[TYPO3-core] RFC: #12376: typo3temp got filled with thousands of javascript_* files

Sun Oct 3 03:04:57 CEST 2010

Hi,

It seems that this bug have not made much progress, even though it's 
really nasty.

I have seen an installation with ~1.8 million JS files (after 
configuring the menu correctly it generated 2 files) for a TMENU_LAYERS 
menu. All files had the same content, and the reason was a missing 
configuration "layer_menu_id". In the TSRef this configuration is not 
mandatory, but without it, the typo3temp folder will get flooded.

Attached is a version 4 of the patch made by Mittwald (see the bug 
tracker for a history of work on the bug). All I did was making the code 
CGL, and review it at the same time. So +1 from me.

Please, let's get this nasty, yet simple bug solved.

It should go into 4.3, 4.4 and trunk, and should apply to all with an 
offset.

[BT reference] http://bugs.typo3.org/view.php?id=12376

- Lars

Georg Ringer wrote:
> Hi,
>
> This is an SVN patch request.
>
> Type: bugfix
>
> Bugtracker reference:
> http://bugs.typo3.org/view.php?id=12376
>
> Branches: trunk, 4.2, 4.1
>
> Problem:
> If you use "GMENU_LAYERS / TMENU_LAYERS" without a specific
> "layer_menu_id" then your typo3temp will be filled continously with
> javascript_* files.
>
> The unique filename is created with a string md5(microtime()).
> (Actually it's *intended* to be unique.)
> md5(microtime()) can create millions of different filenames causing
> typo3temp to be filled more and more.
>
> Problems with temporary files with unique filenames are also mentioned
> in Bug 0012375 (http://bugs.typo3.org/view.php?id=12375)
> This bug can also show DoS-like behaviour.
>
> A better fix should use a system wide (system=TYPO3) class-function
> especially written for purposes like this.
>
> Additional information - How to reproduce:
> 1.) Delete temp js files in typo3temp
> 2.) Create a Layer_menu with a code like this
> -------------
> page.20 = HMENU
> page.20 {
>      1 = TMENU_LAYERS
>      1 {
>        wrap=<table border="0" cellspacing="0" cellpadding="0">|</table>
>        layerStyle = position:absolute;VISIBILITY:hidden;border: 1px solid
> #CCCCCC; background: #ffffff;
>
>        lockPosition = y
>        hideMenuWhenNotOver = 1
>        hideMenuTimer=250
>        expAll=1
>        leftOffset = 0
>        topOffset =22
>        relativeToTriggerItem = 1
>
>        NO {	
>          allWrap=<td>|</td>
>          ATagParams = class = "menue"
>        }
>      }
>
>      2 = TMENU
>      2.NO {
>        ATagParams = class = "menue1"
>        allWrap=|<br>
>      }
> }
> -----------
>
> 3.) click around and look at the typo3temp/ it will get larger with
> every click.
>
>
> Solution:
> The applied patch replaces microtime() with a string built around env
> var TYPO3_HOST_ONLY.
>
>
> Cheers
> Georg
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 12376_v4.diff
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20101002/873c20c5/attachment.txt>