powermail_pi1%%5Baction%%5D=confirmation&tx_powermail_pi1%%5Bcontroller%%5D=Form&cHash=d6af9e27348305de23590d3dc3af1c30

So I have been looking for help for a few years now (I am not competent enough to solve it by myself, I must admit)...

Actions #16

Updated by Martin R. Krause over 3 years ago

This issue is NOT resolved. Now we have a different exception - BadRequestException - but it still floods the TYPO3 log. There is no option to prevent this.

Actions #17

Updated by varioous OG over 3 years ago

  • Status changed from Closed to New

Hi,
in version 10.4.6 there are still no changes. I always find messages like this in the log:

Core: Exception handler (WEB): Uncaught TYPO3 Exception: #1581862822: The HMAC of the form could not be validated. | TYPO3\CMS\Core\Error\Http\BadRequestException thrown in file /xxxxxxxxx/htdocs/public/typo3/sysext/extbase/Classes/Mvc/Controller/MvcPropertyMappingConfigurationService.php in line 142. Requested URL: xxxxxxxxx/kontakt?tx_vayoga_contact%%5Baction%%5D=index&tx_vayoga_contact%%5Bcontroller%%5D=Contact&cHash=1af7168931cf44716b07b683ad913967

Thanks and kind regards,
various

Actions #18

Updated by Anonymous over 3 years ago

I am wondering why the following try-catch emits its own message - instead of just reusing the original messages of the exceptions it catches?

https://github.com/TYPO3/TYPO3.CMS/commit/f553d918cb69eb9dc525cad689ce44c08e9b5f43#diff-2f30e714393f41c4befdde4343f5e7a7R136

    try {
        $serializedTrustedProperties = $this->hashService->validateAndStripHmac($trustedPropertiesToken);
    } catch (InvalidHashException | InvalidArgumentForHashGenerationException $e) {
        throw new BadRequestException('The HMAC of the form could not be validated.', 1581862822);
    }

This would help debugging on production systems a lot. Bugfix?

Actions #19

Updated by Alexander Rotzsch about 3 years ago

I can confirm this for 9.5.22. We have about 10-40 of those entries per day! Not only do the logs get flooded, it's also hard to spot real error logs that are lurking in between. A solution would be appreciated. ;) Example:

Core: Exception handler (WEB): Uncaught TYPO3 Exception: #1581862822: The HMAC of the form could not be validated. | TYPO3\CMS\Core\Error\Http\BadRequestException thrown in file /var/www/typo3/public/typo3/sysext/extbase/Classes/Mvc/Controller/MvcPropertyMappingConfigurationService.php in line 136. Requested URL: https://www.exampledomain.com/unternehmen/kontakt?tx_powermail_pi1%%5Baction%%5D=create&tx_powermail_pi1%%5Bcontroller%%5D=Form&cHash=3e78aed6aa31a247482c8cbe29b17a11

Actions #20

Updated by Mike Street about 3 years ago

Would like to echo the above comments - if this error is triggered by TYPO3 evaluating the user as "spam", I don't see why it needs to fill the `typo3_XXX` log up, especially with such verbose information and an `alert` status.

Apologies if I have misunderstood, but my impression is that nothing can be done with this error as a site maintainer? If that is the case it would be good to at least have the option of disabling this error.

I get the following with 9.5.24:


Mon, 08 Feb 2021 11:12:20 +0000 [ALERT] request="b21030be741ad" component="TYPO3.CMS.Frontend.ContentObject.Exception.ProductionExceptionHandler": Oops, an error occurred! Code: 202102081112203a990003 - {"exception":"TYPO3\\CMS\\Core\\Error\\Http\\BadRequestException: The HMAC of the form could not be validated. in /usr/local/share/typo3/9.5/typo3/sysext/extbase/Classes/Mvc/Controller/MvcPropertyMappingConfigurationService.php:136
Stack trace:
#0 /usr/local/share/typo3/9.5/typo3/sysext/extbase/Classes/Mvc/Controller/ActionController.php(155): TYPO3\\CMS\\Extbase\\Mvc\\Controller\\MvcPropertyMappingConfigurationService->initializePropertyMappingConfigurationFromRequest(Object(TYPO3\\CMS\\Extbase\\Mvc\\Web\\Request), Object(TYPO3\\CMS\\Extbase\\Mvc\\Controller\\Arguments))
#1 /usr/local/share/typo3/9.5/typo3/sysext/extbase/Classes/Mvc/Dispatcher.php(73): TYPO3\\CMS\\Extbase\\Mvc\\Controller\\ActionController->processRequest(Object(TYPO3\\CMS\\Extbase\\Mvc\\Web\\Request), Object(TYPO3\\CMS\\Extbase\\Mvc\\Web\\Response))
#2 /usr/local/share/typo3/9.5/typo3/sysext/extbase/Classes/Mvc/Web/FrontendRequestHandler.php(92): TYPO3\\CMS\\Extbase\\Mvc\\Dispatcher->dispatch(Object(TYPO3\\CMS\\Extbase\\Mvc\\Web\\Request), Object(TYPO3\\CMS\\Extbase\\Mvc\\Web\\Response))
#3 /usr/local/share/typo3/9.5/typo3/sysext/extbase/Classes/Core/Bootstrap.php(172): TYPO3\\CMS\\Extbase\\Mvc\\Web\\FrontendRequestHandler->handleRequest()
#4 /usr/local/share/typo3/9.5/typo3/sysext/extbase/Classes/Core/Bootstrap.php(159): TYPO3\\CMS\\Extbase\\Core\\Bootstrap->handleRequest()
#5 [internal function]: TYPO3\\CMS\\Extbase\\Core\\Bootstrap->run('', Array)
....
Actions #21

Updated by Torben Hansen almost 3 years ago

  • Related to Bug #93667: Disable logging of invalid requests due to manipulated form submissions added
Actions #22

Updated by Christoph Römer almost 3 years ago

Apologies if I have misunderstood, but my impression is that nothing can be done with this error as a site maintainer? If that is the case it would be good to at least have the option of disabling this error.

THANK YOU! I have been dealing with this for several years now... nothing happens. VERY disappointing. Up to 100 "Errors" a day...
Is there ANYTHING going on to solve that S&#=&t?

Actions #23

Updated by Torben Hansen almost 3 years ago

There is an open patch ready for test and review: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68196

Actions #24

Updated by Torben Hansen almost 3 years ago

Patch has been merged to master and v10, so I think this issue can be closed.

Actions #25

Updated by Riccardo De Contardi almost 3 years ago

  • Status changed from New to Closed

I close this issue for now; if you think that this is the wrong decision or experience the issue again, please reopen it or ping me and I'll do so.

Thank you.

Actions #26

Updated by Christian Wellinghorst over 2 years ago

  • Status changed from Closed to New

IMHO this problem still exists - the Exception 'The HMAC of the form could not be validated.' (Code 1581862822) is still logged for us WHEN IN PRODUCTION CONTEXT (note that this does NOT happen - at least in our tests until now - when in Development Context).

The reason is obviously that the exception gets caught by TYPO3\CMS\Frontend\ContentObject\Exception\ProductionExceptionHandler which also causes the log entry to be written. So basically: the fix does not seem to apply as soon as Production context is active. The only way we could find to work around this for now was to add the exception code to the list of ignored codes as per this site: https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/7.0/Feature-47919-CatchContentRenderingExceptions.html

Edit: Sorry, forgot to mention - this behavior occurs in Typo3 10.4.21 for us, not tested in v9 or v11
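The ignore-list workaround the comment above refers to, as an added illustration that is not part of the thread: the option name follows the linked Feature-47919 changelog, and the exception code is the one quoted throughout this thread.

```typoscript
# Keep the production content-object exception handler enabled (the default), ...
config.contentObjectExceptionHandler = 1
# ... but exception codes listed here are re-thrown instead of being caught and logged by it.
# 1581862822 is the BadRequestException code of the HMAC check quoted in this thread.
config.contentObjectExceptionHandler.ignoreCodes.10 = 1581862822
```

Ignored exceptions propagate to the global exception handler instead, so what ends up in the log then depends on how that handler treats a BadRequestException in the installed version.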

Actions #27

Updated by Mohamed Masmoudi over 1 year ago

I still have the same issue in the production context, Typo3 v11.

component="TYPO3.CMS.Frontend.ContentObject.Exception.ProductionExceptionHandler": Oops, an error occurred! Code: 20220616140959da0cf9eb- BadRequestException: The HMAC of the form could not be validated., in file /html/typo3/web/typo3/sysext/extbase/Classes/Mvc/Controller/MvcPropertyMappingConfigurationService.php:142 - {"exception":"TYPO3\\CMS\\Core\\Error\\Http\\BadRequestException: The HMAC of the form could not be validated.
Actions #28

Updated by Torben Hansen over 1 year ago

  • Related to Task #97830: Do not log HMAC validation errors in contentObject exception handler added
Actions #29

Updated by Torben Hansen over 1 year ago

  • Status changed from New to Closed

The patch merged with #97830 (for v11.5 and main) now also prevents logging of failed HMAC validations for ProductionExceptionHandler. I'll close this ticket again.
