Bug #96646
closed
404 endless loop with disabled default language
Description
Site configuration:
    base: 'https://www.example.de'
    rootPageId: '1'
    errorHandling:
      - errorCode: '404'
        errorHandler: Page
        errorContentSource: 't3://page?uid=5'
    languages:
      - title: Deutsch
        enabled: false
        languageId: 0
        base: /de/
      - title: English
        enabled: true
        languageId: 1
        base: /en/
This leads to a 404 endless loop with default language calls (e.g. https://www.example.de/de/unknown).
The issue seems to be in the PageContentErrorHandler url resolver:
https://github.com/TYPO3/typo3/blob/v11.5.5/typo3/sysext/core/Classes/Error/PageErrorHandler/PageContentErrorHandler.php#L237-L246
The "enabled" state of the default language should also be checked.
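The loop described in this report, as a simplified model added here for illustration (not TYPO3 code and not the project's fix). The site dict mirrors the configuration above; the `/error-404` path, the function names, the depth cap and the 508 status are assumptions of the model.

```python
# Simplified model of the 404 handler loop; all names here are hypothetical.
SITE = {
    "error_page": "/error-404",  # constructed stand-in for t3://page?uid=5
    "pages": {"/error-404"},
    "languages": [
        {"id": 0, "base": "/de/", "enabled": False},  # default language, disabled
        {"id": 1, "base": "/en/", "enabled": True},
    ],
}
MAX_DEPTH = 20  # stand-in for the point where a real server runs out of workers


def match_language(site, url):
    """Return the enabled language whose base prefixes the URL, if any."""
    for lang in site["languages"]:
        if lang["enabled"] and url.startswith(lang["base"]):
            return lang
    return None


def error_page_url(site, request_lang, check_enabled):
    """Build the URL the 404 handler fetches to get its error content."""
    lang = request_lang or site["languages"][0]  # fall back to default language
    if check_enabled and not lang["enabled"]:
        # Checked variant: use the first enabled language instead.
        lang = next((c for c in site["languages"] if c["enabled"]), None)
        if lang is None:
            return None
    return lang["base"].rstrip("/") + site["error_page"]


def handle(site, url, check_enabled, depth=0):
    """Return (status, body, number of error-page sub-requests)."""
    if depth >= MAX_DEPTH:
        return 508, "loop detected", depth
    lang = match_language(site, url)
    if lang is not None:
        path = "/" + url[len(lang["base"]):]
        if path in site["pages"]:
            return 200, "content of " + path, depth
    # Unknown page or disabled language: the 404 handler fetches its content.
    target = error_page_url(site, lang, check_enabled)
    if target is None:
        return 404, "generic 404", depth
    status, body, subrequests = handle(site, target, check_enabled, depth + 1)
    return (404 if status == 200 else status), body, subrequests
```

Without the enabled check, `handle(SITE, "/de/unknown", False)` keeps requesting `/de/error-404` until the depth cap; with it, the same request is answered after one sub-request to `/en/error-404`.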
Updated by Eberhard Loh over 2 years ago
Alexander Vogt wrote:
Site configuration:
[...]
This leads to a 404 endless loop with default language calls (e.g. https://www.example.de/de/unknown).
The issue seems to be in the PageContentErrorHandler url resolver:
https://github.com/TYPO3/typo3/blob/v11.5.5/typo3/sysext/core/Classes/Error/PageErrorHandler/PageContentErrorHandler.php#L237-L246
The "enabled" state of the default language should also be checked.
PageContentErrorHandler->resolveUrl ($site->getRouter()->generateUri) seems to ignore enablecolumns. This leads to a recursion causing lots of "Sleep" db-processes up to DoS. In our case caused by a hidden translation.
Updated by Oliver Hader about 2 years ago
- Status changed from New to Resolved
In general, please report security related topics (due to the denial-of-service aspect) to security@typo3.org only.
The scenario described has been addressed in v11.5.16, see https://typo3.org/security/advisory/typo3-core-sa-2022-006 for details.