    [BUGFIX] Enforce validation when no cHash is given · 840f8af3
    Benni Mack authored
    When no cHash is given but GET parameters are handed in
    which _would_ require cHash parameters, these are now
    properly evaluated during the frontend request.
    
    As this has a security impact,
    a new option called
    $GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['enforceValidation']
    is introduced, which then skips
    the "requireCacheHashPresenceParameters" option.
    The latter is an include list, but cache Hash
    calculation should rather be based on
    the exclude list such as "excludedParameters" and
    "cachedParametersWhiteList".
    
    If the new option is set, but some properties such
    as tx_solr[q] should be allowed, then this needs
    to be added to the excludedList ("excludedParameters")
    by extension authors.
    
    A new test "SlugSiteWithoutRequiredCHashRequestTest"
    is added which works with a disabled feature
    flag compared to "SlugSiteRequestTest" which
    has the feature flag enabled.
    
    Resolves: #95297
    Releases: main, 11.5, 10.4
    Change-Id: Ib72c6a34602e77d8c2044ad2e826c0474ebd2326
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77712
    
    
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Tested-by: core-ci <typo3@b13.com>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
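The difference between the include-list check and the exclude-list check described in the commit message, as an added example: this is a simplified model written for this page, not TYPO3 core code. The function names, `tx_news_pi1[news]`, `tx_example[uid]` and the sample requests are constructed; core parameters such as `id` and the `cachedParametersWhiteList` option are left out of the model.

```php
<?php
declare(strict_types=1);

// Turn ['tx_solr' => ['q' => 'x']] into ['tx_solr[q]'] (hypothetical helper).
function flattenNames(array $params, string $prefix = ''): array
{
    $names = [];
    foreach ($params as $key => $value) {
        $name = $prefix === '' ? (string)$key : $prefix . '[' . $key . ']';
        $names = array_merge($names, is_array($value) ? flattenNames($value, $name) : [$name]);
    }
    return $names;
}

// Model: may a request that carries NO cHash be served from these GET parameters?
// $config mirrors the keys of $GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash'].
function acceptableWithoutCacheHash(array $queryParams, array $config): bool
{
    $names = flattenNames($queryParams);
    if (empty($config['enforceValidation'])) {
        // Include list: only the listed parameters demand a cHash.
        $required = $config['requireCacheHashPresenceParameters'] ?? [];
        return array_intersect($names, $required) === [];
    }
    // Exclude list: every parameter that is not excluded demands a cHash.
    return array_diff($names, $config['excludedParameters'] ?? []) === [];
}

// Constructed configurations: option disabled vs. option enabled.
$includeList = ['requireCacheHashPresenceParameters' => ['tx_news_pi1[news]']];
$enforced = [
    'enforceValidation' => true,
    // tx_solr[q] is excluded so that free-text search still works without cHash.
    'excludedParameters' => ['L', 'utm_source', 'tx_solr[q]'],
];

// Constructed requests, none of which carries a cHash.
$requests = [
    'listed plugin param'   => ['tx_news_pi1' => ['news' => '12']],
    'unlisted plugin param' => ['tx_example' => ['uid' => '7']],
    'search term'           => ['tx_solr' => ['q' => 'typo3'], 'L' => '1'],
];

foreach ($requests as $label => $params) {
    $a = acceptableWithoutCacheHash($params, $includeList) ? 'accept' : 'reject';
    $b = acceptableWithoutCacheHash($params, $enforced) ? 'accept' : 'reject';
    printf("%-22s include-list=%s  enforceValidation=%s\n", $label, $a, $b);
}
```

The "unlisted plugin param" row is the case the change targets: the include list lets it through without a cHash, while the exclude-list check rejects it until the parameter is either signed with a cHash or added to `excludedParameters`.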