Config.php: cleanup of checking GET variables.

extension/qfq/qfq/Constants.php

@@ -384,6 +384,11 @@ const SYSTEM_SECURITY_ATTACK_DELAY = 'SECURITY_ATTACK_DELAY'; // Detected attack
 const SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT = 5; // Detected attack causes x seconds delay
 const SYSTEM_SECURITY_SHOW_MESSAGE = 'SECURITY_SHOW_MESSAGE'; // Detected attack shows an error message
 const SYSTEM_SECURITY_GET_MAX_LENGTH = 'SECURITY_GET_MAX_LENGTH'; // Trim every character (before conversion) to SECURITY_GET_MAX_LENGTH chars;
+const SYSTEM_SECURITY_GET_MAX_LENGTH_DEFAULT = 50; // Default max length for get variables
+const SYSTEM_SECURITY_ABSOLUTE_GET_MAX_LENGTH = 255; // Default max length for get variables
+
+const GET_EXTRA_LENGTH_TOKEN = '_';
+
 const SYSTEM_GFX_EXTRA_BUTTON_INFO_INLINE = 'GFX_EXTRA_BUTTON_INFO_INLINE';
 const SYSTEM_GFX_EXTRA_BUTTON_INFO_BELOW = 'GFX_EXTRA_BUTTON_INFO_BELOW';
 
@@ -415,7 +420,6 @@ const SYSTEM_DB_UPDATE_AUTO = 'auto';
 const DOCUMENTATION_QFQ = 'DOCUMENTATION_QFQ';
 const DOCUMENTATION_QFQ_URL = 'https://docs.typo3.org/typo3cms/drafts/github/T3DocumentationStarter/Public-Info-053/Manual.html';
 
-const GET_EXTRA_LENGTH_TOKEN = '_';
 
 // Not stored in config.qfq.ini, but used in STORE_SYSTEM
 // Information for: Log / Debug / Exception

extension/qfq/qfq/store/Config.php

@@ -72,13 +72,21 @@ class Config {
             foreach ($_GET as $key => $value) {
                 // Check if the variable is something like 'my_name_100' - if the part after the last '_' is numerical, this means a valid, non standard length.
                 $arr = explode(GET_EXTRA_LENGTH_TOKEN, $key);
+
                 $cnt = count($arr);
                 if ($cnt > 1 && is_numeric($arr[$cnt - 1])) {
-                    if (strlen($value) > $arr[$cnt - 1]) {
+                    $maxLength = $arr[$cnt - 1];
+                    if ($maxLength > SYSTEM_SECURITY_ABSOLUTE_GET_MAX_LENGTH) {
                         $attack = true;
+                        break;
                     }
-                } elseif (strlen($value) > $maxLength) {
+                } else {
+                    $maxLength = $config[SYSTEM_SECURITY_GET_MAX_LENGTH]; // might change again.
+                }
+
+                if (strlen($value) > $maxLength) {
                     $attack = true;
+                    break;
                 }
             }
         }
@@ -158,7 +166,7 @@ class Config {
         Support::setIfNotSet($config, SYSTEM_SECURITY_VARS_HONEYPOT, 'email,username,password');
         Support::setIfNotSet($config, SYSTEM_SECURITY_ATTACK_DELAY, SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT);
         Support::setIfNotSet($config, SYSTEM_SECURITY_SHOW_MESSAGE, '0');
-        Support::setIfNotSet($config, SYSTEM_SECURITY_GET_MAX_LENGTH, '50');
+        Support::setIfNotSet($config, SYSTEM_SECURITY_GET_MAX_LENGTH, SYSTEM_SECURITY_GET_MAX_LENGTH_DEFAULT);
         Support::setIfNotSet($config, SYSTEM_ESCAPE_TYPE_DEFAULT, TOKEN_ESCAPE_SINGLE_TICK);
         Support::setIfNotSet($config, SYSTEM_GFX_EXTRA_BUTTON_INFO_INLINE, '<span class="glyphicon glyphicon-info-sign" aria-hidden="true"></span>');
         Support::setIfNotSet($config, SYSTEM_GFX_EXTRA_BUTTON_INFO_BELOW, '<span class="glyphicon glyphicon-info-sign text-info" aria-hidden="true"></span>');