Bug #91874

closed

Cached exceptions with config.contentObjectExceptionHandler

Added by Alexander Vogt over 4 years ago. Updated 6 months ago.

Status: Rejected
Priority: Should have
Assignee: -
Category: Caching
Target version: -
Start date: 2020-07-27
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 9
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Prerequisites:
  • config.contentObjectExceptionHandler = 1

When a content exception occurs, the exception will be caught and displayed as "Oops an error occurred." message. This message gets cached.

This enables users or bots to call an uncached plugin page with invalid action parameters and cause "Oops" messages.
E.g. a bot can call a page like "/de/news?tx_extension_newslist[action]=invalidaction" and cause a "The action "invalidaction" (controller "News") is not allowed by this plugin / module" exception. To solve this the cache has to be cleared.

Actions #1

Updated by Andreas Kießling about 2 years ago

Hey Alexander,

did you find any workaround for this? Bingbot seems to like one of my projects a lot and crawls with a massive amount of invalid URLs / params and makes this error quite a PITA...

Update: enabling callDefaultActionIfActionCantBeResolved for my plugin seems to bypass the error - maybe this should be the default then...

Actions #2

Updated by Georg Ringer 6 months ago

  • Status changed from New to Rejected

I am closing this issue because of the following reason:

With the latest TYPO3 versions and strict cHash validation, this should not be an issue any more, as attackers cannot forge URL parameters without running into a 404.

Feel free to contact me via Slack or open a new issue if you don't agree.
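A simplified model of the behaviour discussed in this thread, as an added example that is not part of the original issue and is not TYPO3 code: without validation the handler's "Oops" output is stored under the page's normal cache entry, while a strict parameter-hash check turns the forged request into a 404 before anything is rendered or cached. The cache key layout, the HMAC-SHA256 hash construction, the secret and the plugin's allowed actions are assumptions made for the illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

SECRET = b"constructed-demo-key"      # stand-in for the site's encryption key
ALLOWED_ACTIONS = {"list", "detail"}  # actions the hypothetical plugin permits
OOPS = "Oops an error occurred."


def chash(params):
    """Keyed hash over the sorted request parameters (the cHash itself excluded)."""
    relevant = sorted((k, v) for k, v in params.items() if k != "cHash")
    return hmac.new(SECRET, urlencode(relevant).encode(), hashlib.sha256).hexdigest()


def signed_query(params):
    """Query string as the site itself would generate it, hash appended."""
    return urlencode(params) + "&cHash=" + chash(params)


class Frontend:
    def __init__(self, strict):
        self.strict = strict
        self.cache = {}  # assumption: entries keyed by (path, cHash or "")

    def handle(self, path, query=""):
        params = dict(parse_qsl(query))
        if self.strict and params:
            # Strict mode: parameters without a matching hash never reach rendering.
            given = params.get("cHash", "").encode()
            if not hmac.compare_digest(given, chash(params).encode()):
                return 404, "Page not found"
        key = (path, params.get("cHash", ""))
        if key in self.cache:
            return 200, self.cache[key]
        action = params.get("tx_extension_newslist[action]", "list")
        body = f"news:{action}" if action in ALLOWED_ACTIONS else OOPS
        self.cache[key] = body  # the exception handler's output is cached too
        return 200, body


def demo(strict):
    """Forged request first, then a normal visitor; returns both responses."""
    fe = Frontend(strict)
    forged = fe.handle("/de/news", "tx_extension_newslist[action]=invalidaction")
    visitor = fe.handle("/de/news")
    return forged, visitor
```
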
