b13/trusted-url-params 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

b13/trusted-url-params

Composer 安装命令:

composer require b13/trusted-url-params

包简介

TYPO3 Extension to ensure that only safe queryParams from TYPO3s Routing are added to generated links

README 文档

README

This TYPO3 extension modifies the generation of links to TYPO3 pages to only include the current query parameters ($_GET) that have been resolved by TYPO3's Routing.

Background

TYPO3's typolink functionality is super-powerful but also drags a lot of history with it. Various issues have been addressed with TYPO3's Routing, which was introduced in TYPO3 v9.

However, one main issue still resolves: The usage of the option addQueryString of typolink. If used, the option adds any existing $_GET parameter to the generated URL and - in the worst case - generates a valid cHash for this link.

addQueryString allows to define an exclude list of GET parameters, however this issue can never be solved properly with an exclude list, but rather an allow-list. With TYPO3 v9, we already have an "allow list" of the current request - all GET parameters or arguments that have been found in the route path ("route arguments"). This is a much better way to generate the "addQueryString" logic than using the plain $_GET array.

Since TYPO3 v9, this issue has become more visible as the commonly used seo extension uses addQueryString to generate the canonical tag, or the language menu.

How we fixed it

This extension provides an XCLASS (as there is currently no alternative to hook into this place of link generation) and only takes safe query parameters from the current URL, and only for generated URLs that use the addQueryString flag.

When to use this extension

We recommend using this extension

  • if you have trouble with SEO campaigns and an invalid canonical tag
  • or if (valid) bots taking crazy links and fill your cache backends or eat up your server resources
  • and if you know you don't misuse "addQueryString" in any other places such as your own TypoScript or third-party extensions

Please read https://typo3.org/security/advisory/typo3-psa-2021-003 for more details.

TYPO3 v12

TYPO3 v12 finally enforces addQueryString to only allow "trusted" URL Parameters making this extension obsolete, however the extension continues to be compatible with TYPO3 v12 when extension use legacy functionality.

See https://review.typo3.org/c/Packages/TYPO3.CMS/+/75864 for the related core change.

Installation

Install this extension via composer req b13/trusted-url-params or download it from the TYPO3 Extension Repository and activate the extension in the Extension Manager of your TYPO3 installation.

Note: This extension is compatible with TYPO3 v9, v10 and v11.

Configuration

This extension provides safe URLs by default, and no further configuration is needed. However, custom TypoLink links can use the addQueryString.includeUntrusted = 1 property to also include URL parameters that are added as GET parameters (such as query strings from SolR).

Possible side effects

As we believe in the concept of an "allow list", we further want to extend this configuration to allow regular query parameters if configured in e.g. a site configuration to allow proper pagination links, which might be an issue.

Inspiration

  • TYPO3 Core v9 Routing (Thanks to Oliver Hader and Benni Mack)
  • Helmut Hummel (original idea on how to solve it "the core way")
  • Extension "urlguard" (Thanks to Krystian Szymukowicz from SourceBroker)
  • Extension "urlguard2" (Thanks to Georg Ringer from Studio Mitte)
  • Extension "seo-canonical-guard"

Credits

This extension was created by Benni Mack in 2021 for b13 GmbH, Stuttgart.

Find more TYPO3 extensions we have developed that help us deliver value in client projects. As part of the way we work, we focus on testing and best practices to ensure long-term performance, reliability, and results in all our code.

b13/trusted-url-params 适用场景与选型建议

b13/trusted-url-params 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 246.05k 次下载、GitHub Stars 达 8, 最近一次更新时间为 2021 年 08 月 25 日, 在 PHP 生态内属于活跃度较高的组件。

我们在过去多个企业项目中使用过 b13/trusted-url-params 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 b13/trusted-url-params 我们能提供哪些服务?
定制开发 / 二次开发

基于 b13/trusted-url-params 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 246.05k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 8
  • 点击次数: 37
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 8
  • Watchers: 7
  • Forks: 1
  • 开发语言: PHP

其他信息

  • 授权协议: GPL-2.0-or-later
  • 更新时间: 2021-08-25