in2code-de / powermail

This is the official repository of the TYPO3 extension powermail! Powermail is a well-known, editor-friendly, powerful and easy mailform extension for TYPO3
https://in2code.de

Access by bots via GET request with action parameters results in error entries generated in logs #828

Closed sypets closed 1 year ago

sypets commented 1 year ago

Summary: the spam / bot protection block only hits after an ALERT log message has already been generated (e.g. if bots access pages via GET with a URL that would normally call an action). Unfortunately, search engines / SEO bots do crawl these URLs (with &tx_powermail_pi1%5Baction%5D=create), possibly because of insufficient spam protection previously (these might be very old URLs).

Basically, my question is: Is it safe to block URLs with a GET request and tx_powermail_pi1%5Baction%5D=(confirmation|create) in the query parameters (see no. 2)?

Possible solution

  1. in powermail: handle these errors not as ALERT. I don't think this is easily possible, because the exception is handled in the Extbase framework, but it might be possible to make the argument $mail in createAction / confirmationAction etc. optional
  2. by site owners: block GET requests with powermail query parameters which call an action, e.g. with [&|\?]tx_powermail_pi1%5Baction%5D=(confirmation|create) (because if the form is submitted, it should be a POST request)

I think no. 2 might be realistic, but I am a bit reluctant since this might break things ...

Reproduce

  1. Create a powermail form
  2. When you submit it, copy the resulting URL
  3. reload the URL in another browser tab
  4. Check the TYPO3 log files (written via logging framework) for a new entry containing "Required argument \"mail\" is not set for "

Details

I guess this is not really a bug, but an annoyance. It is an annoyance because you spend time trying to find out the cause of the error and fix it (which I regularly do), and it clutters up the log file (if you are not using Sentry or some other method, it is cumbersome to filter out the errors which are irrelevant or that you can't do anything about).

I noticed a number of entries in the TYPO3 logs with the string "Required argument "mail" is not set for In2code\Powermail\Controller\FormController->create".

When analyzing it further, I found corresponding entries in the webserver logs.

TYPO3 log:

Mon, 14 Nov 2022 04:14:17 +0100 [ALERT] request="27d7bf38464b3" component="TYPO3.CMS.Frontend.ContentObject.Exception.ProductionExceptionHandler": 
Oops, an error occurred! 
Code: 2022111403141610d0e3bd- RequiredArgumentMissingException: Required argument "mail" is not set for In2code\Powermail\Controller\FormController->create., in file /var/www/mysite/public/typo3/sysext/extbase/Classes/Mvc/Controller/ActionController.php:1044 - 
{"exception":"TYPO3\\CMS\\Extbase\\Mvc\\Controller\\Exception\\RequiredArgumentMissingException: Required argument \"mail\" is not set for In2code\\Powermail\\Controller\\FormController->create. ...

URL: https://mysite.de/something/registration?cHash=21b5b5e3cb699c2ee6987ad4e6d05b1a&tx_powermail_pi1%5Baction%5D=create&tx_powermail_pi1%5Bcontroller%5D=Form

Example webserver log with bot / search engine access (Semrush, Ahrefs, etc.):

ssl_access.log:***IP*** - - [14/Nov/2022:04:14:16 +0100] "GET /****?cHash=21b5b5e3cb699c2ee6987ad4e6d05b1a&tx_powermail_pi1%5Baction%5D=create&tx_powermail_pi1%5Bcontroller%5D=Form HTTP/1.1" 200 12597 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)" uol.de [lid -] 1s 1715856us
ssl_access.log:***IP*** - - [14/Nov/2022:04:24:46 +0100] "GET /*****?cHash=0a4c8c1c8591a830eb26310a581b0ab9&tx_powermail_pi1%5Baction%5D=confirmation&tx_powermail_pi1%5Bcontroller%5D=Form HTTP/1.1" 200 12245 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)" uol.de [lid -] 1s 1432799us
einpraegsam commented 1 year ago

This is not a bug in the extension as you already noticed. Calling a form without the mail parameter will lead to an extbase exception. And yes a mail parameter is needed. You could write a PSR-15 middleware to throw a 404 if the parameter ?tx_powermail_pi1[action] is given (via GET) but no ?tx_powermail_pi1[mail] (via POST). We did something similar for undefined TypeNum requests - see https://www.in2code.de/aktuelles/php-typo3-log-eintraege-the-page-is-not-configured-type-vermeiden/
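
The middleware sketched in the comment above, and the site-owner blocking rule proposed under "Possible solution" no. 2, share one decision: a GET request whose tx_powermail_pi1[action] is create or confirmation but which carries no tx_powermail_pi1[mail] in the request body cannot be a real form submission, so it can be answered with 404 before Extbase dispatches to FormController and raises the RequiredArgumentMissingException. The following PSR-15 middleware is an added illustration written for this page, not code from powermail or from in2code. The namespace Vendor\SitePackage, the middleware identifier vendor/site-package/powermail-get-guard and the before/after ordering in the registration array are assumptions to be adapted to the installation; ErrorController::pageNotFoundAction() is TYPO3 core's way of rendering the site's configured 404 page. Only the two actions named in the issue are blocked, and only on GET without form data, so genuine POST submissions and every other powermail action pass through unchanged.

```php
<?php
declare(strict_types=1);

// File 1 (assumed path): Classes/Middleware/PowermailGetGuard.php of a site package.
namespace Vendor\SitePackage\Middleware;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Frontend\Controller\ErrorController;

/**
 * Answers 404 to GET requests that name a powermail submit action
 * (create / confirmation) but carry no posted tx_powermail_pi1[mail] data.
 * Crawlers replaying old form URLs therefore never reach FormController,
 * and no "Required argument \"mail\" is not set" ALERT is logged.
 */
final class PowermailGetGuard implements MiddlewareInterface
{
    /** Actions that are only ever the target of a POSTed form. */
    private const BLOCKED_ACTIONS = ['create', 'confirmation'];

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        if (self::isOrphanedActionRequest(
            $request->getMethod(),
            $request->getQueryParams(),
            $request->getParsedBody()
        )) {
            // Render the site's configured 404 page; Extbase is never dispatched.
            return GeneralUtility::makeInstance(ErrorController::class)
                ->pageNotFoundAction($request, 'powermail action requested via GET without form data');
        }
        return $handler->handle($request);
    }

    /**
     * Pure decision function (no TYPO3 dependencies) so it can be unit-tested.
     * TYPO3 parses tx_powermail_pi1[action]=create into a nested array, hence
     * $query['tx_powermail_pi1']['action'].
     */
    public static function isOrphanedActionRequest(string $method, array $query, $parsedBody): bool
    {
        if ($method !== 'GET') {
            return false; // a real submission is a POST and is never touched
        }
        $action = $query['tx_powermail_pi1']['action'] ?? null;
        if (!is_string($action) || !in_array($action, self::BLOCKED_ACTIONS, true)) {
            return false; // form, optin and any other action pass through
        }
        $mail = is_array($parsedBody) ? ($parsedBody['tx_powermail_pi1']['mail'] ?? null) : null;
        return $mail === null;
    }
}

// File 2 (assumed path): Configuration/RequestMiddlewares.php of the same site package.
// Shown here in the same listing for brevity; it is a separate file in a real installation.
return [
    'frontend' => [
        'vendor/site-package/powermail-get-guard' => [
            'target' => \Vendor\SitePackage\Middleware\PowermailGetGuard::class,
            // Run after site resolution so ErrorController can use the site's 404 handler,
            // but before the page is resolved and rendered. Ordering is an assumption.
            'after'  => ['typo3/cms-frontend/site'],
            'before' => ['typo3/cms-frontend/page-resolver'],
        ],
    ],
];
```

Against the two webserver log lines quoted in the issue (GET with tx_powermail_pi1[action]=create and =confirmation, no body), isOrphanedActionRequest() returns true and the bots receive a 404 instead of the 200 they currently get, while the same URL reached via the form's POST carries tx_powermail_pi1[mail] and is handled normally. The regex from solution no. 2 expresses the same rule at the webserver layer; the middleware variant has the advantage that it can inspect the request method and parsed body rather than only the query string.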

Abdull commented 1 year ago

This is not a bug in the extension as you already noticed. Calling a form without the mail parameter will lead to an extbase exception. And yes a mail parameter is needed. You could write a PSR-15 middleware to throw a 404 if the parameter ?tx_powermail_pi1[action] is given (via GET) but no ?tx_powermail_pi1[mail] (via POST). We did something similar for undefined TypeNum requests - see https://www.in2code.de/aktuelles/php-typo3-log-eintraege-the-page-is-not-configured-type-vermeiden/

Our TYPO3 installation's syslog is also littered with these 'Core: Exception handler (WEB): Uncaught TYPO3 Exception: #1298012500: Required argument "mail" is not set for In2code\Powermail\Controller\FormController->confirmation' alerts (TYPO3 exception 1298012500) due to web crawlers.

In fact, powermail's FormController->confirmation is the only source of this TYPO3 Exception 1298012500 for us. It would be great if the powermail extension included such a middleware you described.