Publisher does not support the Fluid field type. Please do not contact asking when support will be available.
If you purchased an add-on from expressionengine.com, be sure to visit boldminded.com/claim to add the license to your account here on boldminded.com.
Ticket: URL is being appended to a link when cache is overwritten
| Status | Resolved |
| Add-on / Version | Speedy 1.3.1 |
| Severity | |
| EE Version | 5.4.2 |
Mighty Citizen
Feb 06, 2023Brian,
On this site (gov.texas.gov), only on the home page, the Espanol (or English link if you’re viewing the Spanish version of the site) link in the header recently began including a param on the end of the link. It should be https://gov.texas.gov/es/ but is now pointing to https://gov.texas.gov/es/?url=http:/m.xn—ok1b20k97kvwb89dt4p.net/bbs/board.php%3Fbo_table=42&wr_id=160586. When the client clears the Speedy cache, the appended param goes away. But as soon as the template is cached, the extra param shows up again. The extra param also changes after each refresh.
This just began happening over the weekend. The client’s concerned about a potential vulnerability somewhere within EE and/or Speedy.
Please let me know if you have any thoughts or ideas for debugging, or gathering additional details to help with debugging. Unfortunately, we do not have access to the client’s production environment (EE login nor the production server) and this problem is not happening on our dev instances.
Our client added:
“If I delete the index.php Speedy cache file and load the home page, a new cache file is created with the correct unaltered link. Once the cache file is overwritten, the altered link returns. It may be the cache that’s being exploited.”
Thanks for any ideas you may have.
Wiley
BoldMinded (Brian)
So many questions…. what other add-ons do you have installed?
What is your cache driver? Redis, static files?
How is that link rendered on the page? E.g. what is the template code?
What else have you looked into to diagnose the problem? Have you done a git status on the production server to see if anything has been hacked?
Clearing the cache removes the link, but obviously the link is getting added back when a new cache file is created… when you load the uncached page, is the extra stuff added to the link then or at a later point?
The URL shared is inaccessible to me.
BoldMinded (Brian)
The most important question is “What else have you looked into to diagnose the problem?” Have you tried to replicate the issue yourself?
Mighty Citizen
Comment has been marked private.
Mighty Citizen
Comment has been marked private.
BoldMinded (Brian)
Glad you figured it out, and yes there is a way to remove the query string. There is a hidden config variable:
$config[‘publisher_remove_query_string’] = ‘y’;
Add that to your config file and it shouldn’t append query strings to the translated_url variables.
BoldMinded (Brian)
I’m going to close this out b/c I haven’t heard back. If that config variable didn’t do what you were expecting feel free to re-open this ticket.