[TYPO3-core] RFC: Enable pageNotFoundOnCHashError by default?
Ingmar Schlecht
ingmar at typo3.org
Tue Mar 6 01:07:26 CET 2007
Hi guys,
Stucki and me just had a chat about this and decided to revert the
patch, so the default of pageNotFoundOnCHashError is "0" again.
We'll get back to it during 4.2 development.
cheers
Ingmar
Michael Stucki schrieb:
> Hi Ingmar,
>
>> I'm not sure if it was a good idea to introduce this patch.
>>
>> According to the last comments on http://bugs.typo3.org/view.php?id=4940
>> there are quite a number of extensions having problems with the new
>> default setting of pageNotFoundOnCHashError.
>
> True, though there was also a comment by Andreas Bulling who confirmed that
> an additional patch might fix some (most?) cases for this.
>
> I have posted this patch two weeks ago and will repost it next...
>
>> Apart from that, I could not see a security advantage at all in the new
>> setting: The only thing this is about is whether an error-page should be
>> shown or a non-cached page should be output to the user. No matter what
>> the setting in question is, the user couldn't spam the cache table or
>> anything, so no security gain here.
>
> Well, the key problem is that this bug has been in extension for ages but
> nobody noticed (causing no error message, but causing the page to be
> non-cached). So it's mainly a question if we accept that behavior or not,
> and of course this is just what we set by default, since everybody can
> still override it if he likes...
>
> I really think that we should keep the setting, but tell our users how they
> can deal with it. There will be some failures in the beginning, but the
> workaround is easy, and finally this will result in better extension
> quality (chashes used more effectively + non-caching avoided where
> possible).
>
>> If I get it right, the only advantage of the new setting would be to
>> warn administrators that the content of their pages is not cached, so
>> they should fix their extensions to improve performance. However, such a
>> message was already given to administrators by means of
>> $GLOBALS['TT']->setTSlogMessage('The cHash [...] did not match, so
>> caching is disabled [...]');
>
> Yeah, but as you can see, nobody ever noticed or cared about
More information about the TYPO3-team-core
mailing list