[TYPO3-mvc] Strange caching behaviour
Helmut Hummel
helmut.hummel at typo3.org
Mon Apr 21 23:57:14 CEST 2014
Hi Frans,
On 20.04.14 16:28, Frans Saris wrote:
> Giving a 404 when the cHash is incorrect is not a suitable solution.
Why is it incorrect? You tried to access a resource which does not exist
under this URL.
> When the cHash is incorrect the parameters should be ignored.
There are cases where this would be more desirable.
You can currently configure to "ignore" a missing or wrong cHash by
disabling the cache.
This however is a "killer setting" on high traffic sites and it will be
much easier to perform a DoS attack by submitting URLs with arbitrary
cHash values.
So we don't want to disable the cache, but also no 404, how can we
ignore the parameters?
TYPO3 would need to *unset* all get parameters that are used to
calculate the cHash. While this would be quite easy to implement, I fear
that it would be *very hard* to track down errors. I can easily imagine
pondering the code for hours and wondering why certain get parameters,
while being in the URL are not passed to your plugin. :-D
Kind regards,
Helmut
--
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 Core Developer, TYPO3 Security Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org
More information about the TYPO3-project-typo3v4mvc
mailing list
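
The three ways of handling a wrong cHash that the message above compares (404, disabling the cache, unsetting the parameters), as an added example that is not part of the original message and is not TYPO3 code. It is a simplified model: the HMAC-based `chash`, the `Site` class, the policy names and the sample parameters are all assumptions made for illustration, and it counts how many full page renders a run of requests with arbitrary cHash values costs under each policy.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed stand-in for the site secret

def chash(params):
    """Keyed hash over the sorted parameters (simplified model, not TYPO3's)."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()[:32]

class Site:
    """Toy front end; policy is "404", "no_cache" or "unset" (hypothetical names)."""
    def __init__(self, policy):
        self.policy, self.cache, self.renders = policy, {}, 0

    def render(self, params):
        self.renders += 1  # stands for the expensive uncached page build
        return "page for " + repr(sorted(params.items()))

    def handle(self, query):
        params = {k: v for k, v in query.items() if k != "cHash"}
        sent = query.get("cHash", "")
        if params and not hmac.compare_digest(sent, chash(params)):
            if self.policy == "404":
                return 404, None                  # cheap rejection
            if self.policy == "no_cache":
                return 200, self.render(params)   # full render on every request
            params = {}                           # "unset": plugin never sees them
        key = tuple(sorted(params.items()))
        if key not in self.cache:
            self.cache[key] = self.render(params)
        return 200, self.cache[key]

def simulate(policy, n=100):
    """Warm the cache, then send n requests carrying arbitrary cHash values."""
    site = Site(policy)
    site.handle({})
    site.handle({"id": "7", "cHash": chash({"id": "7"})})
    for i in range(n):
        site.handle({"id": str(i), "cHash": f"{i:032x}"})
    return site.renders, len(site.cache)

if __name__ == "__main__":
    for policy in ("404", "no_cache", "unset"):
        print(policy, simulate(policy))
```

Under "unset" the render count stays as low as under "404", but a request with a wrong cHash gets the parameterless page with status 200, which is the hard-to-debug behaviour the message describes.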