Closed sypets closed 1 year ago
This is not a bug in the extension as you already noticed. Calling a form without the mail parameter will lead to an extbase exception. And yes a mail parameter is needed. You could write a PSR-15 middleware to throw a 404 if the parameter ?tx_powermail_pi1[action] is given (via GET) but no ?tx_powermail_pi1[mail] (via POST). We did something similar for undefined TypeNum requests - see https://www.in2code.de/aktuelles/php-typo3-log-eintraege-the-page-is-not-configured-type-vermeiden/
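The PSR-15 middleware suggested in the reply above could look like the following. This is an added example, not code from powermail or in2code: the namespace and class name are hypothetical, a PSR-17 ResponseFactoryInterface is assumed to be injectable (PHP 8 constructor promotion is used), and any non-empty tx_powermail_pi1[mail] value, GET or POST, is treated as a real submission so that legitimate form posts pass through.

```php
<?php
declare(strict_types=1);

namespace Vendor\Sitepackage\Middleware; // hypothetical namespace

use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

/**
 * Answers 404 when a powermail action that requires the "mail" argument is
 * requested without it, so extbase never raises exception #1298012500.
 */
final class PowermailMissingMailMiddleware implements MiddlewareInterface
{
    private const PLUGIN = 'tx_powermail_pi1';
    // Actions named in this thread; extend if others show up in your logs.
    private const ACTIONS = ['create', 'confirmation'];

    public function __construct(private ResponseFactoryInterface $responseFactory)
    {
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // Plugin arguments can arrive in the query string or the POST body.
        $query = $request->getQueryParams()[self::PLUGIN] ?? [];
        $body = $request->getParsedBody();
        $post = is_array($body) ? ($body[self::PLUGIN] ?? []) : [];
        $query = is_array($query) ? $query : [];
        $post = is_array($post) ? $post : [];

        $action = $post['action'] ?? $query['action'] ?? null;
        if (!is_string($action) || !in_array($action, self::ACTIONS, true)) {
            return $handler->handle($request); // not a request this guard covers
        }

        // A real submission carries tx_powermail_pi1[mail]; crawled URLs do not.
        $mail = $post['mail'] ?? $query['mail'] ?? null;
        if ($mail !== null && $mail !== '' && $mail !== []) {
            return $handler->handle($request);
        }

        // Action requested without the required argument: answer 404 quietly.
        return $this->responseFactory->createResponse(404);
    }
}
```

Register the class in the frontend stack of your extension's Configuration/RequestMiddlewares.php.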
Our TYPO3 installation's syslog is also littered with these Core: Exception handler (WEB): Uncaught TYPO3 Exception: #1298012500: Required argument "mail" is not set for In2code\Powermail\Controller\FormController->confirmation alerts (TYPO3 Exception 1298012500) due to web crawlers.
In fact, powermail's FormController->confirmation is the only source of this TYPO3 Exception 1298012500 for us. It would be great if the powermail extension included such a middleware as you described.
Summary: spam / bot protection blocks hit after an ALERT log message is already generated (e.g. if bots access pages via GET parameter with URL which would normally call an action). Unfortunately, search engines / SEO bots do crawl these URLs (with &tx_powermail_pi1%5Baction%5D=create) - possibly because of insufficient spam protection previously (these might be very old URLs).
Basically, my question is: Is it safe to block URLs with GET request and tx_powermail_pi1%5Baction%5D=(confirmation|create) in the query parameter (see no 2).
Possible solution
1. $mail in createAction / confirmationAction etc. as optional
2. [&|\?]tx_powermail_pi1%5Baction%5D=(confirmation|create) (because if the form is submitted, it should be a POST request)
I think no 2 might be realistic but I am a bit reluctant since this might break things ...
Reproduce
"Required argument \"mail\" is not set for "
Details
I guess, this is not really a bug, but an annoyance. It is an annoyance because you spend time trying to find out the cause of error and fix it (which I regularly do) and it clutters up the log file (if you are not using sentry or some other method it is cumbersome to filter out the errors which are irrelevant or you can't do anything about).
I noticed a number of entries in the TYPO3 logs with the string "Required argument "mail" is not set for In2code\Powermail\Controller\FormController->create".
When analyzing it further, I found corresponding entries in the webserver logs.
TYPO3 log:
URL:
https://mysite.de/something/registration?cHash=21b5b5e3cb699c2ee6987ad4e6d05b1a&tx_powermail_pi1%5Baction%5D=create&tx_powermail_pi1%5Bcontroller%5D=Form
Example webserver log with bots / search engine access (semrush, ahrefs etc.):
Webserver logs: