Commit 434c4fde authored by Benni Mack, committed by Oliver Hader

[BUGFIX] Enforce validation when no cHash is given

When no cHash is given but GET parameters are handed in
which _would_ require cHash parameters, these are now
properly evaluated during the frontend request.

As this has a security impact,
a new option called
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['enforceValidation']
is introduced, which then skips
the "requireCacheHashPresenceParameters" option.
The latter is an include list, but cache Hash
calculation should rather be based on
the exclude list such as "excludedParameters" and
"cachedParametersWhiteList".

If the new option is set, but some properties such
as tx_solr[q] should be allowed, then this needs
to be added to the excludedList ("excludedParameters")
by extension authors.

A new test "SlugSiteWithoutRequiredCHashRequestTest"
is added which works with a disabled feature
flag compared to "SlugSiteRequestTest" which
has the feature flag enabled.

Resolves: #95297
Releases: main, 11.5, 10.4
Change-Id: Ib72c6a34602e77d8c2044ad2e826c0474ebd2326
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77206


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Tested-by: core-ci <typo3@b13.com>
parent 2c345739
330 additions and 3 deletions
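
The configuration change described in the commit message, as an added example that is not part of the commit or of TYPO3's own code. The file location and the `tx_example[uid]` entry are assumptions made for illustration; the option names and `tx_solr[q]` are taken from the commit message.

```php
<?php
// Added illustration. Assumed location: instance-level configuration or an
// extension's ext_localconf.php.

// Before: a missing cHash is only checked for parameters named in the include
// list "requireCacheHashPresenceParameters". Any parameter that is not listed
// here is not covered by that check.
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['requireCacheHashPresenceParameters'] = [
    'tx_example[uid]', // constructed sample entry
];

// After: the option introduced by this commit. Per the commit message, it
// skips the include list above, so the decision rests on the exclude-style
// lists ("excludedParameters", "cachedParametersWhiteList") instead.
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['enforceValidation'] = true;

// With enforcement on, a parameter that must stay usable without a cHash
// (the commit message names tx_solr[q]) has to be added to the exclude list
// by the extension that owns it.
// Excluded parameters take no part in cHash calculation, so cached output
// must not depend on their values.
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['excludedParameters'][] = 'tx_solr[q]';
```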