[TYPO3-dev] WARNING!?? tslib_patcher, pp_chashchecker
Popy
popy.dev at gmail.com
Thu Aug 23 10:17:57 CEST 2007
2007/8/23, Elmar Hinz <elmar07 at googlemail.com>:
>
> Hi Popy,
>
> Popy wrote:
>
> > No cHash means same cache than no params. If we don't check its validity
> > if it is not in the url, it is a way to corrupt cache.
>
> If you use a USER plugin, without sending cHash you make a mistake.
And if a malicious user remove the cHash from the url ? I know my work, all
my cHashes are corrects
>
> > Example : if you look the page id=5&tx_ttnews[uid]=3 (so without cHash)
> > and if the page id=5 is not already cached, the plugin will generate the
> > content for the news id 3, but the content will be cached as it was the
> > page id=5 !
>
> tt_news is probably the extension, which is responsible for the biggest
> part
> of ill caching T3 pages in the world. I would not seriously recommend to
> use it without patching. Since 2004-08-04 the use of set_no_cache() is
> build in for example. You find this extension as "reviewed"! IMHO it
> should
> be excluded from TER until caching issues are fixed.
It was just an example...
>
> > That's why i did make this extension, wich fix a possible security
> > problem, and ensure me that all my links are good (in combinaison with
> > pageNotFoundOnCHashError)
>
> That setting definitely has a bug. If you set pageNotFoundOnCHashError it
> redirects if the cHash is missing.
No, of course no. Only if the cHash is wrong or if no cHash is set and a
plugin calls "TSFE->reqCHash".
IMHO there are 2 options for a clean cHash system:
>
> a) Only check for cHash if the cHash has been sent else deliver the
> default
> cache.
> b) Always send a cHash, but "tunnel" or "bybass" parameters for USER_INT.
+1 for the "tunnel", and i'm ready to help core team (if they need)
--
Popy
Vulnerant omnes, ultima necat.
http://popy.sytes.net
More information about the TYPO3-dev
mailing list