[BUGFIX] Enforce validation when no cHash is given
When no cHash is given but GET parameters are handed in which _would_ require cHash parameters, these are now properly evaluated during the frontend request.

As this has a security impact, a new option called $GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['enforceValidation'] is introduced, which then skips the "requireCacheHashPresenceParameters" option. The latter is an include list, but cache hash calculation should rather be based on the exclude list such as "excludedParameters" and "cachedParametersWhiteList".

If the new option is set, but some properties such as tx_solr[q] should be allowed, then this needs to be added to the exclude list ("excludedParameters") by extension authors.

A new test "SlugSiteWithoutRequiredCHashRequestTest" is added which works with a disabled feature flag, compared to "SlugSiteRequestTest" which has the feature flag enabled.

Resolves: #95297
Releases: main, 11.5, 10.4
Change-Id: Ib72c6a34602e77d8c2044ad2e826c0474ebd23...
Showing 19 changed files:
- typo3/sysext/core/Configuration/DefaultConfiguration.php (1 addition, 0 deletions)
- typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml (3 additions, 0 deletions)
- typo3/sysext/core/Configuration/FactoryConfiguration.php (3 additions, 0 deletions)
- typo3/sysext/core/Documentation/Changelog/10.4.x/Important-95297-StrictCHashValidationFeatureFlag.rst (41 additions, 0 deletions)
- typo3/sysext/fluid/Tests/Functional/View/TemplatesPathsTest.php (5 additions, 0 deletions)
- typo3/sysext/fluid/Tests/Functional/ViewHelpers/Link/TypolinkViewHelperTest.php (8 additions, 0 deletions)
- typo3/sysext/fluid/Tests/Functional/ViewHelpers/Uri/TypolinkViewHelperTest.php (8 additions, 0 deletions)
- typo3/sysext/frontend/Classes/Middleware/PageArgumentValidator.php (25 additions, 1 deletion)
- typo3/sysext/frontend/Tests/Functional/Fixtures/be_users.csv (4 additions, 0 deletions)
- typo3/sysext/frontend/Tests/Functional/Rendering/TitleTagRenderingTest.php (5 additions, 0 deletions)
- typo3/sysext/frontend/Tests/Functional/Rendering/UriPrefixRenderingTest.php (5 additions, 0 deletions)
- typo3/sysext/frontend/Tests/Functional/SiteHandling/AbstractTestCase.php (3 additions, 1 deletion)
- typo3/sysext/frontend/Tests/Functional/SiteHandling/SlugSiteRequestTest.php (1 addition, 0 deletions)
- typo3/sysext/frontend/Tests/Functional/SiteHandling/SlugSiteWithoutRequiredCHashRequestTest.php (167 additions, 0 deletions)
- typo3/sysext/redirects/Tests/Functional/Service/RedirectServiceTest.php (13 additions, 0 deletions)
- typo3/sysext/seo/Tests/Functional/XmlSitemap/XmlSitemapPagesTest.php (11 additions, 0 deletions)
- typo3/sysext/seo/Tests/Functional/XmlSitemap/XmlSitemapPagesWithHideIfNotTranslatedTest.php (3 additions, 0 deletions)
- typo3/sysext/seo/Tests/Functional/XmlSitemap/XmlSitemapRecordsTest.php (11 additions, 0 deletions)
- typo3/sysext/seo/Tests/Functional/XmlSitemap/XmlSitemapXslTest.php (18 additions, 1 deletion)