-
Notifications
You must be signed in to change notification settings - Fork 126
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update to v. 2.0.15 tt_news catmenu and pagebrowser not working any more #244
Comments
Same issue with ext:news: news URL of single view changes, but shows always the same news. |
Guys, please, ask in mailing lists. You have cHash issues in links. This is not something that realurl can fix for you anymore. It did until security team decided it is not wanted. So you have to set cHash correctly now... |
What happens with the 2.0.15 change if one calls an URL that requires a cHash prior to the Link being generated? Also during realurl encoding it is possible that parameters are removed from URL due to nomatch bypass and that would change the cHash from the original calculated URL although as long as the speaking URL and the desired URL are stored that shouldn't be a problem. I think one solution would be to only generate cHash if all parameters are valid speaking URL parameters. All other URLs would have the cHash appended GET parameter anyway. |
@AndreasA You are repeating approximately the same arguments that I told to the security team. Guess the answer. |
Since updating from 2.0.14 to 2.0.15 I get broken links for tt_news detail views, too. Even with the RealURL autoconfig the errors remain. No hints in the Apache error log, either. I also noticed that after truncating the RealURL tables the URLs work once, but fail to load on the second try (cache is disabled on the test site). |
@seirerman You should never have cache disabled, even on a test site. Disabling it on a test site and enable in production, makes your two environments very different. This way your test site does not represent your live site. And with 2.0.15 you will always get 404s if you have cache disabled. This may change in 2.1.0 because I am thinking about bringing this functionality back but as optional (it will require special enabling in the configuration). |
@dmitryd I also remember an instance (was with realurl 1.x) where I had an issue in that regard that I removed parameters via the realurl configuration as the were unnecessary but then I had some links that appended the cHash and some that didn't which then resulted in problems because the speaking URL was always the same. |
Well, i humbly disagree with you on the no_cache thing for developmental sites. But even with config.no_cache=0 I still get the same behaviour (404s on the second try). |
@AndreasA This is what realurl actually did before 2.0.15: if there is no entry in the url cache and there are decoded URL parameters, it created a cHash. This allowed In my opinion this should not be realurl issue but a page cache issue. Cache should be able to keep its size under control and make sure that it works efficiently even with many entries. For example, memcached does that: it has a limit to the memory and starts discarding less used entries when there are too many of them. Nothing like that exists in TYPO3 caching framework. It just adds and adds new data. However security team disagreed that it should be solved on the page cache side. I do not blame them and understand their position: it is easier to remove cHash recalculation that to rework caching framework to keep caches under control. So we got easy but worse solution to the page cache DoS issue. If I were on their side, I would probably vote for such solution as well. Given lack of full time TYPO3 core developers, solving this on the core side is very unlikely. |
It is up to you :) But you should always realize that you put your def site into completely different behavior than your live site. For example, if you forget a |
@dmitryd: True, but my point still stands: I get 404s regardless of the cache settings with RealURL 2.0.15 And you mean useCacheHash, right? |
Yes, you will get those if you are logged in to BE because that disables realurl cache.
Yes. That was a typo. |
@dmitryd: But I am not logged in! |
@seirerman Not logged in OR have cache disabled is the same. See how it works with and without cache. With cache When BE user is logged in or URL cache is disabled Prior to version 2.0.15 the decoder also checked if there are URL parameters but cHash is missing. If yes and yes, it would create a cHash. Since 2.0.15 cHash is not created. Than the decoder puts all parameters to |
Until 2.1.0 is out, everybody, who suffer from this issue, can use one of two solutions:
|
The pages are cached (config.no_cache=0) AND I'm not logged in (Different URL than BE, different browser, doesn't matter), is what I'm trying to say. ;-) Anyway, would going back to RealURL 1.13.6 be a valid option, too, regarding the DOS possibility and until 2.1.0 comes out? |
@dmitryd thanks for the suggested two solutions until v. 2.1.0 is out. But will v. 2.1.0 fix the initial problem i had with the catmenu and the page browser of tt_news? Or is that just a configurations issue which should be fixed in the realurlconfiguration.php itself regardless of the realurl version? Thank you for the quick support/response. |
@triograf The issue should not happen if you do not clear or disable URL cache. |
Relevant: calculateChashIfMissing |
Shouldn't that ifMissing actually solve the DoS attack too? Because there can only be one cHash value stored then. In regards to DoS: That is why I said we would have to add a check that only does cHash calculation if ALL parameters are coming from realurl and are of a limited ranch, like lookupTable, valueMap. In regards to DoS: That is why I said we would have to add a check that only does cHash calculation if ALL parameters are coming from realurl and are of a limited ranch, like lookupTable, valueMap. You are probably right though that the best solution would be better page cache handling in the core in regards to the DoS attack but I also don't think it is likely to happen in the near future. Another thing: So one should never clear the decode cache afterwards? |
Not really because
Unfortunately, yes.
