Project

General

Profile

Actions
Copy link

Bug #98264

closed

Logging "unsupported" HTTP request methods as an exception into the log is wrong

Added by S P about 2 years ago. Updated about 2 months ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2022-09-06
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
12
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The class TYPO3\CMS\Core\Http\Request will log any "unsupported" HTTP method as an Exception to the logs. \InvalidArgumentException('Unsupported HTTP method "' . $method . '".', 1436717275);

Knowing this one can exploit any modern TYPO3 setup by simply doing curl -XUNKWNONMETHOD https://target-host in a "slow" loop (slow enough to not be considered a DoS) and spam everyones sys_log.

The correct way of handling an unsupported method is by answering with 501 (Not Implemented).

Discovered in v10, but still valid in current master.

Related issues 2 (1 open1 closed)

Related to TYPO3 Core - Bug #103129: Modified "Host" header with invalid port leads to exception when creating the ServerRequestFactory->fromGlobalsUnder ReviewStefan Bürk2024-02-15

Actions
Related to TYPO3 Core - Task #100718: Log entry due to unsupported HTTP methodClosed2023-04-24

Actions
Actions
Copy link
 #1

Updated by S P about 2 years ago

  • Subject changed from Logging "unspported" HTT request methods as an exception into the log is wrong to Logging "unsupported" HTTP request methods as an exception into the log is wrong
Actions
Copy link
 #2

Updated by S P about 2 years ago

  • Description updated (diff)
Actions
Copy link
 #3

Updated by Gerrit Code Review about 2 years ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75613

Actions
Copy link
 #4

Updated by Gerrit Code Review about 2 years ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75613

Actions
Copy link
 #5

Updated by Gerrit Code Review about 2 years ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75613

Actions
Copy link
 #6

Updated by Gerrit Code Review over 1 year ago

Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75613

Actions
Copy link
 #7

Updated by S P over 1 year ago

#100718 did fix this already.

Actions
Copy link
 #8

Updated by Stefan Bürk 7 months ago

  • Related to Bug #103129: Modified "Host" header with invalid port leads to exception when creating the ServerRequestFactory->fromGlobals added
Actions
Copy link
 #9

Updated by Markus Klein about 2 months ago

  • Status changed from Under Review to Closed
Actions
Copy link
 #10

Updated by Oliver Hader about 2 months ago

  • Related to Task #100718: Log entry due to unsupported HTTP method added
Actions
Copy link

Also available in: Atom PDF