[TYPO3-core] RFC: #10201: Duplicate cHash Values
Oliver Hader
oliver at typo3.org
Wed Aug 26 13:32:02 CEST 2009
Hi Francois,
Francois Suter schrieb:
> So Dmitry says that the new version of RealURL is ready for testing and
> could be released within a reasonable time frame if no major bugs are
> found.
>
> I would like to know if it seems ok to (most of) you if we just indicate
> somewhere (like in core, dev, english and perhaps other mailing lists;
> and maybe also in the core blog or something) that the SVN version of
> RealURL is necessary in order to work with the dev versions of 4.3,
> knowing that an official release will take place in time for 4.3-final.
>
> How does that sound? I would quite like to have opinions from other core
> team members and Olly in particular (as the RM for 4.3).
In general that sounds good to me. However, I'd like to request a
feedback from the crawler guys first since it seems that there could be
problems as well with a long cHash.
Another problem are indexed links in Google for example - maybe we
should think about a fallback option to support old cHashes as well. It
could be handy when upgrading a website from 4.2 to 4.3 for example.
Scenario:
"old URL": Events.101.0.html?&cHash=3847153e37&tx_ext_pi1[uid]=1
"new URL":
Events.101.0.html?&cHash=3847153e37098f6bcd4621d373cade4e&tx_ext_pi1[uid]=1
And another thing that comes into my mind is the possiblity to
recalculate the encryption key out of the cHash. I'm not an expert in
mathematical hashing methods...
Scenario:
1) recalulate a possible encryption key out of a full MD5 cHash (GET
arguments are given)
2) use the possible encryption key(s) to generate the juHash for a
jumpurl attack
Maybe someone from the security team could give an advise on that.
Thanks in advance!
olly
--
Oliver Hader
TYPO3 Release Manager 4.3
More information about the TYPO3-team-core
mailing list