[TYPO3-core] RFC: Enable pageNotFoundOnCHashError by default?
Ingmar Schlecht
ingmar at typo3.org
Wed Feb 28 00:11:44 CET 2007
Hi guys,

I'm not sure if it was a good idea to introduce this patch.

According to the last comments on http://bugs.typo3.org/view.php?id=4940
there are quite a number of extensions having problems with the new
default setting of pageNotFoundOnCHashError.

Apart from that, I could not see a security advantage at all in the new
setting: The only thing this is about is whether an error-page should be
shown or a non-cached page should be output to the user. No matter what
the setting in question is, the user couldn't spam the cache table or
anything, so no security gain here.

If I get it right, the only advantage of the new setting would be to
warn administrators that the content of their pages is not cached, so
they should fix their extensions to improve performance. However, such a
message was already given to administrators by means of
$GLOBALS['TT']->setTSlogMessage('The cHash [...] did not match, so
caching is disabled [...]');

cheers
Ingmar

Michael Stucki wrote:
> This is a SVN patch request.
>
> I would like to change the default value of the [FE][pageNotFoundOnCHashError]
> setting from FALSE to TRUE.
>
> The feature outputs an error if the &cHash parameter has been added to the
> query, but turned out to be wrong.
>
> Current situation: The consequence of having it disabled is that the page is
> simply not cached, hence it will be created again.
>
> New situation: Wrong cHashes will trigger an error instead of the requested
> website. I cannot imagine a situation where the value is wrong except two
> cases:
>
> - someone tries to play with the URL parameters (bad?!)
> - the encryptionKey has been changed (well...)
>
> I would like to change this in Trunk only. What do you think?
>
> - michael
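
A simplified model of the behaviour discussed in this thread, added here as an illustration and not taken from TYPO3 or from either poster: a request carrying &cHash is checked against a keyed hash of its parameters, and a mismatch produces either an uncached page or an error depending on the setting. The HMAC-SHA256 construction, the key, the `tx_demo[uid]` parameter and all function names are assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import urlencode

ENCRYPTION_KEY = b"constructed-demo-key"  # stands in for the site's encryptionKey
page_cache = {}  # models the cache table: (page id, cHash) -> rendered HTML


def calc_chash(params, key=ENCRYPTION_KEY):
    """Keyed hash over the sorted parameters (assumed construction, not TYPO3's)."""
    canonical = urlencode(sorted(params.items())).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:20]


def render(page_id, params):
    return f"<html>page {page_id} {sorted(params.items())}</html>"


def handle_request(page_id, params, chash, page_not_found_on_chash_error=False):
    """Return (status, body, served_from_cache) for a request carrying &cHash."""
    if not hmac.compare_digest(chash.encode(), calc_chash(params).encode()):
        if page_not_found_on_chash_error:
            return 404, "Page not found (cHash mismatch)", False
        # Setting off: page is generated again, cache is neither read nor written.
        return 200, render(page_id, params), False
    cache_key = (page_id, chash)
    served_from_cache = cache_key in page_cache
    if not served_from_cache:
        page_cache[cache_key] = render(page_id, params)
    return 200, page_cache[cache_key], served_from_cache


def demo():
    page_cache.clear()
    params = {"tx_demo[uid]": "42"}  # constructed sample parameters
    good = calc_chash(params)
    tampered = {"tx_demo[uid]": "43"}  # value changed, cHash left as it was
    return {
        "valid_first": handle_request(1, params, good)[::2],
        "valid_second": handle_request(1, params, good)[::2],
        "tampered_off": handle_request(1, tampered, good)[::2],
        "tampered_on": handle_request(1, tampered, good, True)[::2],
        "cache_entries": len(page_cache),
    }


if __name__ == "__main__":
    print(demo())
```

In this model the cache holds one entry after all four requests, whichever value the setting has; only the response to the mismatching request differs.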