This was raised to the JSST team [Ticket#28632] which responded with:
Discussed this with the team. We had a similar discussion about media input fields a while ago where you have been involved, which has been closed as a "won't fix" after a longer discussion where various legit edge cases for query parameters and path traversals have been mentioned, so the same applies here.
Therefore I'm forced to raise this issue here for wider discussion.
Joomla 4.0.0 beta 1
Install sample data
Login to frontend as admin
Click Template Settings
Right click and inspect the LOGO image path
<input type="text" name="params[logoFile]" id="params_logoFile" value="http://evil.com/hack.txt?a=12" readonly="readonly" class="form-control field-media-input valid">
Change the value to anything you want and remove the readonly attribute
Save
Note that the image in the top of the page now has your evil string appended to the domain name
The fact is I should not be able to manually set that URL to anything other than a valid image file rooted in the base path configured in the media settings.
Yes, I know I'm logged in as a super admin, but that should not matter; hackers are cleverer than me.
I can save http://evil.com/hack.txt?a=12
I could save /images/validimage.jpg?url=http://evil.com/hack.txt too, and I know that without "something else" this is not an executable URL, but still, I should not be able to manually set the template logo to anything other than a valid image with no query string.
The field should be validated against the files on the hard disk, chrooted by the folders listed in the media filesystem plugin, and if the file doesn’t exist then it should be rejected.
It's a select field; it should only accept values that can be selected.
The only valid values that can be submitted and stored are those generated by the media manager and prefilled on closing the modal.
The selection should be restricted to the new filesystem plugin which provides the only places that the media manager can consume and restricts the media manager from any access outside of defined folders.
I can inject all kinds of things into this field.
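As an added illustration of the validation the issue asks for (this is not Joomla's code and does not use the Joomla form or media API), the function below accepts only a plain relative path that exists on disk, has an image extension, and resolves inside one of the allowed root folders. The function name, the allowed roots and the extension list are assumptions for the demo; in Joomla the roots would come from the media filesystem plugin configuration. The site tree and the test values are constructed in the script itself so it runs stand-alone.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical validator for a media-field value.
 *
 * Rules, taken from the issue text:
 *   - no absolute or protocol-relative URL, no query string, no fragment
 *   - the file must exist on disk (realpath() returns false otherwise)
 *   - the file must carry an image extension from the allow-list
 *   - after resolving symlinks and "..", the file must sit under one of
 *     the allowed root folders ("chrooted" to the media plugin folders)
 *
 * Returns the normalised site-relative path, or null when rejected.
 */
function validateMediaPath(string $value, string $siteRoot, array $allowedRoots, array $allowedExtensions): ?string
{
    // Scheme ("http:", "javascript:", "C:"), "//host", "?", "#" or a NUL byte => reject.
    if ($value === '' || preg_match('#^[a-z][a-z0-9+.-]*:|^//|[?\#\0]#i', $value)) {
        return null;
    }

    // Normalise separators and resolve on disk. A non-existent file yields false.
    $relative  = ltrim(str_replace('\\', '/', $value), '/');
    $candidate = realpath($siteRoot . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // The logo field is for an image, so restrict the extension.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExtensions, true)) {
        return null;
    }

    // Prefix check against the *resolved* root, with a trailing separator so
    // "images2/" cannot pass as "images/".
    $siteReal = realpath($siteRoot);
    foreach ($allowedRoots as $root) {
        $rootReal = realpath($siteRoot . DIRECTORY_SEPARATOR . trim($root, '/'));
        if ($rootReal !== false && strpos($candidate, $rootReal . DIRECTORY_SEPARATOR) === 0) {
            return str_replace(DIRECTORY_SEPARATOR, '/', substr($candidate, strlen($siteReal) + 1));
        }
    }
    return null;
}

// Constructed demo: a throw-away "site root" with one real image in images/.
$site = sys_get_temp_dir() . '/media-demo-' . bin2hex(random_bytes(4));
mkdir($site . '/images', 0700, true);
file_put_contents($site . '/images/logo.png', "\x89PNG demo");
file_put_contents($site . '/configuration.php', '<?php // pretend secrets');

$roots = ['images'];                             // assumed media plugin folders
$exts  = ['png', 'jpg', 'jpeg', 'gif', 'webp'];  // assumed image allow-list

$cases = [
    'images/logo.png',                                      // valid
    '/images/logo.png',                                     // leading slash, still valid
    'http://evil.com/hack.txt?a=12',                        // absolute URL from the issue
    '/images/validimage.jpg?url=http://evil.com/hack.txt',  // query string from the issue
    '//evil.com/hack.png',                                  // protocol-relative URL
    'images/../configuration.php',                          // traversal outside the root
    'images/missing.png',                                   // does not exist on disk
];
foreach ($cases as $c) {
    $r = validateMediaPath($c, $site, $roots, $exts);
    printf("%-55s => %s\n", $c, $r === null ? 'REJECTED' : 'ok: ' . $r);
}

// Clean up the constructed tree.
unlink($site . '/images/logo.png');
unlink($site . '/configuration.php');
rmdir($site . '/images');
rmdir($site);
```

Only the first two cases are accepted, both normalised to `images/logo.png`; the two values quoted in the issue are rejected before any filesystem access because of the scheme and the query string. The order of the checks matters: the URL/query test runs first so that no attacker-controlled string ever reaches `realpath()`, and the root prefix is compared only after symlinks and `..` have been resolved, which is what makes the "chroot" meaningful.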
Labels | Added: ? |
Please delete the spam
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-03-07 18:39:53 |
Closed_By | ⇒ | PhilETaylor | |
Labels | Added: No Code Attached Yet | Removed: ? |
This is still possible today.