[TYPO3-dev] cHash revisited
Elmar Hinz
elmar.DOT.hinz at team.MINUS.red.DOT.net
Thu Apr 6 12:42:45 CEST 2006
Martin Kutschker wrote:
>> if (count($this->piVars)) {
>
>
> But only if the developer sets $pi_checkCHash which makes only sense for
> USER objects.
>
If we strip them, the setting of the developer is irrelevant. ;-)
> If you do it always then also USER_INTs are affected. Don't check for
Yes, but only if a cHash is sent at all, which usually shouldn't be the
case. If it happens that doesn't matter because USER_INTs are never cached.
> $pi_USER_INT_obj which now is used only for linking options!
>
> Anyway, I have a couple of INTs that should be cached without cHash. So
> don't fiddle with this setting.
The typical prerequisite to blow up your database with a large number of
calls with random parameters. Isn't it time to fix this security hole?
Regards
Elmar