Project

General

Profile

Actions

Bug #96646

closed

404 endless loop with disabled default language

Added by Alexander Vogt over 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Site Handling, Site Sets & Routing
Target version:
-
Start date:
2022-01-26
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
11
PHP Version:
Tags:
public-security-issue
Complexity:
Is Regression:
Sprint Focus:

Description

Site configuration:

base: 'https://www.example.de'
rootPageId: '1'
errorHandling:
  - errorCode: '404'
    errorHandler: Page
    errorContentSource: 't3://page?uid=5'
languages:
  - title: Deutsch
    enabled: false
    languageId: 0
    base: /de/
  - title: English
    enabled: true
    languageId: 1
    base: /en/

This leads to a 404 endless loop with default language calls (e.g. https://www.example.de/de/unknown).

The issue seems to be in the PageContentErrorHandler url resolver:
https://github.com/TYPO3/typo3/blob/v11.5.5/typo3/sysext/core/Classes/Error/PageErrorHandler/PageContentErrorHandler.php#L237-L246

The "enabled" state of the default language should also be checked.

Actions #1

Updated by Eberhard Loh about 2 years ago

Alexander Vogt wrote:

Site configuration:
[...]

This leads to a 404 endless loop with default language calls (e.g. https://www.example.de/de/unknown).

The issue seems to be in the PageContentErrorHandler url resolver:
https://github.com/TYPO3/typo3/blob/v11.5.5/typo3/sysext/core/Classes/Error/PageErrorHandler/PageContentErrorHandler.php#L237-L246

The "enabled" state of the default language should also be checked.

PageContentErrorHandler->resolveUrl ($site->getRouter()->generateUri) seems to ignore enablecolumns. This leads to a recursion causing lots of "Sleep" db-processes up to DoS. In our case caused by a hidden translation.

Actions #2

Updated by Oliver Hader almost 2 years ago

  • Status changed from New to Resolved

In general, please report security related topics (due to the denial-of-service aspect) to only.

The scenario described has been addressed in v11.5.16, see https://typo3.org/security/advisory/typo3-core-sa-2022-006 for details.

Actions #4

Updated by Oliver Hader almost 2 years ago

  • Tags set to public-security-issue
Actions #5

Updated by Benni Mack almost 2 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF