[TYPO3-dev] WARNING!?? tslib_patcher, pp_chashchecker

Elmar Hinz elmar07 at googlemail.com
Thu Aug 23 09:06:14 CEST 2007 

Hi Popy,

Popy wrote:

> No cHash means same cache than no params. If we don't check its validity
> if it is not in the url, it is a way to corrupt cache.

If you use a USER plugin, without sending cHash you make a mistake.

> 
> Example : if you look the page id=5&tx_ttnews[uid]=3 (so without cHash)
> and if the page id=5 is not already cached, the plugin will generate the
> content for the news id 3, but the content will be cached as it was the
> page id=5 !

tt_news is probably the extension, which is responsible for the biggest part
of ill caching T3 pages in the world. I would not seriously recommend to
use it without patching. Since 2004-08-04 the use of set_no_cache() is
build in for example. You find this extension as "reviewed"! IMHO it should
be excluded from TER until caching issues are fixed.

> 
> By the way, many people make USER_INT plugins because they don't take care
> of performance, or they don't want to learn how building nice links...
> 

Normally people take USER_INT to cache the page although a dynamic part is
build in. This way they increase performance a lot.

> That's why i did make this extension, wich fix a possible security
> problem, and ensure me that all my links are good (in combinaison with
> pageNotFoundOnCHashError)

That setting definitely has a bug. If you set pageNotFoundOnCHashError it
redirects if the cHash is missing. But the triggering of a cHash check is 
triggert by any USER plugin that is accidently on the the same page as the
USER_INT. 

I always will set pageNotFoundOnCHashError to 0 until that bug is fixed.

> 
> Of course, if somebody has a strong knowledge of the typo3 caching system,
> i'll be happy to find some better solutions with him / them.

The current cHash system has conceptional issues, because it assumes by
design that there is only one plugin per page. 

Unfortunatly you can't fix this issues with an XCLASS extension, because any
fix has side effects for all other extensions. A fix of the caching system
is a mayor task of the core team.


IMHO there are 2 options for a clean cHash system:

a) Only check for cHash if the cHash has been sent else deliver the default
cache.
b) Always send a cHash, but "tunnel" or "bybass" parameters for USER_INT.

Both options can be combined to:

Only check for cHash if the cHash has been sent and "tunnel" parameters for
USER_INT.

Regards

Elmar

More information about the TYPO3-dev mailing list