Skip to content
Snippets Groups Projects
Select Git revision
  • 12.4
  • main default
  • 11.5
  • 13.3
  • l10n_main
  • 13.1
  • 13.0
  • l10n_12.4
  • 10.4
  • 12.1
  • 9.5
  • 11.3
  • master
  • 11.1
  • TYPO3_8-7
  • 10.2
  • 9.3
  • 9.2
  • TYPO3_7-6
  • TYPO3_7-0
  • v13.3.1
  • v12.4.21
  • v11.5.40
  • v13.3.0
  • v12.4.20
  • v12.4.19
  • v12.4.18
  • v11.5.39
  • v12.4.17
  • v13.2.1
  • v13.2.0
  • v12.4.16
  • v11.5.38
  • v13.1.1
  • v12.4.15
  • v11.5.37
  • v13.1.0
  • v12.4.14
  • v12.4.13
  • v12.4.12
40 results
Search by author
  • Any Author
0 authors
  1. Feb 07, 2023
  3. Feb 06, 2023
    • Benni Mack's avatar
      [BUGFIX] Enforce validation when no cHash is given · 840f8af3
      Benni Mack authored 
      When no cHash is given but GET parameters are handed in
which _would_ require cHash parameters, these are now
properly evaluated during the frontend request.

As this has a security impact,
a new option called
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['enforceValidation']
is introduced, which then skips
the "requireCacheHashPresenceParameters" option.
The latter is an include list, but cache Hash
calculation should rather be based on
the exclude list such as "excludedParameters" and
"cachedParametersWhiteList".

If the new option is set, but some properties such
as tx_solr[q] should be allowed, then this needs
to be added to the excludedList ("excludedParameters")
by extension authors.

A new test "SlugSiteWithoutRequiredCHashRequestTest"
is added which works with a disabled feature
flag compared to "SlugSiteRequestTest" which
has the feature flag enabled.

Resolves: #95297
Releases: main, 11.5, 10.4
Change-Id: Ib72c6a34602e77d8c2044ad2e826c0474ebd2326
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77712


Tested-by: default avatarOliver Hader <oliver.hader@typo3.org>
Tested-by: default avatarcore-ci <typo3@b13.com>
Reviewed-by: default avatarOliver Hader <oliver.hader@typo3.org>
      840f8af3
  5. Sep 13, 2022
  7. Aug 04, 2021
  9. Jun 16, 2021
  11. May 17, 2021
  13. Apr 15, 2020
  15. Apr 14, 2020
  17. Apr 13, 2020
  19. Dec 06, 2019
    • Benni Mack's avatar
      [TASK] Remove reqCHash functionality for plugins · f305de58
      Benni Mack authored 
      Since TYPO3 v10.0, all links generated by TYPO3 contain
a cHash if
- there are arguments that are not mapped within the routing
- there are arguments that are not explicitly "excluded" from cHash (e.g. fbclid)
- there are arguments that are not internal (L,id,MP).

The PageArgumentValidator middleware now always evaluates the
arguments properly at every request and decides to disable
caching or throw a 404, if an incoming request does not have
a cHash or an invalid cHash.

Through the middleware, any plugin is automatically checked
for the cHash, and it does not matter anymore for plugins,
so it does not matter for integrators or template authors as well
as cHash is managed internally by TYPO3 Core now (with no way
to disable it, for security reasons).

All functionality regarding cHash that can be dropped:
- CacheHashEnforcer and Extbase option
- TSFE->reqCHash() can be marked as deprecated
- the option within PiBased Plugins is now irrelevant as well.

This change jointly decouples cHash evaluation from any other
part than Url Generation (= PageRouter) and Resolver (PageArgumentValidator),
finally streamlining all logic of cHash functionality.

