[TYPO3-core] RFC: Enable pageNotFoundOnCHashError by default?

Michael Stucki michael at typo3.org
Mon Mar 5 22:54:22 CET 2007


Hi Ingmar,

> I'm not sure if it was a good idea to introduce this patch.
> 
> According to the last comments on http://bugs.typo3.org/view.php?id=4940
> there are quite a number of extensions having problems with the new
> default setting of pageNotFoundOnCHashError.

True, though there was also a comment by Andreas Bulling who confirmed that
an additional patch might fix some (most?) cases for this.

I have posted this patch two weeks ago and will repost it next...

> Apart from that, I could not see a security advantage at all in the new
> setting: The only thing this is about is whether an error-page should be
> shown or a non-cached page should be output to the user. No matter what
> the setting in question is, the user couldn't spam the cache table or
> anything, so no security gain here.

Well, the key problem is that this bug has been in extensions for ages but
nobody noticed (causing no error message, but causing the page to be
non-cached). So it's mainly a question if we accept that behavior or not,
and of course this is just what we set by default, since everybody can
still override it if he likes...

I really think that we should keep the setting, but tell our users how they
can deal with it. There will be some failures in the beginning, but the
workaround is easy, and finally this will result in better extension
quality (chashes used more effectively + non-caching avoided where
possible).

> If I get it right, the only advantage of the new setting would be to
> warn administrators that the content of their pages is not cached, so
> they should fix their extensions to improve performance. However, such a
> message was already given to administrators by means of
>    $GLOBALS['TT']->setTSlogMessage('The cHash [...] did not match, so
>    caching is disabled [...]');

Yeah, but as you can see, nobody ever noticed or cared about it!

- michael

> Michael Stucki wrote:
>> This is a SVN patch request.
>> 
>> I would like to change the default value of the
>> [FE][pageNotFoundOnCHashError] setting from FALSE to TRUE.
>> 
>> The feature outputs an error if the &cHash parameter has been added to
>> the query, but turned out to be wrong.
>> 
>> Current situation: The consequence of having it disabled is that the page
>> is simply not cached, hence it will be created again.
>> 
>> New situation: Wrong cHashes will trigger an error instead of the
>> requested website. I cannot imagine a situation where the value is wrong
>> except two cases:
>> 
>> - someone tries to play with the URL parameters (bad?!)
>> - the encryptionKey has been changed (well...)
>> 
>> I would like to change this in Trunk only. What do you think?
>> 
>> - michael

-- 
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
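
The behaviour debated in this thread, as an added example that is not part of the original messages and is not TYPO3's code: a simplified model of a keyed cHash check and of what the pageNotFoundOnCHashError switch changes for the two mismatch causes named in the RFC (edited URL parameters, changed encryptionKey). The hash construction (HMAC-SHA256 over sorted parameters), the function names and the sample values are assumptions for illustration.

```php
<?php
// Simplified model, not TYPO3's implementation. calc_chash() and
// handle_request() are hypothetical names; the HMAC construction is assumed.

function calc_chash(array $params, string $encryptionKey): string
{
    unset($params['cHash']);   // the hash never covers itself
    ksort($params);            // parameter order must not change the result
    return substr(hash_hmac('sha256', http_build_query($params), $encryptionKey), 0, 20);
}

// Returns a description of what the frontend does with the request.
function handle_request(array $query, string $encryptionKey, bool $pageNotFoundOnCHashError): string
{
    if (!isset($query['cHash'])) {
        return 'setting not applicable (no cHash in query)';
    }
    $expected = calc_chash($query, $encryptionKey);
    if (is_string($query['cHash']) && hash_equals($expected, $query['cHash'])) {
        return 'render, cacheable under this parameter set';
    }
    // Mismatch: the setting chooses between a silent and a visible failure.
    return $pageNotFoundOnCHashError
        ? 'error page (page not found)'
        : 'render with caching disabled, log message only';
}

// Constructed sample data.
$key  = 'constructed-sample-key';
$link = ['id' => '42', 'item' => '7'];
$link['cHash'] = calc_chash($link, $key);      // link as the site generated it

$cases = [
    'valid link'            => [$link, $key],
    'parameter edited'      => [array_merge($link, ['item' => '8']), $key],
    'encryptionKey changed' => [$link, 'constructed-rotated-key'],
];

foreach ([false, true] as $setting) {
    echo 'pageNotFoundOnCHashError = ', var_export($setting, true), PHP_EOL;
    foreach ($cases as $label => [$query, $k]) {
        printf("  %-22s -> %s\n", $label, handle_request($query, $k, $setting));
    }
}
```

In this model the valid link behaves the same under both values of the setting; only the two mismatch cases move from an uncached render to an error page.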

