[TYPO3-dev] set_no_cache is bad. What's next?

Elmar Hinz elmar.hinz at team.MINUS.red.DOT.net
Mon Apr 2 03:05:18 CEST 2007


> Hi Elmar,
> 
> in my example I enforced a never used cHash by adding a piVar t=time()
> This is not a good method, but it works to get a never used cHash.
> 

You get a never used cHash. That is not the purpose of the cHash system.
You would never find the entries again, so they are useless. To find them
you would need the identical timestamp. You would only create a self-made
DoS attack.

> So thinking again piVars are combination of Get and Post-Vars, so may be the 
> same result with
> 
> $markerArray['###ACTION###']=$this->pi_linkTP_keepPIvars_url($this->piVars,1);
> 
> Now we fit the combination, by calling the form with a combination we had 
> before, we get the same cHash, and of course the same result page - am I 
> right?

If I understand you right, you want to call the form twice.

First to select the values in the form, to send them to the server and
to create a new cHash action now ready to initialize caching on the second
call. Right? People would need to hit the save button twice. Alternatively
you could do a redirect.

That would work until the DoS attack. People can send you any manipulated
parameters on the first call. You would cache them all without limitation.

Again you would undermine the security system of cHash.

IMHO the system would only work:

1.) if you have only a limited number of selection combinations in the
form, to not blow up the DB. No free text input.

2.) if you combine it with a redirect, so that you do not need to hit submit
twice.

3.) if you do a careful security check, if the incoming parameters are
in the set of allowed values.

But I would not recommend to do so. It feels error-prone.

Regards

Elmar
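
The three conditions listed in the message above, sketched as an added example in plain PHP. This is not code from the thread or from TYPO3; the field names, allowed values and function names are hypothetical.

```php
<?php
// Added illustration in plain PHP, not TYPO3 API; all names are hypothetical.
// Condition 1: each field has a small fixed set of values, no free text.
const ALLOWED = [
    'category' => ['news', 'events', 'jobs'],
    'sort'     => ['date', 'title'],
    'page'     => ['1', '2', '3', '4', '5'],
];
// Condition 3: return the canonical parameter set, or null when any key or
// value is outside the allow-list (then: no cache entry, no redirect).
function canonicalParams(array $input): ?array
{
    if (array_diff_key($input, ALLOWED)) {
        return null;                          // unknown parameter, e.g. t=time()
    }
    $clean = [];
    foreach (ALLOWED as $key => $values) {    // fixed key order from ALLOWED
        $value = $input[$key] ?? $values[0];  // missing field: default value
        if (!is_string($value) || !in_array($value, $values, true)) {
            return null;                      // arrays, free text, unknown values
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Condition 2: the POST handler redirects to this query string; the cache
// key is derived from the same canonical string, never from raw input.
function canonicalQuery(array $clean): string
{
    return http_build_query($clean);
}
// Upper bound on the cache entries this form can ever create.
function maxCacheEntries(): int
{
    return array_product(array_map('count', ALLOWED));
}
// Constructed sample requests.
$samples = [
    ['category' => 'news', 'sort' => 'date'],
    ['sort' => 'date', 'page' => '1', 'category' => 'news'], // same canonical form
    ['category' => 'news', 't' => (string) time()],          // rejected
    ['category' => 'free text'],                             // rejected
];
foreach ($samples as $s) {
    $clean = canonicalParams($s);
    echo $clean === null ? "reject\n" : canonicalQuery($clean) . "\n";
}
echo 'max entries: ', maxCacheEntries(), "\n";
```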