TYPO3 Core

I just found that using a non-existent language id (e.g. L=9999999999) works as well

Can you please add the relevant parts of your site configuration YAML to this ticket? Thx

Thx for sharing the configuration. Can you please describe (or add a screenshot) what "broken" means in this case. In my own tests, menu links now contain that (invalid) ?L=11111 parameter. It also only seems possible to use numeric values here, e.g. ?L=wordpress-spam did not work.

Update #1:
Checked again with the requirement "calling a non-translated page with invalid L-value". Now I see a couple of <a href="" class="dropdown-item"...> elements (empty href).

Update #2:
Dropping the filter from config.linkVars = L(int) allows arbitrary params. Not using config.linkVars at all, is fine here. Advise to use the filter is documented at https://docs.typo3.org/m/typo3/reference-typoscript/master/en-us/Setup/Config/Index.html#linkvars

→ I guess this is related to config.linkVars = L only and the link generation handling not checking valid L-parameters

Looking at it from a security point of view, it seems to be "low" (2.8-3.5):

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C/CR:X/IR:X/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X&version=3.1

The only impact is on "availability", however the service (website) is still working, just anchor tags are empty. That's why I applied the corresponding sub-score modifier.

We face that issue on typo3.com, and in there the L parameter is kept in cache. If you watch my recording, you may notice that this is the case in there as well for some links ("Home" and menu subpages).

I had this problem on a customer site last week too, which was migrated from 8.7 to 10.4.

Since the solution is to not include the L parameter in config.linkVars, is this still considered a security vulnerability or a misconfiguration issue?

Affected code: https://github.com/TYPO3/TYPO3.CMS/blob/master/typo3/sysext/frontend/Classes/Typolink/PageLinkBuilder.php#L164

I agree that this should be handled as a bugfix.

It is important to mention here that using "config.linkVars" does not fix the issue even when forcing the links vars via "config.linkVars" to be the correct ones.

Example:

Page URI: /de/test
Page URI called with empty cach to mess up the links: /de/test?L=3 (with 3 being another available language than german)

So it is possible to mess with the whole site links and get this invalid markup in the cache. And customers are getting targeted by bots calling these falsy URIs around midnight when the cache gets cleared. This breaks the pages. Only clearing the cache again is able to correct the issue.

It is important to mention here that using "config.linkVars" does not fix the issue even when forcing the links vars via "config.linkVars" to be the correct ones.

What exactly do you mean with "correct ones"? A configuration like e.g. config.linkVars = L(0-3) would still lead to the problem, since the L parameter is included in config.linkVars.

config.linkVars = L(0-3) would still lead to the problem, since the L parameter is included in config.linkVars.

Yeah this is what I said setting the linkVars correctly does not help.

Do I understand it correctly that removing the "config.linkVars" for the L parameter is considered a solution? (so for 9LTS and up we should not use the "config.linkVars" for the L parameter at all?