Resolves: #89868
Releases: master
Change-Id: I7a694fbc95fa1ea4dc85b12a94b0a06b3722fd11
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62267


Tested-by: default avatarTYPO3com <noreply@typo3.com>
Tested-by: default avatarSusanne Moog <look@susi.dev>
Tested-by: default avatarFrank Nägler <frank.naegler@typo3.org>
Reviewed-by: default avatarMarkus Klein <markus.klein@typo3.org>
Reviewed-by: default avatarSusanne Moog <look@susi.dev>
Reviewed-by: default avatarDaniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: default avatarFrank Nägler <frank.naegler@typo3.org>
      f305de58
  21. Aug 06, 2019
  23. Jul 13, 2019
    • Benni Mack's avatar
      [!!!][TASK] Remove dependencies of TSFE · e50b1c1a
      Benni Mack authored 
      This patch re-arranges the TYPO3 Core internally used
middlewares for lifting off the weight of $GLOBALS['TSFE']
as Site Handling already introduced a lot of functionality
which can now be utilized further.

For this reason, the Frontend Rendering chain has
been adapted.

* If there is a "Site" + "Language" resolved, this information can
be used directly, as there are no dependencies currently.

* Frontend + Backend User Authentication works regardless
of TSFE, Frontend User is added to the Request object as
attribute to be added to TSFE later-on.

* Resolving the Page ("slug") and mapping them to Page
Arguments (URL parts + GET parameters) as well as validation
against cHash is fully decoupled from TSFE.

After that, TSFE is instantiated, which now gets all resolved
objects injected.

TSFE now only resolves the rootline against the proper permissions
(auth) and validates the final page. Once done, TypoScript is
compiled / cached.

TSFE still contains the rootline, TypoScript, and the information
about which non-cacheables are there.

RequestHandler creates or fetches cached content, but currently piped
through TSFE. This should be simplified further later-on.

Resolves: #88717
Releases: master
Change-Id: I12807455fd8b01493b2da45cf73a5c532b108cbe
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61155


Tested-by: default avatarTYPO3com <noreply@typo3.com>
Tested-by: default avatarAnja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: default avatarAndreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: default avatarAnja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: default avatarAndreas Fernandez <a.fernandez@scripting-base.de>
      e50b1c1a
  25. Jun 26, 2019
  27. Jun 14, 2019
  29. Jun 08, 2019
  31. Jan 07, 2019
  33. Nov 05, 2018
  35. Sep 30, 2018
  37. Sep 29, 2018
    • Benni Mack's avatar
      [FEATURE] Introduce RouteEnhancers for Page-based Routing · 4844fae6
      Benni Mack authored 
      Page-based routing can now be configured within a site
configuration to add so-called "route enhancers" which
allow to add more placeholders to a route for a page.

There are three Enhancers that TYPO3 now ships with:
- SimpleEnhancer
- PluginEnhancer
- ExtbasePluginEnhancer

It is also possible to add custom enhancers by third-
party extensions.

Each placeholder within an enhancer can receive a
so-called "Aspect", usually used for mapping speaking
values instead of IDs, or month-names in an archive
link, and "modifiers" to modify a placeholder.

The simple enhancer transfers a link parameter,
previously maybe used to add a `&product=123`,
which will now result into `/product/123` for a
page. PluginEnhancer adds a namespace, common
for simple plugins or Pi-Based plugins, and
the ExtbasePluginEnhancer adds logic for multiple
route variants to be added, depending on the
controller/action combinations.

Aspects are processors / modifiers / mappers to
transfer a placeholder value back & forth to
make each placeholder value more "speaking".

TYPO3 Core ships with the following aspects:
* LocaleModifier (for localized path segments)
* StaticValueMapper (for path segments with a static list)
* StaticRangeMapper (for pagination)
* PersistedAliasMapper (for slug fields)
* PersistedPatternMapper (for database records without slug fields)

Routing now returns a so-called "PageArguments" object
which is then used for evaluating site-based URL
handling and the cHash calculation.

It is highly discouraged to access _GET or _POST
variables within any kind of code now, instead
the PSR-7 request object should be used as much
as possible.

Releases: master
Resolves: #86365
Change-Id: I77e001a5790f1ab3bce75695ef0e1615411e2bd9
Reviewed-on: https://review.typo3.org/58384


Tested-by: default avatarTYPO3com <no-reply@typo3.com>
Reviewed-by: default avatarSusanne Moog <susanne.moog@typo3.org>
Tested-by: default avatarSusanne Moog <susanne.moog@typo3.org>
Reviewed-by: default avatarOliver Hader <oliver.hader@typo3.org>
Tested-by: default avatarOliver Hader <oliver.hader@typo3.org>
      4844fae6
  39. Sep 28, 2018