From 1be3c1888994efc26cf4bc48fcb922ba07bd7d41 Mon Sep 17 00:00:00 2001
From: Lorenz Ulrich
Date: Thu, 25 Sep 2025 21:59:37 +0200
Subject: [PATCH 1/2] [BUGFIX] Prevent infinite loop when trustedProperties validation fails
If the __trustedProperties hidden property of a form is manipulated or submit as empty, the HMAC validation fails, throwing an exception. The normal exception handling then tries to forward the request to the formAction, which itself also validates the HMAC. This leads to an infinite loop which is only resolved after 100 iterations by throwing an InfiniteLoopException. This process takes time, therefore Powermail is vulnerable to DoS attacks. The change checks for a BadRequestException from the HMAC validation. In such a case, a redirect to the (then empty) formAction is performed and the error is logged.
Resolves: #1293
---
Classes/Controller/FormController.php | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/Classes/Controller/FormController.php b/Classes/Controller/FormController.php
index 8329f2ae1..8b4026ed2 100644
--- a/Classes/Controller/FormController.php
+++ b/Classes/Controller/FormController.php
@@ -609,6 +609,17 @@ public function processRequest(RequestInterface $request): ResponseInterface
 return parent::processRequest($request);
 } catch (PropagateResponseException $e) {
 return $e->getResponse();
+ } catch (BadRequestException $e) {
+ if (in_array($e->getCode(), [1581862822, 1699604555, 1691267306])) {
+ // If the trustedProperties HMAC can not be validated, we redirect to an empty form because the
+ // request cannot be salvaged and would lead to an infinite loop.
+ $logger = ObjectUtility::getLogger(__CLASS__);
+ $logger->warning('Redirecting to empty form because HMAC validation failed.', [$e->getMessage()]);
+ return $this->redirect('form');
+ }
+ $logger = ObjectUtility::getLogger(__CLASS__);
+ $logger->critical('An error occurred: ', [$e->getMessage()]);
+ return (new ForwardResponse('form'))->withoutArguments();
 } catch (\Exception $e) {
 $logger = ObjectUtility::getLogger(__CLASS__);
 $logger->critical('An error occurred: ', [$e->getMessage()]);
From e44ea7779d581fd5421d6661b34d3d8ed07b8516 Mon Sep 17 00:00:00 2001
From: lorenzulrich
Date: Mon, 13 Oct 2025 21:22:55 +0200
Subject: [PATCH 2/2] fix: Add BadRequestException import to FormController
---
Classes/Controller/FormController.php | 1 +
1 file changed, 1 insertion(+)
diff --git a/Classes/Controller/FormController.php b/Classes/Controller/FormController.php
index 8b4026ed2..958cd33ef 100644
--- a/Classes/Controller/FormController.php
+++ b/Classes/Controller/FormController.php
@@ -38,6 +38,7 @@ use In2code\Powermail\Utility\ObjectUtility;
 use In2code\Powermail\Utility\SessionUtility;
 use In2code\Powermail\Utility\TemplateUtility;
+use TYPO3\CMS\Core\Error\Http\BadRequestException;
 use function in_array;
 use Psr\EventDispatcher\EventDispatcherInterface;
 use Psr\Http\Message\ResponseInterface;
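Review bot: The redirect guard in the new `catch (BadRequestException $e)` branch keys on three hard-coded, unexplained exception codes, so any HMAC failure that surfaces with a different code — for example after a TYPO3 core upgrade changes or adds one — falls through to `return (new ForwardResponse('form'))->withoutArguments();`, which according to the commit message is exactly the forward that re-validates the request and produces the 100-iteration loop this patch is meant to stop. I would move the list into a documented class constant and compare strictly, as the file already imports `use function in_array;`: `/** Exception codes thrown by TYPO3 core when the __trustedProperties HMAC does not validate; such a request cannot be salvaged. */ private const HMAC_VALIDATION_ERROR_CODES = [1581862822, 1699604555, 1691267306];` together with `if (in_array($e->getCode(), self::HMAC_VALIDATION_ERROR_CODES, true)) {`. It is also worth considering whether the fallback for other `BadRequestException` codes should redirect rather than forward, since a bad-request condition is unlikely to be cured by re-running the same request — I cannot tell from this hunk whether `formAction` rethrows in that case. The `$logger = ObjectUtility::getLogger(__CLASS__);` lookup is duplicated inside and after the `if`; hoisting it above the branch removes the repetition. The `catch (\Exception $e)` block at the end of the hunk, and processRequest itself, continue outside the hunk.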