Bug #95297
closedcHash not enforced for Extbase actions anymore
100%
Description
TYPO3 8.5 introduced a new behaviour.
URIs to Extbase actions now need a valid cHash per default. This is required for both cached and uncached actions
Calling a link to an extbase-action without cHash would lead to an exception.
Now in v10 it looks like this behaviour is not anymore.
Issue¶
Opening a link to an extbase-action without chash just works.
Expected behaviour¶
Opening a link to an extbase-action without chash should fail.
Example URL¶
Possible cause¶
Here changed a lot. Not only things got deprecated.
CacheHashEnforce was removed in favor of handling in PageArgumentValidator middleware.
It looks like, that "dynamic" extbase-action-arguments were not considered in this changeset. Now CacheHashCalculator don't know them and therefore they are not enforced anymore.
Hotfix / quickfix¶
Add params manually to requireCacheHashPresenceParameters.
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['requireCacheHashPresenceParameters'] = [
'^tx_fooext_fooplugin',
];
Real fix suggestion¶
Either populate requireCacheHashPresenceParameters dynamically or use another way to enforce cHash for Extbase actions again.