[TYPO3-mvc] Realurl and hmac
Christian Kuhn
lolli at schwarzbu.ch
Thu Jun 16 19:16:55 CEST 2011
Hey,
On 06/08/2011 09:38 AM, Sebastian Fischer wrote:
>> #1255082824: Request hash (HMAC) checking failed. The parameter __hmac
>> was invalid or not set, and objects were modified.
>>
> Found the problem.
>
> If the configuration for realurl contains something like
>
> array(
> 'GETvar' => 'mailhash',
> 'noMatch' => 'bypass',
> ),
> ),
>
> the mailhash parameter is filled on decoding even if its empty. And by
> that a parameter not present in hmac is inserted. Which is evil ;)
Yeah. We've been running into this as well. It always pops up if you
have 'bypass' parameters. I can not recall the exact issue, but realUrl
somehow adds them, or does not add them as empty parameters to GET
again, which then invalidates the hmac and extbase complains.
We've done some nasty hack to realUrl which fixed this for us, but it's
tricky, hard to debug (as always in realurl), and I'm unsure if Dmitry
would accept it ...
If someone is interested, I could dig up the patch again.
Regards
Christian
More information about the TYPO3-project-typo3v4mvc
mailing list