[BUGFIX] Do not log failed HMAC validations in ext:frontend

With #93667 logging of HMAC validation errors caused by potentially manipulated form submissions has been disabled. The change does however not consider exceptions handled in the ProductionExceptionHandler for content objects in ext:frontend. This change prevents logging of two exceptions caused by potential manipulated form submissions in ProductionExceptionHandler for content objects. Resolves: #97830 Related: #90134 Releases: main, 11.5 Change-Id: Ibee8268584e2729766c5528bf8687fd6055a4030 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74946 Tested-by: core-ci <typo3@b13.com> Tested-by: Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
TYPO3 · Jul 1, 2022 · 07447e0 · 07447e0
1 parent 4cdbefc
commit 07447e0
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php b/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
@@ -44,10 +44,13 @@ abstract class AbstractExceptionHandler implements ExceptionHandlerInterface, Si
 
     private const IGNORED_EXCEPTION_CODES = [
         1396795884, // Current host header value does not match the configured trusted hosts pattern
+        1616175867, // Backend login request is rate limited
+        1616175847, // Frontend login request is rate limited
+    ];
+
+    public const IGNORED_HMAC_EXCEPTION_CODES = [
         1581862822, // Failed HMAC validation due to modified __trustedProperties in extbase property mapping
         1581862823, // Failed HMAC validation due to modified form state in ext:forms
-        1616175867, // Backend login request is rate limited
-        1616175847,  // Frontend login request is rate limited
     ];
 
     /**
@@ -78,7 +81,8 @@ public function handleException(\Throwable $exception)
     protected function writeLogEntries(\Throwable $exception, string $mode): void
     {
         // Do not write any logs for some messages to avoid filling up tables or files with illegal requests
-        if (in_array($exception->getCode(), self::IGNORED_EXCEPTION_CODES, true)) {
+        $ignoredCodes = array_merge(self::IGNORED_EXCEPTION_CODES, self::IGNORED_HMAC_EXCEPTION_CODES);
+        if (in_array($exception->getCode(), $ignoredCodes, true)) {
             return;
         }
 

diff --git a/typo3/sysext/frontend/Classes/ContentObject/Exception/ProductionExceptionHandler.php b/typo3/sysext/frontend/Classes/ContentObject/Exception/ProductionExceptionHandler.php
@@ -20,6 +20,7 @@
 use Psr\Log\LoggerInterface;
 use TYPO3\CMS\Core\Context\Context;
 use TYPO3\CMS\Core\Crypto\Random;
+use TYPO3\CMS\Core\Error\AbstractExceptionHandler;
 use TYPO3\CMS\Core\Http\ImmediateResponseException;
 use TYPO3\CMS\Frontend\ContentObject\AbstractContentObject;
 
@@ -78,8 +79,10 @@ public function handle(\Exception $exception, AbstractContentObject $contentObje
         // "%s" has to be replaced by {code} for b/w compatibility
         $errorMessage = str_replace('%s', '{code}', $errorMessage);
 
-        // Log exception
-        $this->logger->alert($errorMessage, ['exception' => $exception, 'code' => $code]);
+        // Log exception except HMAC validation exceptions caused by potentially forged requests
+        if (!in_array($exception->getCode(), AbstractExceptionHandler::IGNORED_HMAC_EXCEPTION_CODES, true)) {
+            $this->logger->alert($errorMessage, ['exception' => $exception, 'code' => $code]);
+        }
 
         // Return error message by replacing {code} with the actual code, generated above
         return str_replace('{code}', $code, $errorMessage);