Bug #91874
Closed
Cached exceptions with config.contentObjectExceptionHandler
Description
- config.contentObjectExceptionHandler = 1
When a content exception occurs, the exception will be caught and displayed as an "Oops an error occurred." message. This message gets cached.
This enables users or bots to call an uncached plugin page with invalid action parameters and cause "Oops" messages.
E.g. a bot can call a page like "/de/news?tx_extension_newslist[action]=invalidaction" and cause a "The action "invalidaction" (controller "News") is not allowed by this plugin / module" exception. To solve this the cache has to be cleared.
Updated by Andreas Kießling about 2 years ago
Hey Alexander,
did you find any workaround for this? Bingbot seems to like one of my projects a lot and crawls with a massive amount of invalid URLs / params and makes this error quite a PITA...
Update: enabling callDefaultActionIfActionCantBeResolved for my plugin seems to bypass the error - maybe this should be the default then...
Updated by Georg Ringer 6 months ago
- Status changed from New to Rejected
I am closing this issue because of the following reason:
With the latest TYPO3 versions and strict cHash validation this should not be an issue any more, as attackers cannot forge URL parameters without running into a 404.
Feel free to contact me via Slack or open a new issue if you don't agree.
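An added triage example (not part of the issue thread or of TYPO3 itself): it scans web server access log lines for Extbase action arguments such as `tx_extension_newslist[action]` whose value is not a registered action, and reports the affected page paths so their cache entries can be checked and cleared. The allowed action names, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumption: the actions registered for the plugin; adjust to your configuration.
ALLOWED_ACTIONS = {"list", "detail"}
# An Extbase action argument of any plugin namespace, e.g. tx_extension_newslist[action]
ACTION_PARAM = re.compile(r"^tx_[a-z0-9_]+\[action\]$", re.IGNORECASE)
# The request line inside a combined-format access log entry (assumed format)
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def invalid_action_requests(log_lines, allowed=ALLOWED_ACTIONS):
    """Return {page path: set of unregistered action values that were requested}."""
    hits = defaultdict(set)
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue  # not a request line we understand
        url = urlsplit(match.group(1))
        # parse_qsl percent-decodes, so %5Baction%5D and [action] are treated alike
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if ACTION_PARAM.match(name) and value not in allowed:
                hits[url.path].add(value)
    return dict(hits)


# Constructed sample log lines (documentation IP ranges, made-up sizes and agents)
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /de/news?tx_extension_newslist[action]=invalidaction HTTP/1.1" 200 512 "-" "bot"',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] '
    '"GET /de/news?tx_extension_newslist%5Baction%5D=foo HTTP/1.1" 200 512 "-" "bot"',
    '198.51.100.2 - - [01/Jan/2024:10:00:02 +0000] '
    '"GET /de/news?tx_extension_newslist[action]=list HTTP/1.1" 200 9001 "-" "browser"',
    '198.51.100.2 - - [01/Jan/2024:10:00:03 +0000] '
    '"GET /de/contact HTTP/1.1" 200 3000 "-" "browser"',
]

if __name__ == "__main__":
    for path, actions in sorted(invalid_action_requests(SAMPLE_LOG).items()):
        print(path, sorted(actions))
```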