[TYPO3-core] Review system woes
Helmut Hummel
helmut.hummel at typo3.org
Fri Feb 8 11:44:23 CET 2013
Hi Dmitry,
Ernesto exactly hit the point, not much to add.
Still want to stress, that I do not want to block anything, but want to
understand why the patch is needed in that form. That is what reviewing
is all about, isn't it? In fact the patch looks reasonable in general
and it might be a real problem with TYPO3 versions below 4.7.
In 4.7 however the cHash calculation has been improved and works
differently and I fail to see, that it is needed for TYPO3 4.7 and above.
I may be wrong, that is why I tried to ask you for clarification.
I try again.
Am 08.02.13 09:38, schrieb Dmitry Dulepov:
> This thing was seriously slowing down the site of one huge customer,
> which uses two TYPO3 instances.
What TYPO3 version are you using?
> After patching it works well and I was
> not asked to look at this site for more than half a year (earlier it was
> a regular problem for us). How can I prove to you that it is useful? I
> can't.
I'm only asking for a way to generate a link with a valid cHash that
triggers the problem which is solved by your patch.
Can you do that please?
The following TypoScript does not trigger the problem in 6.0, or to be
precise, your patch does not solve the problem, that with such
TypoScript in place, an arbitrary amount of cache entries can be created
by forging URLs.
10 = TEXT
10.value = Link
10.typolink {
    parameter = 1
    addQueryString = 1
    useCacheHash = 1
}
Kind regards,
Helmut
--
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 Core Developer, TYPO3 Security Team Leader
TYPO3 .... inspiring people to share!
Get involved: typo3.org