[SECURITY] Mitigate denial-of-service scenarios in page error handler

This fixes TYPO3-CORE-SA-2021-005 again, which accidentally had been removed during TYPO3 v11 development. An inaccessible error page amplified potential denial-of-service scenarios. Resolves: #97818 Releases: main, 11.5 Change-Id: Ia9c666731f70db5e0a60572cd008f1d0c541af37 Security-Bulletin: TYPO3-CORE-SA-2022-006 Security-References: CVE-2022-36104 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75709 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3-CMS · Sep 13, 2022 · 2630a80 · 2630a80
1 parent dd2e87c
commit 2630a80
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/Classes/Error/PageErrorHandler/PageContentErrorHandler.php b/Classes/Error/PageErrorHandler/PageContentErrorHandler.php
@@ -95,6 +95,13 @@ public function handlePageError(ServerRequestInterface $request, string $message
             $urlParams['pageuid'] = (int)($urlParams['pageuid'] ?? 0);
             $resolvedUrl = $this->resolveUrl($request, $urlParams);
 
+            // avoid denial-of-service amplification scenario
+            if ($resolvedUrl === (string)$request->getUri()) {
+                return new HtmlResponse(
+                    'The error page could not be resolved, as the error page itself is not accessible',
+                    $this->statusCode
+                );
+            }
             if ($this->useSubrequest) {
                 // Create a subrequest and do not take any special query parameters into account
                 $subRequest = $request->withQueryParams([])->withUri(new Uri($resolvedUrl))->withMethod('GET');