Bug #97337: Empty $trustedProperties cause a PHP warning - TYPO3 Core - TYPO3 Forge

Custom queries

Accessibility
Easy tasks
Forge Triage
JavaScript issues
JavaScript Issues (w/o Epics/Stories)
My open issues
No feedback within 90 days
Open Bugs
Open issues of 10
Recently modified
Regressions
Stabilization Issues
Usability or UX

Watchers (1)

Tobias Liebig

Actions

Copy link

Bug #97337

closed

Empty $trustedProperties cause a PHP warning

Added by Marc Hirdes over 2 years ago. Updated 4 months ago.

Status:

Closed

Priority:

Should have

Assignee:

Thomas Hohn

Category:

Extbase

Target version:

Candidate for patchlevel

Start date:

2022-04-08

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

PHP Version:

7.4

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

In extbase/Classes/Mvc/Controller/MvcPropertyMappingConfigurationService.php line 144

   $trustedProperties = json_decode($serializedTrustedProperties, true);
   foreach ($trustedProperties as $propertyName => $propertyConfiguration) {

We get a PHP warning in our error log:

Core: Error handler (FE): PHP Warning: Invalid argument supplied for foreach() in typo3/sysext/extbase/Classes/Mvc/Controller/MvcPropertyMappingConfigurationService.php line 154

This fills the error log of a customer page. The page is attacked weekly, but at the moment this is the only problem.

The solution would be to provide an empty array for the foreach loop.

Related issues 1 (0 open — 1 closed)

Has duplicate TYPO3 Core - Bug #101525: foreach() argument must be of type array|object, null given in MvcPropertyMappingConfigurationService.php

Closed

2023-08-02

Actions

Issue # Delay: days Cancel

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Thomas Hohn over 1 year ago

Assignee set to Thomas Hohn
Target version set to Candidate for patchlevel

Actions

Copy link

Updated by Gerrit Code Review over 1 year ago

Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78002

Actions

Copy link

Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78002

Actions

Copy link

Updated by Thomas Hohn over 1 year ago

Hi @Marc Hirdes

We need more information about this issue.
Does it still occur?
Could the encryptionKey have been exposed - it could seem so since it has passed the various checks for if the HMAC
is valid?
How does the payload look?

You can email it to me at tho@gyldendal.dk - If you are not interested in exposing it here

Actions

Copy link

Updated by Gerrit Code Review over 1 year ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78002

Actions

Copy link

Updated by Gerrit Code Review over 1 year ago

Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78002

Actions

Copy link

Updated by Benjamin Franzke over 1 year ago

The issue was reported against TYPO3 v10, which uses json encoded trusted properties.

TYPO3 v9 used (un)serialized content for extbase trusted properrties. This could be the reason for the invalid payload.

In combination with stuff like config.sendCacheHeaders it is likely that warning occured after the update, when a (user)cached page has been visited that contained serialized trusted properties.

Can you confirm, that the warning happened shortly after an update from TYPO3 v9 to v10 (and that you use browser caching via config.sendCacheHeaders (like for example bootstrap_package does))?

Actions

Copy link

Status changed from Under Review to Resolved
% Done changed from 0 to 100

Applied in changeset 68c27e1c829fb4dc04a8a6ff82028815ae6d9e83.

Actions

Copy link

#16

Updated by Benni Mack 4 months ago

Status changed from Resolved to Closed

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Watchers (1)

Bug #97337

Empty $trustedProperties cause a PHP warning

Updated by Thomas Hohn over 1 year ago

Updated by Gerrit Code Review over 1 year ago

Updated by Gerrit Code Review over 1 year ago

Updated by Thomas Hohn over 1 year ago

Updated by Gerrit Code Review over 1 year ago

Updated by Gerrit Code Review over 1 year ago

Updated by Benjamin Franzke over 1 year ago

Updated by Gerrit Code Review over 1 year ago

Updated by Christian Kuhn over 1 year ago

Updated by Gerrit Code Review over 1 year ago

Updated by Gerrit Code Review about 1 year ago

Updated by Gerrit Code Review about 1 year ago

Updated by Gerrit Code Review about 1 year ago

Updated by Gerrit Code Review about 1 year ago

Updated by Thomas Hohn about 1 year ago

Updated by Benni Mack 4 months ago