Project

General

Profile

Actions
Copy link

Bug #98264

closed

Logging "unsupported" HTTP request methods as an exception into the log is wrong

Added by S P about 2 years ago. Updated about 2 months ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2022-09-06
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
12
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The class TYPO3\CMS\Core\Http\Request will log any "unsupported" HTTP method as an Exception to the logs. \InvalidArgumentException('Unsupported HTTP method "' . $method . '".', 1436717275);

Knowing this one can exploit any modern TYPO3 setup by simply doing curl -XUNKWNONMETHOD https://target-host in a "slow" loop (slow enough to not be considered a DoS) and spam everyones sys_log.

The correct way of handling an unsupported method is by answering with 501 (Not Implemented).

Discovered in v10, but still valid in current master.

Related issues 2 (1 open1 closed)

Related to TYPO3 Core - Bug #103129: Modified "Host" header with invalid port leads to exception when creating the ServerRequestFactory->fromGlobalsUnder ReviewStefan Bürk2024-02-15

Actions
Related to TYPO3 Core - Task #100718: Log entry due to unsupported HTTP methodClosed2023-04-24

Actions
Actions
Copy link

Also available in: Atom PDF