[TYPO3-mvc] Strange caching behaviour

Frans Saris franssaris at gmail.com
Tue Apr 22 16:35:11 CEST 2014


Hi Helmut,

tnx for your explanation.

>> Giving a 404 when the cHash is incorrect is not a suitable solution.
>
> Why is it incorrect? You tried to access a resource which does not exist
> under this URL.

Has something to do with a Customer and his wishes/demands :)

But I'm with you on this one after re-reading this, a 404 should be the
result. Let's see if I can convince him.

gr. Frans


2014-04-21 23:57 GMT+02:00 Helmut Hummel <helmut.hummel at typo3.org>:

> Hi Frans,
>
>
> On 20.04.14 16:28, Frans Saris wrote:
>
>> Giving a 404 when the cHash is incorrect is not a suitable solution.
>
> Why is it incorrect? You tried to access a resource which does not exist
> under this URL.
>
>
>> When the cHash is incorrect the parameters should be ignored.
>
> There are cases where this would be more desirable.
>
> You can currently configure to "ignore" a missing or wrong cHash by
> disabling the cache.
>
> This however is a "killer setting" on high traffic sites and it will be
> much easier to perform a DoS attack by submitting URLs with arbitrary cHash
> values.
>
> So we don't want to disable the cache, but also no 404, how can we ignore
> the parameters?
>
> TYPO3 would need to *unset* all get parameters that are used to calculate
> the cHash. While this would be quite easy to implement, I fear that it
> would be *very hard* to track down errors. I can easily imagine pondering
> the code for hours and wondering why certain get parameters, while being in
> the URL are not passed to your plugin. :-D
>
>
> Kind regards,
> Helmut
>
> --
> Helmut Hummel
> Release Manager TYPO3 6.0
> TYPO3 Core Developer, TYPO3 Security Team Member
>
> TYPO3 .... inspiring people to share!
> Get involved: typo3.org


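The three ways of handling a wrong cHash discussed in this thread (404, disabling the cache, unsetting the parameters), modelled as an added sketch that is not part of the original mails and is not TYPO3 code. The function names, the `tx_demo` parameter, the key and the HMAC construction are assumptions made for the illustration; TYPO3's real cHash calculation differs.

```php
<?php
// Added illustration, not TYPO3 code. Names, key and the HMAC construction are assumptions.
const SECRET = 'constructed-demo-key';

// Keyed hash over the sorted cache-relevant GET parameters.
function demoCHash(array $params): string
{
    unset($params['cHash']);
    ksort($params);
    return substr(hash_hmac('sha256', http_build_query($params), SECRET), 0, 32);
}

// Returns [status, body]; $renders counts expensive page generations.
function handle(array $get, string $policy, array &$cache, int &$renders): array
{
    // A request carrying only "id" needs no cHash; anything else must match.
    $extra = array_diff_key($get, ['id' => 1, 'cHash' => 1]);
    $valid = $extra === []
        || hash_equals(demoCHash($get), (string)($get['cHash'] ?? ''));
    $useCache = true;
    if (!$valid) {
        if ($policy === 'reject') {
            return [404, 'not found'];      // no rendering, nothing cached
        }
        if ($policy === 'nocache') {
            $useCache = false;              // every such request is rendered
        } else {                            // 'strip': unset the parameters
            $get = array_intersect_key($get, ['id' => 1]);
        }
    }
    unset($get['cHash']);
    ksort($get);
    $key = http_build_query($get);
    if ($useCache && isset($cache[$key])) {
        return [200, $cache[$key]];
    }
    $renders++;
    $body = "rendered($key)";
    if ($useCache) { $cache[$key] = $body; }
    return [200, $body];
}

// Constructed sample: 100 requests, each with a different parameter value and a wrong cHash.
foreach (['reject', 'nocache', 'strip'] as $policy) {
    $cache = []; $renders = 0;
    for ($i = 0; $i < 100; $i++) {
        [$status] = handle(['id' => '5', 'tx_demo' => (string)$i, 'cHash' => 'bogus'], $policy, $cache, $renders);
    }
    echo "$policy: last status $status, renders $renders, cache entries " . count($cache) . "\n";
}
```

Under `reject` and `strip` the render count stays bounded however many distinct parameter values arrive, while under `nocache` it grows with every request. With `strip` the plugin never sees `tx_demo` even though it is in the URL, which is the debugging trap described in the quoted mail.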