[SECURITY] Add cache for error page handling
To prevent DoS attacks by using page-based error handling, the content of the error page is now cached, this prevents fetching the content of the error pages again and again.

Resolves: #88824
Releases: master, 11.1, 10.4, 9.5
Change-Id: I6dea5200dc710a182b66deedfbeb2110ea829117
Security-Bulletin: TYPO3-CORE-SA-2021-005
Security-References: CVE-2021-21359
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68430
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Showing 2 changed files with 80 additions and 9 deletions.
24 changes: 24 additions & 0 deletions
...Documentation/Changelog/master/Important-88824-AddCacheForErrorPageHandling.rst
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
.. include:: ../../Includes.txt | ||
|
||
===================================================== | ||
Important: #88824 - Add cache for error page handling | ||
===================================================== | ||
|
||
See :issue:`88824` | ||
|
||
Description | ||
=========== | ||
|
||
In order to prevent possible DoS attacks when the page-based error handler | ||
is used, the content of the 404 error page is now cached in the TYPO3 | ||
page cache. Any dynamic content on the error page (e.g. content created | ||
by TypoScript or uncached plugins) will therefore also be cached. | ||
|
||
If the 404 error page contains dynamic content, TYPO3 administrators must | ||
ensure that no sensitive data (e.g. username of logged in frontend user) | ||
will be shown on the error page. | ||
|
||
If dynamic content is required on the 404 error page, it is recommended | ||
to implement a custom PHP based error handler. | ||
|
||
.. index:: Backend, ext:backend |
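Review bot: The Description paragraphs name only the 404 error page, while the commit message speaks of error pages in general; if content for other status codes served by the page-based error handler is cached too, say so here, because the warning about sensitive data on the error page then applies to those pages as well. The text also does not say how long the cached copy is kept or how an administrator can flush it, which is what someone needs to know after removing sensitive dynamic content from the page. Separately, the closing `.. index:: Backend, ext:backend` line looks mismatched with a change described entirely in terms of frontend error pages and the page cache; please check the tags.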