Bug #98264
Logging "unsupported" HTTP request methods as an exception into the log is wrong
Description
The class TYPO3\CMS\Core\Http\Request will log any "unsupported" HTTP method as an Exception to the logs.
\InvalidArgumentException('Unsupported HTTP method "' . $method . '".', 1436717275);
Knowing this, one can exploit any modern TYPO3 setup by simply doing curl -XUNKWNONMETHOD https://target-host in a "slow" loop (slow enough to not be considered a DoS) and spam everyone's sys_log.
The correct way of handling an unsupported method is by answering with 501 (Not Implemented).
Discovered in v10, but still valid in current master.
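The behaviour the report asks for, as an added example in plain PHP (not TYPO3's code and not the patch under review): the request method is checked before dispatch, and an unsupported one is answered with 501 instead of raising an exception that ends up in the log. The SUPPORTED_METHODS list, the function names, the 32-character limit and the 400 answer for malformed method tokens are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Assumption: the methods this application implements (hypothetical list).
const SUPPORTED_METHODS = ['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'];

/**
 * Decide how to answer a request from its method alone.
 * Returns [status, reason]; a null status means "dispatch normally".
 */
function classifyRequestMethod(string $method): array
{
    // A method is a case-sensitive token (RFC 9110); anything else is a malformed request.
    // The length limit of 32 is an assumption of this example.
    if (preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]{1,32}$/', $method) !== 1) {
        return [400, 'Bad Request'];
    }
    // Strict, case-sensitive comparison: "get" is not "GET".
    if (!in_array($method, SUPPORTED_METHODS, true)) {
        // Client input, not an application fault: no exception, no error-level log entry.
        return [501, 'Not Implemented'];
    }
    return [null, ''];
}

/** Front-controller guard: emits the error response itself and returns its status, or null. */
function guardRequest(array $server): ?int
{
    [$status, $reason] = classifyRequestMethod((string)($server['REQUEST_METHOD'] ?? ''));
    if ($status === null) {
        return null; // hand over to the normal request handling
    }
    if (PHP_SAPI !== 'cli') {
        http_response_code($status);
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo $status . ' ' . $reason . "\n";
    return $status;
}

// Constructed sample inputs; run from the CLI to see the decisions.
if (PHP_SAPI === 'cli') {
    foreach (['GET', 'UNKWNONMETHOD', 'get', "GE T"] as $sample) {
        $result = guardRequest(['REQUEST_METHOD' => $sample]);
        printf("%-16s => %s\n", json_encode($sample), $result === null ? 'dispatch' : (string)$result);
    }
}
```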
Updated by Stefan P almost 2 years ago
- Subject changed from Logging "unspported" HTT request methods as an exception into the log is wrong to Logging "unsupported" HTTP request methods as an exception into the log is wrong
Updated by Gerrit Code Review almost 2 years ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75613
Updated by Gerrit Code Review almost 2 years ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75613
Updated by Gerrit Code Review almost 2 years ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75613
Updated by Gerrit Code Review about 1 year ago
Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75613
Updated by Stefan Bürk 2 months ago
- Related to Bug #103129: Modified "Host" header with invalid port leads to exception when creating the ServerRequestFactory->fromGlobals added