Skip to content

[BUGFIX] Prevent infinite loop when trustedProperties validation fails #1294

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 15, 2025
Merged

[BUGFIX] Prevent infinite loop when trustedProperties validation fails #1294

merged 2 commits into from
Oct 15, 2025

Conversation

@lorenzulrich
Copy link
Contributor

@lorenzulrich lorenzulrich commented Sep 25, 2025

If the __trustedProperties hidden property of a form is manipulated or submit as empty, the HMAC validation fails, throwing an exception.

The normal exception handling then tries to forward the request to the formAction, which itself also validates the HMAC. This leads to an infinite loop which is only resolved after 100 iterations by throwing an InfiniteLoopException.

This process takes time, therefore Powermail is vulnerable to DoS attacks.

The change checks for a BadRequestException from the HMAC validation. In such a case, a redirect to the (then empty) formAction is performed and the error is logged.

Resolves: #1293

@mschwemer
Copy link
Collaborator

mschwemer commented Oct 10, 2025

Hi

Thanks for your contribution.

In your PR the use Statement for BadRequestException is missing. Unfortunately I cannot modify your PR. Would you mind to add it?

Review and testing is fine (after adding use).

@lorenzulrich
[BUGFIX] Prevent infinite loop when trustedProperties validation fails
1be3c18 
If the __trustedProperties hidden property of a form is manipulated
or submit as empty, the HMAC validation fails, throwing an exception.

The normal exception handling then tries to forward the request to
the formAction, which itself also validates the HMAC. This leads to an
infinite loop which is only resolved after 100 iterations by throwing
an InfiniteLoopException.

This process takes time, therefore Powermail is vulnerable to DoS
attacks.

The change checks for a BadRequestException from the HMAC validation.
In such a case, a redirect to the (then empty) formAction is
performed and the error is logged.

Resolves: in2code-de#1293
@lorenzulrich lorenzulrich force-pushed the fix/trusted-properties-validation branch from 3e7410e to 1be3c18 Compare October 13, 2025 19:18
@lorenzulrich
Copy link
Contributor Author

lorenzulrich commented Oct 13, 2025

@mschwemer Thanks, that is done!

@lorenzulrich
Copy link
Contributor Author

lorenzulrich commented Oct 13, 2025

Please squash when merging.

@mschwemer mschwemer merged commit 192d8a5 into in2code-de:master Oct 15, 2025
9 of 10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Submitting a form with invalid trustedProperties leads to InfiniteLoopException

2 participants

@lorenzulrich @mschwemer