Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#26087] - 3.9.11 JRoute::() backward compatiblity (https not working)

J3 Issue ?
avatar stAn47
stAn47
30 Aug 2019

Steps to reproduce the issue

Hello, it seems that joomla 3.9.11
$url = JRoute::_($url, false, true);

returnes non-https URL address while previous joomla's always returned https URL for this call.

is it possible that JRoute implements this backward compatiblity ? i see new JRoute uses constants for 3rd parameter, but since this is a quite security related function i would suggest to add backward compatibility to this case.

i guess it is common that the third parameter can be:

  • true
  • 1
  • '1'

to enable the https URL.

best regards, stan

avatar stAn47 stAn47 - open - 30 Aug 2019
avatar joomla-cms-bot joomla-cms-bot - labeled - 30 Aug 2019
avatar franz-wohlkoenig franz-wohlkoenig - change - 30 Aug 2019
Labels Added: J3 Issue
avatar franz-wohlkoenig franz-wohlkoenig - labeled - 30 Aug 2019
avatar zero-24
zero-24 - comment - 30 Aug 2019

hmm the required b/c code has been introduced in 3.9.11 (by #25225 in response to: #25204):
https://github.com/joomla/joomla-cms/blob/staging/libraries/src/Router/Route.php#L72-L93

based on that the signature you proposed here it should still work than expected as

echo (int) true; -> 1
echo (int) 1; -> 1
echo (int) '1'; -> 1

please double check the signature you use and the joomla version let us know which it is so we replicate the issue.

avatar franz-wohlkoenig franz-wohlkoenig - change - 30 Aug 2019
Status New Information Required
avatar stAn47
stAn47 - comment - 30 Aug 2019

hello, i tested on 2 different servers now :


echo JRoute::_('index.php', false, true)."\n";  //returns http:
echo JRoute::_('index.php', false, false)."\n"; //returns relative
echo JRoute::_('index.php', false, 1)."\n"; //return https:
echo JRoute::_('index.php', false, '1')."\n"; //returns https:
echo JRoute::_('index.php', false, JROUTE::TLS_DISABLE)."\n"; debug_zval_dump(JROUTE::TLS_DISABLE); //returns http: 
echo JRoute::_('index.php', false, JROUTE::TLS_FORCE)."\n"; debug_zval_dump(JROUTE::TLS_FORCE);  //returns https:
echo JRoute::_('index.php', false, JROUTE::TLS_IGNORE)."\n"; debug_zval_dump(JROUTE::TLS_IGNORE);  //returns relative

stan

and for the true boolean I always get non-https reply

this is on PHP7.3 , 7.2, 7.1, 7.0 and 5.6

stan

avatar stAn47
stAn47 - comment - 30 Aug 2019

i just debugged this and used:

if ($tls == -1)
			{
				if ($tls === true) {
					die('x'); 
				}
				
				$tls = self::TLS_DISABLE;
			}

if $tls === true it also evaluates to $tls == -1

i did not know about this, but this is what's causing the problem

stan

avatar stAn47
stAn47 - comment - 30 Aug 2019

so it gets disabled before it reaches conversion to int

avatar zero-24 zero-24 - change - 30 Aug 2019
Status Information Required Closed
Closed_Date 0000-00-00 00:00:00 2019-08-30 12:07:33
Closed_By zero-24
avatar zero-24
zero-24 - comment - 30 Aug 2019

Strange but Confirmed here is a patch: #26089

avatar zero-24 zero-24 - close - 30 Aug 2019
avatar franz-wohlkoenig franz-wohlkoenig - reopen - 30 Aug 2019
avatar franz-wohlkoenig franz-wohlkoenig - change - 30 Aug 2019
Status Closed Discussion
Closed_Date 2019-08-30 12:07:33
Closed_By zero-24
avatar zero-24
zero-24 - comment - 30 Aug 2019

reopened @franz-wohlkoenig ?

avatar franz-wohlkoenig
franz-wohlkoenig - comment - 30 Aug 2019

ups, sorry.

avatar franz-wohlkoenig franz-wohlkoenig - close - 30 Aug 2019
avatar franz-wohlkoenig franz-wohlkoenig - change - 30 Aug 2019
Status Discussion Closed
Closed_Date 0000-00-00 00:00:00 2019-08-30 12:12:48
Closed_By franz-wohlkoenig

Add a Comment

Login with GitHub to post a comment