Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#26753] - Error loading module Unknown column 'Array' in 'where clause'

?
avatar roussis
roussis
21 Oct 2019

Steps to reproduce the issue

On any Joomla site just make a get Request via web browser:
https://www.joomla.org/index.php/component/users?Itemid[]

screen shot 2019-10-21 at 14 33 34:

Expected result

Actual result

Warning
Error loading module Unknown column 'Array' in 'where clause'

System information (as much as possible)

Additional comments

avatar roussis roussis - open - 21 Oct 2019
avatar joomla-cms-bot joomla-cms-bot - labeled - 21 Oct 2019
avatar roussis roussis - change - 21 Oct 2019
The description was changed
avatar roussis roussis - edited - 21 Oct 2019
avatar roussis roussis - change - 21 Oct 2019
The description was changed
avatar roussis roussis - edited - 21 Oct 2019
avatar roussis roussis - change - 21 Oct 2019
The description was changed
avatar roussis roussis - edited - 21 Oct 2019
avatar SharkyKZ
SharkyKZ - comment - 22 Oct 2019

If it is decided to fix query manipulations like this, there will be A LOT of fixing to do.

avatar joomdonation
joomdonation - comment - 22 Oct 2019

We would not have to fix anything if the getInt method of our Input class just returns an integer value as described in the docblock https://github.com/joomla/joomla-cms/blob/staging/libraries/vendor/joomla/input/src/Input.php#L28

Unfortunately, it also returns array of integer in case data from request is an array and it causes this kind of error.

avatar SharkyKZ
SharkyKZ - comment - 22 Oct 2019

Changing default input filter behavior, I think, is out of the question at this point.

avatar roussis
roussis - comment - 22 Oct 2019

there is a discussion about if this error lead to sql injection. As a security engineer i know that it can't happens because in source code it used prepared statements. But because the error include an sql phrase people think about the sql vulnerability and the are trying to exploit it.

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/26753.

avatar brianteeman
brianteeman - comment - 10 Jan 2020

@HLeithner @SniperSister Anything we can do here or should it be closed?

avatar SniperSister
SniperSister - comment - 15 Jan 2020

@brianteeman it's not a risk from an SQLi perspective, as the string concatenation in our statements converts a PHP array into the string "Array". This will cause an error message but not allow any further query manipulation.

So it's more a design issue: our Input class (and also the filter classes) by default return arrays as soon as the user input is an array. So, if user supplied input is passed as an array in places where the developer doesn't expect that to happen, we see exactly this type of errors.

A proper fix would be to make the array retrieval optional, so developer have to specifically enable it - however that's a huge b/c break and therefore a no-go at least for Joomla 3. For 4.x it would require a rather massive change across the codebase as we would have to check and potentially adjust every jinput call.

The alternatives:

  1. Fix specific errors once they are reported
  2. Ignore these issues in general
avatar brianteeman
brianteeman - comment - 15 Jan 2020

Thanks @SniperSister I will leave it up to maintainers to make a decision

avatar HLeithner
HLeithner - comment - 31 Mar 2020

This issue should be fixed with #28481 closing it.

avatar HLeithner HLeithner - change - 31 Mar 2020
Status New Closed
Closed_Date 0000-00-00 00:00:00 2020-03-31 18:45:06
Closed_By HLeithner
avatar HLeithner HLeithner - close - 31 Mar 2020
avatar HLeithner
HLeithner - comment - 31 Mar 2020

@roussis could you please test the mentioned pr?

avatar roussis
roussis - comment - 12 Apr 2021

@roussis could you please test the mentioned pr?

It is the same result.
https://www.joomla.org/index.php/component/users?Itemid%5B%5D

Add a Comment

Login with GitHub to post a comment