[TYPO3-core] Review system woes

Helmut Hummel helmut.hummel at typo3.org
Fri Feb 8 11:44:23 CET 2013


Hi Dmitry,

Ernesto exactly hit the point, not much to add.

Still want to stress, that I do not want to block anything, but want to 
understand why the patch is needed in that form. That is what reviewing 
is all about, isn't it? In fact the patch looks reasonable in general 
and it might be a real problem with TYPO3 versions below 4.7.

In 4.7 however the cHash calculation has been improved and works 
differently and I fail to see that it is needed for TYPO3 4.7 and above.

I may be wrong, that is why I tried to ask you for clarification.
I try again.

On 08.02.13 09:38, Dmitry Dulepov wrote:

> This thing was seriously slowing down the site of one huge customer,
> which uses two TYPO3 instances.

What TYPO3 version are you using?

> After patching it works well and I was
> not asked to look at this site for more than half a year (earlier it was
> a regular problem for us). How can I prove to you that it is useful? I
> can't.

I'm only asking for a way to generate a link with a valid cHash that 
triggers the problem which is solved by your patch.

Can you do that please?

The following TypoScript does not trigger the problem in 6.0, or to be 
precise, your patch does not solve the problem, that with such 
TypoScript in place, an arbitrary amount of cache entries can be created 
by forging URLs.

10 = TEXT
10.value = Link
10.typolink {
   parameter = 1
   addQueryString = 1
   useCacheHash = 1
}

Kind regards,
Helmut

-- 
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 Core Developer, TYPO3 Security Team Leader

TYPO3 .... inspiring people to share!
Get involved: typo3.org

