[!!!][SECURITY] Mitigate potential cache flooding 25/49925/2
authorHelmut Hummel <info@helhum.io>
Tue, 13 Sep 2016 09:53:12 +0000 (11:53 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 13 Sep 2016 09:53:18 +0000 (11:53 +0200)
commit4a4bf359d7a6b2f6fc4deef2e1b69a84346dc57b
treedd6abda49d32e3372bd4d30248bca29fbe43e25b
parent2918d14e505c9f0043db7ee9c19311bd06a0ab08
[!!!][SECURITY] Mitigate potential cache flooding

Bind cHash to the page id it was generated for, to avoid
an attacker to be able to call multiple pages with the same
cHash arguments and thus create unnecessary cache entries.

We now add the id argument to the cHash calculation, but only
if there are other arguments in the URI which would require a cHash.
This avoids multiple cache entries for one page
(one with and one without cHash).

We ignore other core parameters like "type" and "MP", because the possibility
to create unnecessary cache entries by manipulating these is very limited
and thus an attack not feasible.

Adapted tests to show our new expectations for cHash calculations.

The new behavior is default for new installations, but not for on for existing
installations, as an update would break the site with a high probability.

By adding the configuration option, we'll give users the chance to
pull the trigger once everything is prepared, but still get other
security issues fixed with the release.

Resolves: #76462
Releases: master, 8.3, 7.6, 6.2
Security-Commit: d97bb1cc1aea4a616db0665b60366a1a23f5ee50
Security-Bulletins: TYPO3-CORE-SA-2016-020, 021
Change-Id: Id8801b7b7d86b65ecaa2ca5e9bb14c27d4268aee
Reviewed-on: https://review.typo3.org/49925
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Core/Bootstrap.php
typo3/sysext/core/Configuration/DefaultConfiguration.php
typo3/sysext/core/Configuration/FactoryConfiguration.php
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
typo3/sysext/frontend/Classes/Page/CacheHashCalculator.php
typo3/sysext/frontend/Tests/Unit/Page/CacheHashCalculatorTest.php
typo3/sysext/lang/locallang_core.xlf
typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
typo3/sysext/reports/Resources/Private/Language/locallang_reports.xlf