[BUGFIX] Do not log failed HMAC validations for HashService

The new core `HashService` and the deprecated extbase `HashService` have the function `validateAndStripHmac` to validate and strip a given HMAC appended string. The function will throw an exception if the given string is either too short or the appended HMAC in the string is not valid.

In context of a TYPO3 extension, those exceptions are usually thrown when a given HMAC appended string has been tampered with. Logging those exceptions to sys_log or logfiles makes no sense, since a TYPO3 site owner has no reasonable possibility to prevent a tampered HMAC appended string being passed to the `validateAndStripHmac` function.

This change prevents logging of four exceptions caused by potentially manipulated HMAC appended strings.

Additionally, a note has been added to extbase `HashService` that exception codes from that class must be removed in v14 in `AbstractExceptionHandler::IGNORED_HMAC_EXCEPTION_CODES`.

Resolves: #103592
Releases: main, 12.4
Change-Id: I2870db815f3348cac2465b1caca711f4736f16db
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/83833
Reviewed-by: Torben Hansen <derhansen@gmail.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Torben Hansen <derhansen@gmail.com>
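
The behaviour the commit message describes, as an added sketch that is not TYPO3's code and not part of the commit: a validate-and-strip function that throws on a too-short string or a mismatching HMAC, and a handler that still rejects the input but skips the log write for listed exception codes. The class name, the numeric codes, the key and the choice of SHA-256 are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins, not TYPO3 classes. The codes are constructed placeholders.
final class HmacException extends \RuntimeException {}

const CODE_TOO_SHORT = 1000000001;    // constructed
const CODE_INVALID_HMAC = 1000000002; // constructed
const IGNORED_HMAC_EXCEPTION_CODES = [CODE_TOO_SHORT, CODE_INVALID_HMAC];
const HMAC_HEX_LENGTH = 64; // length of a hex-encoded SHA-256 digest (assumed algorithm)

function appendHmac(string $payload, string $key): string
{
    return $payload . hash_hmac('sha256', $payload, $key);
}

function validateAndStripHmac(string $input, string $key): string
{
    if (strlen($input) < HMAC_HEX_LENGTH) {
        throw new HmacException('String too short to carry an HMAC', CODE_TOO_SHORT);
    }
    $payload = substr($input, 0, -HMAC_HEX_LENGTH);
    $given = substr($input, -HMAC_HEX_LENGTH);
    // hash_equals() compares in constant time, so timing does not leak the digest.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $given)) {
        throw new HmacException('HMAC does not match payload', CODE_INVALID_HMAC);
    }
    return $payload;
}

function shouldLog(\Throwable $e): bool
{
    return !in_array($e->getCode(), IGNORED_HMAC_EXCEPTION_CODES, true);
}

$key = 'constructed-demo-key';
$signed = appendHmac('page=42', $key);
// Constructed inputs: untouched, payload altered with the old HMAC kept, too short.
foreach ([$signed, 'page=43' . substr($signed, 7), 'short'] as $input) {
    try {
        echo 'ok: ' . validateAndStripHmac($input, $key) . PHP_EOL;
    } catch (\Throwable $e) {
        // The input is rejected either way; only the log entry is suppressed.
        if (shouldLog($e)) {
            error_log(get_class($e) . ': ' . $e->getMessage());
        }
        echo 'rejected (code ' . $e->getCode() . ')' . PHP_EOL;
    }
}
```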