URL parameter sanitization

[nvindice]

Hi, I'm not sure where to post this best, so I created an issue here at the core package. Affected version is at least 2021.10 on TYPO3.

Additionally, I'm not sure where this problem comes from - I guess it's caching related.

Google stores a dozen URLs to our shop with additional parameters like ?currency=EUR"'`--)&locale=de&site=default. To me, this looks like somebody tried out SQL injections which was somehow cached and then later discovered by Google.

How to get rid of these "dirty" links?

[aimeos]

Yes, that looks like SQL injection attempts

[nvindice]

Shouldn't the parameters be sanitized before they are used for URL generation and then cached? I don't care for unsuccessful hacking attempts, but I don't want them to be part of our Google search results.

[aimeos]

How did you add the language/currency selection and what's the URL of your site?

[nvindice]

We don't have a language/currency selection. URL: belago*de

[aimeos]

What are the URLs which contain that parameters?

[nvindice]

Currently hopefully none, we cleared the cache and reset Google's index. Yesterday Google (!) listed a couple of pages like this:
https://belago*de/c/Unsere_Beststeller~22?ai[currency]=EUR%22%27`--)&ai[locale]=de&ai[site]=default&currency=EUR%22%27`--)&locale=de&site=default

[jonaseberle]

I think it is related to them parameters being excluded from cHash validation:

In aimeos/aimeos-typo3:

https://github.com/aimeos/aimeos-typo3/blob/master/ext_localconf.php#L274-L278

I suggest to review that.