In the Joomla 4 admin, load a URL like:
http://127.0.0.1:8400/administrator/index.php?option=com_content&view=articles
note that looks like unicorns and rainbows love it to bits.
Append &tmpl=component
note that looks like unicorns and rainbows love it to bits.
Make a typo in &tmpl=component like
http://127.0.0.1:8400/administrator/index.php?option=com_content&view=articles&tmpl=MadeUpName
Error message saying that MadeUpName is not a valid value for tmpl
edit: Joomla 3 affected too it seems
So the fix then is to validate the value against valid filenames and remove the final fall back to system/index.php ?
A B/C break for sure, so best done now at Joomla 4.0.0 ?
or a complete won't fix by not adding any validation to user supplied input?
I don't know...
For the sake of completeness, the last two fallback steps:
https://github.com/joomla/joomla-cms/blob/staging/libraries/src/Document/HtmlDocument.php#L699-L733
Well at least the user supplied value is having some security filtering on it before being used as a file name ;-) ;-)
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-06-17 09:22:20 |
| Closed_By | ⇒ | PhilETaylor |
If a tmpl (=> tmpl.php) doesn't exist inside the current template folder, the rendering falls back to template system. If the tmpl.php doesn't exist in that folder, the rendering falls back to system/index.php, which includes system/component.php. It's the same behavior as in Joomla 3. Front-end and back-end.
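
The lookup order described in this thread, next to the stricter validation proposed earlier in it, as an added example that is not Joomla's code or any commenter's. The function names, the `mytemplate` folder and the file listing are assumptions constructed for illustration.

```php
<?php
// Added illustration, not Joomla code: models the lookup order described in the thread.
// Function names, the "mytemplate" folder and the file listing are constructed.

/** Stand-in for the input filtering mentioned in the thread: keep file-name-safe characters. */
function cleanTmpl(string $tmpl): string
{
    return (string) preg_replace('/[^A-Za-z0-9_-]/', '', $tmpl);
}

/** Lenient lookup: current template, then "system", then system/index.php. */
function resolveLenient(array $files, string $template, string $tmpl): string
{
    $file = cleanTmpl($tmpl) . '.php';
    foreach ([$template, 'system'] as $dir) {
        if (in_array("$dir/$file", $files, true)) {
            return "$dir/$file";
        }
    }
    return 'system/index.php'; // final fallback: a mistyped value is accepted silently
}

/** Strict lookup: same search, but an unknown or altered value is an error. */
function resolveStrict(array $files, string $template, string $tmpl): string
{
    $name = cleanTmpl($tmpl);
    if ($name === '' || $name !== $tmpl) {
        throw new InvalidArgumentException('tmpl contains characters that are not allowed');
    }
    foreach ([$template, 'system'] as $dir) {
        if (in_array("$dir/$name.php", $files, true)) {
            return "$dir/$name.php";
        }
    }
    throw new InvalidArgumentException("$name is not a valid value for tmpl");
}

// Constructed listing of layout files under the templates directory.
$files = ['mytemplate/index.php', 'mytemplate/component.php', 'system/index.php', 'system/component.php'];

foreach (['component', 'MadeUpName', 'comp onent'] as $tmpl) {
    echo "tmpl=$tmpl\n  lenient: ", resolveLenient($files, 'mytemplate', $tmpl), "\n";
    try {
        echo '  strict:  ', resolveStrict($files, 'mytemplate', $tmpl), "\n";
    } catch (InvalidArgumentException $e) {
        echo '  strict:  rejected (', $e->getMessage(), ")\n";
    }
}
```

With the lenient lookup, `MadeUpName` resolves to `system/index.php` and `comp onent` is silently filtered to `component`; the strict lookup rejects both.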