From e02f3d8588167c29d09381dbb48c045bed5ccd1f Mon Sep 17 00:00:00 2001
From: Torben Hansen <derhansen@gmail.com>
Date: Fri, 12 Apr 2024 14:31:11 +0200
Subject: [PATCH] [BUGFIX] Do not log failed HMAC validations for HashService
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The new core `HashService` and the deprecated extbase `HashService`
have the function `validateAndStripHmac` to validate and strip a
given HMAC appended string. The function will throw an exception
if the given string is either too short or the appended HMAC in the
string is not valid.

In the context of a TYPO3 extension, those exceptions are usually
thrown when a given HMAC appended string has been tampered with.
Logging those exceptions to sys_log or logfiles makes no sense,
since a TYPO3 site owner has no reasonable possibility to
prevent a tampered HMAC appended string from being passed to the
`validateAndStripHmac` function.

This change prevents logging of four exceptions caused by
potentially manipulated HMAC appended strings.

Additionally, a note has been added to extbase `HashService`, that
exception codes from that class must be removed in v14 in
`AbstractExceptionHandler::IGNORED_HMAC_EXCEPTION_CODES`.

Resolves: #103592
Releases: main, 12.4
Change-Id: I2870db815f3348cac2465b1caca711f4736f16db
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/83833
Reviewed-by: Torben Hansen <derhansen@gmail.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Torben Hansen <derhansen@gmail.com>
---
 typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php b/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
index 7ab61b64d9de..620823e54e91 100644
--- a/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
+++ b/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
@@ -53,6 +53,8 @@ abstract class AbstractExceptionHandler implements ExceptionHandlerInterface, Si
     public const IGNORED_HMAC_EXCEPTION_CODES = [
         1581862822, // Failed HMAC validation due to modified __trustedProperties in extbase property mapping
         1581862823, // Failed HMAC validation due to modified form state in ext:forms
+        1320830018, // Failed HMAC validation due to modified HMAC string in Extbase HashService
+        1320830276, // Failed HMAC validation due to too short HMAC string in Extbase HashService
     ];
 
     /**
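Review bot: The hunk and the commit message do not agree: the message says four exceptions are silenced and that a note was added to the extbase `HashService`, but the diffstat lists only `AbstractExceptionHandler.php` and this hunk adds just two codes (`1320830018`, `1320830276`), both from the extbase `HashService`. Either the hunks for the core `HashService` codes and the extbase `HashService` note are missing from this patch, or the message should be reduced to what is actually changed here. Also, since adding a code to `IGNORED_HMAC_EXCEPTION_CODES` removes the only sys_log trace of a tampered HMAC string, it would help to extend the two new comments to state that the exception is still thrown and the request still fails, only the log entry is suppressed, so that operators reading this constant understand what signal they lose; a pointer to the v14 removal noted in the commit message would also fit here rather than only in the extbase class.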
-- 
GitLab