SYSTEM_SECURITY_GET_MAX_LENGTH: take care that minimum is 32.

extension/Classes/Core/Database/DatabaseUpdate.php

@@ -214,7 +214,6 @@ class DatabaseUpdate {
 
         if ($new == $old || $old === false) {
             return;
-
         }
 
         if (version_compare($old, '20.2.0') == -1) {

extension/Classes/Core/Store/Config.php

@@ -107,6 +107,14 @@ class Config {
             T3Handler::updateT3QfqConfig(SYSTEM_BASE_URL, $config[SYSTEM_BASE_URL]); // Legacy behaviour.
         }
 
+        // Check minimum security length
+        if (($config[SYSTEM_SECURITY_GET_MAX_LENGTH] ?? '') < 32) {
+            // On some places we use MD5 hashes with 32chars. Therefore this should be the minimum.
+            $config[SYSTEM_SECURITY_GET_MAX_LENGTH] = 32;
+
+            T3Handler::updateT3QfqConfig(SYSTEM_SECURITY_GET_MAX_LENGTH, $config[SYSTEM_SECURITY_GET_MAX_LENGTH]);
+        }
+
         // Author: Enis Nuredini
         // Set default for encryption method if empty in typo3 configuration
         if (($config[SYSTEM_ENCRYPTION_METHOD] ?? '') === '') {

extension/ext_conf_template.txt

@@ -146,7 +146,7 @@ securityAttackDelay = 5
 # cat=security/security; type=boolean; label=Show an attack detected message:Default is 'off'. Show (return to browser) a message, that an attack has been detected. Should be 'off' for production sites.
 securityShowMessage = 0
 
-# cat=security/security; type=string; label='GET'-Parameter max length:Default is '50'. GET vars longer than 'x' character triggers an `attack-detected`.
+# cat=security/security; type=string; label='GET'-Parameter max length:Default is '50'. GET vars longer than 'x' character triggers an `attack-detected`. Minimum: 32.
 securityGetMaxLength = 50
 
 # cat=security/security; type=string; label=REST - Failed auth delay in seconds:Default is '3'.