Commit 10913600 authored by Torben Hansen, committed by Benni Mack

[BUGFIX] Do not log failed HMAC validation from forms

When a HMAC of a submitted form is invalid, TYPO3 throws
a BadRequestException which is logged to sys_log and logfiles.
Those invalid HMAC validation errors occur when the values
of the hidden fields tx_extension[__trustedProperties]
(extbase) or tx_form_formframework[form-id][__state] (ext:form)
are manipulated.

Since a TYPO3 site owner has no reasonable possibility to
prevent tampered form submissions and in order to keep logs
clean from errors due to illegal requests, the exceptions
are now not logged any more.

Resolves: #93667
Related: #90134
Releases: master, 10.4, 9.5
Change-Id: Icc9b209b29c9624c03e6b4e6689b8242a02ef349
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68857

Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>
parent 9b651087
......@@ -33,6 +33,12 @@ abstract class AbstractExceptionHandler implements ExceptionHandlerInterface, Si
const CONTEXT_WEB = 'WEB';
const CONTEXT_CLI = 'CLI';
private const IGNORED_EXCEPTION_CODES = [
1396795884, // Current host header value does not match the configured trusted hosts pattern
1581862822, // Failed HMAC validation due to modified __trustedProperties in extbase property mapping
1581862823 // Failed HMAC validation due to modified form state in ext:forms
];
/**
* Displays the given exception
*
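Review bot: The new IGNORED_EXCEPTION_CODES constant has no docblock saying that every code listed in it is skipped entirely by writeLogEntries(), so a later contributor adding a code here may not realise the exception then leaves no trace in sys_log or the log files. A short docblock above the constant stating that consequence would help. Two smaller points in the same lines: the comment on 1581862823 says "ext:forms" while the commit message names the extension ext:form, and the last array element has no trailing comma, which makes the next addition a two-line diff. Because the constant is private, handlers extending AbstractExceptionHandler cannot add to or narrow the list; if that is intended, the docblock is a good place to say so.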
......@@ -59,8 +65,8 @@ abstract class AbstractExceptionHandler implements ExceptionHandlerInterface, Si
*/
protected function writeLogEntries(\Throwable $exception, $context)
{
// Do not write any logs for this message to avoid filling up tables or files with illegal requests
if ($exception->getCode() === 1396795884) {
// Do not write any logs for some messages to avoid filling up tables or files with illegal requests
if (in_array($exception->getCode(), self::IGNORED_EXCEPTION_CODES, true)) {
return;
}
$filePathAndName = $exception->getFile();
......
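Review bot: The early return in writeLogEntries() now drops codes 1581862822 and 1581862823 unconditionally, so a site operator who wants to see tampered __trustedProperties or __state submissions (for example to spot repeated probing of a form) has no way to get them back. Consider writing these at a reduced severity or behind a configuration switch instead of returning before any logger is reached, or state in the release notes that these requests are no longer recorded anywhere by the exception handler. The strict in_array(..., true) comparison is fine as long as getCode() returns an integer for these exceptions; none of the visible hunks add a test asserting that an exception carrying one of the listed codes produces no log entry while an unlisted code still does.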