[#29877] - Add "accept" attribute to the upload file input element of com_joomlaupdate's Upload & Update tab
- Closed
- 2 Jul 2020
- Medium
- Build: staging
- # 29877
- Diff
- richard67:staging-use-accept-attribute-for-file-input-joomlaupdate
- Pending Hound Hound is busy sniffing around... Details
User tests: Successful: Unsuccessful:
Pull Request for Issue #29763 (partly).
Summary of Changes
This Pull Request (PR) adds the "accept" attribute to the file field of the Joomla Update Component's Upload & Update tab so that only zip files with mime type "application/zip" are selectable.
Only zip because currently the Joomla Update Component only supports that packing format for Upload & Update, see also the discussion in comments below. No idea what the other update packages (tar.gz, tar.bz2) are good for. There is no update from folder option or update channel for which they could be used.
Important: This is NOT a security fix, it only shall make it harder to accidently select the wrong file for upload.
See the following description on https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/accept:
The accept attribute doesn't validate the types of the selected files; it simply provides hints for browsers to guide users towards selecting the correct file types. It is still possible (in most cases) for users to toggle an option in the file chooser that makes it possible to override this and select any file they wish, and then choose incorrect file types.
Because of this, you should make sure that expected requirement is validated server-side.
I will work on these server-side validations and provide a separate PR.
Browser support see https://caniuse.com/#feat=input-file-accept.
Testing Instructions
-
On a clean current staging or recent 3.9 nightly build or a 3.9.19, login to backend and go to "Components -> Joomla Update".
-
Go to the "Upload & Update" tab and use the button right beside "Joomla package file" to select a file for upload.
Result: See section "Actual result BEFORE applying this Pull Request" below. -
Apply the patch of this PR.
-
Repeat step 2.
Result: See section "Expected result AFTER applying this Pull Request" below.
Actual result BEFORE applying this Pull Request
A browser dialogue opens which allows you to select a file. It shows all kinds of files in the currently active folder. There is no filter for zip files only.
E.g. on Firefox 77.0.1 (64-Bit) for Windows:
Expected result AFTER applying this Pull Request
A browser dialogue opens which allows you to select a file. Depending on your browser it limits the files being shown to zip files.
E.g. on Firefox 77.0.1 (64-Bit) for Windows:
Documentation Changes Required
None, I think.
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Administration com_joomlaupdate |
@Quy No. These don't work with Upload & Update. They are meant to be used for manual upload and unpack into an empty folder and use the folder update channel. Update: That was for the extension installer. The Joomla Update Component currently can't use tar.gz or a tar.bz2 files in any way.
Thanks. Why offer those other formats?
Thanks. Why offer those other formats?
This is a question someone else has to answer, but it is a good question ;-)
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29877.
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29877.
Merging here thanks @richard67 and @Quy and @degobbis for testing.
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-07-02 22:22:33 |
| Closed_By | ⇒ | Quy |
You have to include the other 2 options found here:
https://github.com/joomla/joomla-cms/releases