Commit e02f3d85 authored by Torben Hansen, committed by Stefan Bürk

[BUGFIX] Do not log failed HMAC validations for HashService

The new core `HashService` and the deprecated extbase `HashService`
have the function `validateAndStripHmac` to validate and strip a
given HMAC appended string. The function will throw an exception,
if the given string is either too short or the appended HMAC in the
string is not valid.

In the context of a TYPO3 extension, those exceptions are usually
thrown when a given HMAC appended string has been tampered with.
Logging those exceptions to sys_log or logfiles makes no sense,
since a TYPO3 site owner has no reasonable possibility to
prevent a tampered HMAC appended string being passed to the
`validateAndStripHmac` function.

This change prevents logging of four exceptions caused by potentially
manipulated HMAC appended strings.

Additionally, a note has been added to extbase `HashService`, that
exception codes from that class must be removed in v14 in
`AbstractExceptionHandler::IGNORED_HMAC_EXCEPTION_CODES`.

Resolves: #103592
Releases: main, 12.4
Chang...
parent aaa9dd2a