Starting from 2.1.0, realurl will handle page renames by adding expiration time to such URLs. So URL cache clearing will be semi-automatic. I'd say that cache should be left alone. Realurl is good enough to manage it. |
@dmitryd but i did not touched nor disabled the url cache. Just updated to v. 2.0.15. After that the catmenu and the page browser did not work. The detail page work as expected. |
@triograf Check if you actually have entries in the URL log on the corresponding page. |
That's good because I already had that problem once (old URLs). In that regard: Will a change of a pagename (in any language) clear all URLs of that page, also that of different languages? A nice feature here would be (in regards to SEO) to add an option to automatically redirect from the old URL to the new URL (with a 301) |
It will mark URL as expired. If somebody visits such URL, he will be redirected to the current URL. And only the URL for the edited language is marked as expired. |
So if one wants to support content fallback or similar additional hooks will be required? Would be great if you add a possibility to add a hook at that position. The redirect will be 301 (Google etc. I think need 301 redirects to transfer the rating of the page to the new page) or can it be defined what type of redirect? |
Let's see how TYPO3 works without realurl: Can anybody know the URI to a location (e.g. news detail view) which requires a cHash before TYPO3 generated it? No. It is impossible because the cHash is built using (some) URI arguments and a secret (encryption key), which is only known to TYPO3. This means that a URI (which requires a cHash to work correctly) does not exist before TYPO3 created it! This is a base concept of TYPO3 (page caching), which we have to live with until we change it. realurl as an extension to TYPO3 has to build upon these concepts. As a logical consequence, "if one calls an URL that requires a cHash prior to the Link being generated" it'll fail like any other link that requires a cHash even without realurl. If realurl now removes the cHash from the URL, it is responsible to remember the original URL including the removed including the cHash argument. Since this is vital information it should NOT be stored in a volatile cache, but in a more persistent place to make clear that removing this information equals removing the URLs resulting in a 404. |
Actually it can be guessed easily. Sometimes I even type those urls manually during development :)
Incorrect :( This will work only if cHash is persistently stored somewhere for the URL.
All correct but I want to add/stress two points here:
|
@AndreasA You are welcome to study realurl code to get answers to all your questions. @helmum I do not want to argue. I spent enough time in this thread and on realurl in general to continue the same discussion again and again. I suggest to stop here. There are other things in life that deserve time... |
Oops, sorry for the typo :( |
As mentioned I checked and yes there is an expire and clear cache function but as mentioned in the code it only works for pages - and you won't get all possible parameters here or am I missing somewhere where the urlcache is expired / cleared because realurl parameters do not exist anymore? Also as mentioned 'cache/disable' will disable caching and therefore cHash won't be stored at all. And then there is the backend module that allows one to clear the Url-Cache but with the cHash change due to 2.0.15 one cannot do so anymore without "consequences". |
Yes, this is one of reasons why chash calc was there since the beginning. For the rest you can search the code more. |
1.) You said you had problems with people asking question why things didn't work correctly due them e.g. deleting cache tables with the current solution you are back to that "issue". 2.) I agree that with the previous method everything was fine in regards to caches. It only generates a hash if realurl is allowed to generate the cHash on its own during decode, nothing more. If one goes with the 256 bytes due to overhead that helhum mentioned you would need over 4 million entries to reach one gigabyte. 3.) I checked the code more and: The issue now is just that we are storing necessary data cHash into tables that are not supposed to be necessary (cache) |
I just saw that you renamed those tables which is great that way people will not just delete data that might be necessary. |
Please, don't post entries like this to the bug tracker because they only loose my time and do not add any value to the product. |
The following fix has been merged in TYPO3 6.2, 7.6 and in master: https://review.typo3.org/#/c/49925/. Setting |
Yes, I am aware of that. It will solve issues for those, who still use 2.0.14. |
Uhm, no. With |
Okay, good to know. I expected it to work. @helhum If you already tested it, do you have exception text under hand (no problem if not, just wondering what the exception is)? |
The problematic lines in realurl are these: typo3-realurl/Classes/Decoder/UrlDecoder.php Lines 156 to 159 in bb47c65
This exception will be thrown: https://github.com/TYPO3/TYPO3.CMS/blob/master/typo3/sysext/frontend/Classes/Page/CacheHashCalculator.php#L131 Reason is, that cHash calculation will then require the id argument to be passed to |
Which is not done because doDecoding does not add the 'id' to the $requestVariables. Also I think it doesn't really fix the bugfix of 2.0.15 in 2.0.14 because one could still create arbitrary arguments. Also in UrlEncoder for storeInUrlCache there i a comment that says: which might also create troubles? |
@helhum Thanks! So I should modify the code to add 'id' there if I use cHash calculator... |
As far as I understand: But I think you actually meant that already. |
Btw. I forgot to ask when using the current development or 2.0.15 and use bypass variables can that create problems in regards to cHash and v2.x |
Yes, that is also what the security bulletin advises:
|
@AndreasA What bugfix of 2.0.15? |
FYI: I am not receiving notifications in this thread anymore because it makes too much email noise. |
I unsubscribed as well now |
Meant the one regarding storing cHash instead of calculating it - the reason for 2.0.15 release (security issue). |
For tt_news fix for "read more link" without chash:
|
After updating realurl to v. 2.0.15. (TYPO3 v. 7.6.9) the category menu and the pagebrowser of the ext tt_news are not working anymore. The url changes but the content in the frontend remains the same without any change.
reaulurl for tt_news is configured like this:
The text was updated successfully, but these errors were encountered: