With reference to issue #7813
array_reverse returns the reversed array; it does not change the original array.
Line 441 to 444 of libraries/joomla/filter/JInputFilter.php extracts possible extensions in the file name to check against a list of invalid extensions.
https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/filter/input.php
On line 442, array_reverse is used to re-arrange the array created so as to move the file name to the end, removing it with array_pop on line 443. However, array_reverse returns the re-ordered array; it does not change the original array - http://php.net/manual/en/function.array-reverse.php
Therefore line 442 should be:
$explodedName = array_reverse($explodedName);
Status | New | ⇒ | Pending |
Category | ⇒ | Libraries |
Rel_Number | 0 | ⇒ | 7813 |
Relation Type | ⇒ | Pull Request for |
Test : Success.
The original code is clearly wrong and makes the file extension check not work properly (instead of removing the file name from the array, it actually removes the file extension, so the file extension is not being checked/validated with $options['forbidden_extensions']). This PR just corrects it.
Status | Pending | ⇒ | Ready to Commit |
Setting RTC. Thanks
Thank you @ryandemmer! It's important enough to be merged in the RC version, merging by code review.
Status | Ready to Commit | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-09-07 06:44:23 |
Closed_By | ⇒ | Kubik-Rubik |
We now have a regression on installing Kunena 3rd party templates:
Missing file to extract:
How to reproduce:
Extra info
our code: https://github.com/Kunena/Kunena-Forum/blob/develop/components/com_kunena/admin/controllers/templates.php#L98
@810 Reason is likely that you want to upload a file with a forbidden extension (eg ".php") then. That check was supposed to work since 3.4.0, but was broken.
If you use JFile::upload, you have to set the $allow_unsafe argument to true or explicitly pass $safeFileOptions with the correct options.
Hmm
I have the same issue with my extension. I think you will need to modify the code on line 103
$file = $this->app->input->files->get('install_package');
To
$file = $this->app->input->files->get('install_package', null, 'raw');
The reason is this block of code: https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/input/files.php#L81-L89
I just wanted to point out the needed changes. There are two changes needed:
Use raw filter as I mentioned above.
If we use JFile::upload, we will have to set the $allow_unsafe argument to true or explicitly pass $safeFileOptions with the correct options as @Bakual mentioned.
@joomdonation Correct! Thank you for pointing it out.
OK, thanks, we had that before, only without the allow_unsafe. We changed that. Now it's working again.
Tested successfully with this script.
This returns:
Array ( [0] => download )
If we change the script to:
It returns
Array ( [0] => xml )
Thanks.
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7814.
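The behaviour discussed in this thread, as an added example that is not part of the original thread and not Joomla's own code: it compares the extension list produced when the return value of array_reverse is discarded with the list produced when it is assigned back. The function names, the sample file names and the forbidden list are constructed for illustration.

```php
<?php
// Added illustration; function names and sample data are constructed.

// Pre-fix logic: the return value of array_reverse() is discarded.
function extensionsBeforeFix(string $name): array
{
    $parts = explode('.', strtolower($name));
    array_reverse($parts);   // no effect: $parts keeps its original order
    array_pop($parts);       // removes the last element, i.e. the final extension
    return $parts;           // what remains includes the base file name
}

// Post-fix logic: the reversed array is assigned back.
function extensionsAfterFix(string $name): array
{
    $parts = explode('.', strtolower($name));
    $parts = array_reverse($parts); // the file name is now the last element
    array_pop($parts);              // removes the file name
    return $parts;                  // only the extensions remain
}

// True when any extracted extension is on the forbidden list.
function isForbidden(array $extensions, array $forbidden): bool
{
    return count(array_intersect($extensions, $forbidden)) > 0;
}

// Constructed list standing in for $options['forbidden_extensions'].
$forbidden = ['php', 'phtml', 'exe'];

// Constructed file names: a harmless file, a forbidden extension,
// a multi-extension archive, and a base name that equals a forbidden extension.
$samples = ['download.xml', 'template.php', 'archive.tar.gz', 'php.txt'];

foreach ($samples as $name) {
    $before = extensionsBeforeFix($name);
    $after  = extensionsAfterFix($name);
    printf(
        "%-16s before: [%s] blocked=%s | after: [%s] blocked=%s\n",
        $name,
        implode(',', $before),
        var_export(isForbidden($before, $forbidden), true),
        implode(',', $after),
        var_export(isForbidden($after, $forbidden), true)
    );
}
```

With the pre-fix logic the final extension is never inspected and the base file name is checked in its place, so a name ending in a forbidden extension passes while a harmless file whose base name matches the list is rejected.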