
realurl saves links without cHash in the table tx_realurl_urldata. This makes DB flooding possible if a hacker adds some GET parameter to the URL:

L=1&id=14&tx_gbaccount_transactions[@widget_0][currentPage]=3&foo=bar
L=1&id=14&tx_gbaccount_transactions[@widget_0][currentPage]=3&asd=123
etc.

Is there a solution for this problem? Can I tell realurl not to save certain links?

Thanks

olek07
  • Have you found a solution for your problem? – Artur Cichosz Sep 13 '17 at 16:41
  • I would say yes and no. Read my comments about it, please. The developer of realurl, Dmitry Dulepov, told me that realurl is able to control how large the DB is and is safe against flooding. – olek07 Sep 15 '17 at 16:43

3 Answers

2

You may exclude certain parameters from being cached.

Reference to manual for 2.x: https://github.com/dmitryd/typo3-realurl/wiki/Notes-for-Developers#banning-certain-urls-from-realurl-cache

Note that there was an issue in TYPO3 core before September 2016 which has been fixed: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-022/

As far as I have experienced, there is no way to flood the realurl cache by adding random parameters. In case you find a way, please create a bug report in Dmitry's GitHub project: https://github.com/dmitryd/typo3-realurl

Adrian Dymorz

The cache entries of realurl are only written when you create the links using the TYPO3 typolink feature. They are not created based on external requests. So the only way to flood this cache is to do it by a script yourself.

The cache entries can contain cHash or can be without it, depending on the typolink parameters given to create the link. So you can explicitly disable cHash usage by telling typolink not to use it by setting useCacheHash=FALSE.

This is in fact done by most plugins and plugin API methods in case caching is disabled globally or the links are being created in the context of a USER_INT object, where caching is disabled only for this context. In that case caching is not expected, so cHash is not necessary in general.

Artur Cichosz

I think the pagination widget is not written quite correctly. The pagination widget uses the widget LinkViewHelper, which has the method getWidgetUri:

protected function getWidgetUri()
{
    $uriBuilder = $this->controllerContext->getUriBuilder();
    $argumentPrefix = $this->controllerContext->getRequest()->getArgumentPrefix();
    $arguments = $this->hasArgument('arguments') ? $this->arguments['arguments'] : [];
    if ($this->hasArgument('action')) {
        $arguments['action'] = $this->arguments['action'];
    }
    if ($this->hasArgument('format') && $this->arguments['format'] !== '') {
        $arguments['format'] = $this->arguments['format'];
    }
    return $uriBuilder->reset()
        ->setArguments([$argumentPrefix => $arguments])
        ->setSection($this->arguments['section'])
        ->setAddQueryString(true)
        ->setAddQueryStringMethod($this->arguments['addQueryStringMethod'])
        ->setArgumentsToBeExcludedFromQueryString([$argumentPrefix, 'cHash'])
        ->setFormat($this->arguments['format'])
        ->build();
}

setAddQueryString(true) says to add all GET parameters to each pagination URL, and it's not possible to set addQueryString to false or to say that only certain parameters have to be added. In my case, these are startdate and enddate.

I resolved this problem using xclass, and getWidgetUri looks like this:

protected function getWidgetUri()
{
    // Needs "use TYPO3\CMS\Core\Utility\GeneralUtility;" at the top of the XCLASS file
    $uriBuilder = $this->controllerContext->getUriBuilder();
    $argumentPrefix = $this->controllerContext->getRequest()->getArgumentPrefix();
    $arguments = $this->hasArgument('arguments') ? $this->arguments['arguments'] : [];
    if ($this->hasArgument('action')) {
        $arguments['action'] = $this->arguments['action'];
    }
    if ($this->hasArgument('format') && $this->arguments['format'] !== '') {
        $arguments['format'] = $this->arguments['format'];
    }

    // Allow-list: only these GET parameters are carried over into the pagination links,
    // so arbitrary foreign parameters can no longer produce new URL variants.
    $allowedParams = [];
    $startdate = GeneralUtility::_GET('startdate');
    $enddate = GeneralUtility::_GET('enddate');
    if ($startdate != null) {
        $allowedParams['startdate'] = $startdate;
    }
    if ($enddate != null) {
        $allowedParams['enddate'] = $enddate;
    }

    return $uriBuilder->reset()
        // array_merge puts the allowed parameters at the top level of the query string;
        // a literal [$argumentPrefix => $arguments, $allowedParams] would nest them under key 0.
        ->setArguments(array_merge([$argumentPrefix => $arguments], $allowedParams))
        ->setSection($this->arguments['section'])
        ->setAddQueryString(false)
        ->setAddQueryStringMethod($this->arguments['addQueryStringMethod'])
        ->setArgumentsToBeExcludedFromQueryString([$argumentPrefix, 'cHash', 'type'])
        ->setFormat($this->arguments['format'])
        ->setUseCacheHash(false)
        ->build();
}
olek07
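To make the cache-growth point of the answers above concrete, here is an added stand-alone model (not code from the question, the answers, TYPO3 or realurl) of the two link-building strategies: the permissive one that copies every request parameter into the pagination link, as setAddQueryString(true) does, and the allow-listed one of the xclass above. It uses plain PHP arrays and http_build_query in place of the TYPO3 UriBuilder; the function names, the prefix tx_gbaccount_transactions and the 1000 constructed requests are assumptions for the demonstration.

```php
<?php
// Added example, not from the original page: models how the number of distinct
// pagination URLs (and therefore potential cache entries) depends on which
// request parameters are copied into the generated links.

/**
 * Permissive variant: mirrors setAddQueryString(true). Every parameter of the
 * incoming request is copied into the generated pagination link.
 */
function buildPaginationUrlPermissive(array $requestQuery, string $prefix, int $page): string
{
    $params = $requestQuery;          // carry everything the client sent
    unset($params['cHash']);          // the core helper excludes cHash as well
    $params[$prefix] = ['@widget_0' => ['currentPage' => $page]];
    return '/index.php?' . http_build_query($params);
}

/**
 * Allow-listed variant: the approach of the xclass above. Only named
 * parameters survive, so foreign parameters cannot create new URL variants.
 */
function buildPaginationUrlAllowlisted(array $requestQuery, string $prefix, int $page, array $allowed): string
{
    $params = array_intersect_key($requestQuery, array_flip($allowed));
    $params[$prefix] = ['@widget_0' => ['currentPage' => $page]];
    return '/index.php?' . http_build_query($params);
}

/** Number of distinct URLs a URL cache would have to store for a set of requests. */
function countDistinctUrls(array $requests, callable $builder): int
{
    $seen = [];
    foreach ($requests as $query) {
        $seen[$builder($query)] = true;
    }
    return count($seen);
}

// Constructed sample input: the same page requested 1000 times, each time with
// a different junk parameter appended (as in the question's foo=bar / asd=123).
$prefix = 'tx_gbaccount_transactions';
$requests = [];
for ($i = 0; $i < 1000; $i++) {
    $requests[] = ['id' => 14, 'L' => 1, 'startdate' => '2017-09-01', 'junk' . $i => (string)$i];
}

$permissive = fn(array $q) => buildPaginationUrlPermissive($q, $prefix, 3);
$allowlisted = fn(array $q) => buildPaginationUrlAllowlisted($q, $prefix, 3, ['id', 'L', 'startdate', 'enddate']);

// One cache entry per junk value versus one entry for the whole set.
printf("permissive:   %d distinct URLs\n", countDistinctUrls($requests, $permissive));
printf("allow-listed: %d distinct URLs\n", countDistinctUrls($requests, $allowlisted));
```

Run with php 7.4 or newer (arrow functions). The permissive builder yields 1000 distinct URLs for the 1000 requests, the allow-listed builder yields one, which is the property the xclass relies on: the size of the URL set, and with it the cache, is bounded by the parameters you explicitly allow rather than by whatever a client chooses to send.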