[!!!][SECURITY] Mitigate potential cache flooding 21/49921/2
authorHelmut Hummel <info@helhum.io>
Tue, 13 Sep 2016 09:52:49 +0000 (11:52 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 13 Sep 2016 09:52:51 +0000 (11:52 +0200)
commit7b8258d064d0dde203f7fdb42f9700d6a3d701a7
tree59b58cc1c7ad0046dbd6878c3ab506244a506c09
parente292d9ead6965ba48ada0d16ef579bada773a138
[!!!][SECURITY] Mitigate potential cache flooding

Bind cHash to the page id it was generated for, to prevent
an attacker from being able to call multiple pages with the same
cHash arguments and thus create unnecessary cache entries.

We now add the id argument to the cHash calculation, but only
if there are other arguments in the URI which would require a cHash.
This avoids multiple cache entries for one page
(one with and one without cHash).

We ignore other core parameters like "type" and "MP", because the possibility
to create unnecessary cache entries by manipulating these is very limited
and thus an attack not feasible.

Adapted tests to show our new expectations for cHash calculations.

The new behavior is the default for new installations, but not for existing
installations, as an update would break the site with a high probability.

By adding the configuration option, we'll give users the chance to
pull the trigger once everything is prepared, but still get other
security issues fixed with the release.

Resolves: #76462
Releases: master, 8.3, 7.6, 6.2
Security-Commit: d67099a5e5dd387fa3fb8a9847933fbeb377d99f
Security-Bulletins: TYPO3-CORE-SA-2016-020, 021
Change-Id: Ie9753536dad5cae60e607a286e1ebb08efc3c85a
Reviewed-on: https://review.typo3.org/49921
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Core/Bootstrap.php
typo3/sysext/core/Configuration/DefaultConfiguration.php
typo3/sysext/core/Configuration/FactoryConfiguration.php
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
typo3/sysext/frontend/Classes/Page/CacheHashCalculator.php
typo3/sysext/frontend/Tests/Unit/Page/CacheHashCalculatorTest.php
typo3/sysext/lang/locallang_core.xlf
typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
typo3/sysext/reports/Resources/Private/Language/locallang_reports.xlf
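The following is an added illustration, not code from TYPO3 core or from this change: a minimal model of the cHash scheme the commit message describes, computed once the old way (page id ignored) and once the new way (page id folded into the hash whenever other cHash-relevant arguments are present). The list of core parameters, the encryption key, the plugin argument name tx_demo[uid] and the $includePageId flag are assumptions for the demo; the real calculator lives in typo3/sysext/frontend/Classes/Page/CacheHashCalculator.php and has more exclusion rules than shown here.

```php
<?php
// Added demo of cHash binding to the page id. Not TYPO3 core code; names and
// the secret below are assumptions made for this example only.

// Parameters that never take part in the hash (the commit message calls these
// core parameters; "id", "type" and "MP" are the ones it mentions).
const CORE_PARAMETERS = ['id', 'type', 'no_cache', 'cHash', 'MP'];

// Demo-only secret. A real installation mixes in
// $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] instead.
const ENCRYPTION_KEY = 'demo-only-encryption-key';

/**
 * Returns the parameters that take part in the cHash, or an empty array when
 * the query carries nothing that needs a cHash at all.
 *
 * @param array<string,string> $query  parsed query parameters
 * @param bool $includePageId          new behaviour: bind the hash to "id"
 */
function relevantParameters(array $query, bool $includePageId): array
{
    $relevant = [];
    foreach ($query as $name => $value) {
        if (in_array($name, CORE_PARAMETERS, true) || $value === '') {
            continue; // simplified: the real calculator has more exclusions
        }
        $relevant[$name] = $value;
    }
    if ($relevant === []) {
        // Nothing cHash-relevant: no hash, and "id" is NOT added, so the plain
        // page URL is cached once and not a second time with a cHash.
        return [];
    }
    if ($includePageId) {
        if (!isset($query['id'])) {
            throw new RuntimeException('id is required to bind the cHash to a page');
        }
        $relevant['id'] = $query['id'];
    }
    $relevant['encryptionKey'] = ENCRYPTION_KEY;
    ksort($relevant); // canonical order so the hash is parameter-order independent
    return $relevant;
}

function calculateCacheHash(array $query, bool $includePageId): string
{
    $relevant = relevantParameters($query, $includePageId);
    return $relevant === [] ? '' : md5(serialize($relevant));
}

function isValidCacheHash(array $query, bool $includePageId): bool
{
    $expected = calculateCacheHash($query, $includePageId);
    return $expected !== ''
        && isset($query['cHash'])
        && hash_equals($expected, $query['cHash']);
}

// --- Demo: the flooding scenario (constructed input) ----------------------

// The attacker obtains one legitimate cHash for page 1 with a plugin argument.
$legit = ['id' => '1', 'tx_demo[uid]' => '42'];

// Old scheme: replay that cHash against another page id. If the hash is
// accepted, one valid hash yields one new cache entry per page id.
$forged = $legit;
$forged['id'] = '2';
$forged['cHash'] = calculateCacheHash($legit, false);
printf("old scheme accepts the cHash replayed on page 2: %s\n",
    var_export(isValidCacheHash($forged, false), true));

// New scheme: the hash was generated for id=1, so replaying it on id=2 fails.
$forged['cHash'] = calculateCacheHash($legit, true);
printf("new scheme accepts the cHash replayed on page 2: %s\n",
    var_export(isValidCacheHash($forged, true), true));

// Only core parameters in the URL: still no cHash, so no duplicate entry.
printf("cHash for id+type only is empty: %s\n",
    var_export(calculateCacheHash(['id' => '1', 'type' => '0'], true) === '', true));
```

Run with `php demo.php`. The first line shows the replay succeeding under the old scheme and the second line shows it rejected under the new one; the third line shows why the id is only mixed in when other relevant arguments exist, which is the "one cache entry per page" concern from the commit message. The comparison uses hash_equals rather than `===` so that checking a submitted cHash is constant-time.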