Escape return to homepage url in isis and hathor
homepage url is escaped
homepage url is not escaped
none
Status | New | ⇒ | Pending |
Category | ⇒ | Administration Templates (admin) |
Maybe I'm missing something obvious but it seems to me if you need to escape a Joomla\Uri\UriInterface object that has zero user input whatsoever that there is some security flaw in the URI class chain that needs to be addressed as a security issue. Or are you going to go through the entire CMS now and escape every URL in every <a> and <form> element?
This is the type of issue that requires a clear explanation of the issue that is being fixed, and if applicable with some form of automated test to demonstrate the issue and prevent regression. A drive by patch saying "I want to escape this URL in these spots" isn't explaining any issue or why the change is necessary.
Or are you going to go through the entire CMS now and escape every URL in every <a> and <form> element?
No. I just wanted to patch these login.php files.
Maybe I'm missing something obvious but it seems to me if you need to escape a Joomla\Uri\UriInterface object that has zero user input whatsoever that there is some security flaw in the URI class chain that needs to be addressed as a security issue.
Agree, it is not the case here, just rips who complained about it, and well, even when we have no direct exploit, does it hurt? And the theoretical issue of Uri being broken: having it broken on the login page would be less ideal :D
A drive by patch saying "I want to escape this URL in these spots" isn't explaining any issue or why the change is necessary.
Well, there is no hidden reason behind that PR, just to add escaping like mentioned above.
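The point both sides are circling is what escaping a URL at the moment it is written into an HTML attribute actually does: nothing when the value is a well-formed URL, and attribute containment if the value is ever not. The following is an added illustration, not code from Joomla's isis or hathor login templates; the helper names `escapeAttr` and `homepageLink`, the `example.test` URLs and the deliberately malformed input are all constructed for this example.

```php
<?php
// Added example (not Joomla's own template code): escaping a URL at the point
// of output into an HTML attribute is a no-op for a clean value and keeps a
// malformed value from terminating the attribute. Assumes plain PHP 7+ CLI.

/**
 * Escape a string for safe placement inside a quoted HTML attribute.
 * ENT_QUOTES also converts single quotes, so the helper works for
 * single-quoted attributes too; UTF-8 avoids mangling non-ASCII input.
 */
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render a "return to homepage" link with the site root escaped (hypothetical helper). */
function homepageLink(string $siteRoot): string
{
    return '<a href="' . escapeAttr($siteRoot) . '">Site</a>';
}

// Constructed inputs: a normal site root, and a malformed one that a trusted
// URI object should never yield but which shows what the escaping buys if
// that assumption ever breaks.
$clean  = 'https://example.test/';
$broken = 'https://example.test/" data-injected="yes';

echo homepageLink($clean), PHP_EOL;
// <a href="https://example.test/">Site</a>   (unchanged: escaping did nothing)

echo homepageLink($broken), PHP_EOL;
// <a href="https://example.test/&quot; data-injected=&quot;yes">Site</a>
// The double quote is now &quot;, so it cannot close the href attribute and
// the injected text stays inert inside the attribute value.
```

Run it with `php example.php`. The first line shows why the change is harmless for the case the PR covers; the second shows the only situation in which it changes behaviour, which is exactly the "URI class chain is broken" scenario the discussion treats as a separate bug. Output escaping is a layer, not a substitute for that class being correct.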
What does "retrun" mean in title and description? ;-)
It is the retrun to homepage url
:D
"retrun" or "return"?
Title | ⇒ | return |
I do too many things at once :D
I have tested this item
Installed the patch and the upper right link to the Frontend still works in backend.
Please correct if I misunderstood the instructions.
Thanks @coolcat-creations
I have tested this item
Status | Pending | ⇒ | Ready to Commit |
Labels | Added: ? ? |
I don't think that this PR is useful but if rips is happy then it's ok for me... Thanks
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-04-14 15:20:09 |
Closed_By | ⇒ | HLeithner | |