[#30908] - [3.9] [4.0] Allow creating or renaming of .min.css files
- Closed
- 28 Aug 2022
- Medium
- Build: staging
- # 30908
Is your feature request related to a problem? Please describe.
This applies to both J3.9x and J4B5. I haven't listed it as a bug as it's obviously been around for a while.
There may be a good reason for it, but if you try to create or rename a file that contains two full stops (periods/dots) - e.g. oldfile.min.css - this is not possible within the "Templates: Customised (name of template)" area.
Instead, you get this message:
"Invalid file name. Please choose a file name with a-z, A-Z, 0-9, - and _."
Joomla 3x
Joomla 4B
The only way to amend or create files with this naming structure is to either amend it via the domain's control panel file manager or amend/upload them via FTP. It's quite likely that users with access to the file editor within Joomla may not have access to the domain's control panel or file manager or access via FTP.
EDIT: It is possible to upload a file with a name such as newfile.min.css using the template editor upload facility:
(But I also notice that the 'Close' button doesn't close the popup. Only X at top right or Esc key on keyboard works).
Describe the solution you'd like
Allow the saving of file names with extra full stops within the Joomla editor.
Additional context
joomla-cms-bot
- | Labels |
Added:
?
|
||
| Title |
|
||||||
Do you have in mind what security issue @brianteeman ?
yes
ok please send the details to me so i can have a look. maybe we find a way to still allow .min.css fieles
Not related to that issue at all
I see no security reason to not allow . in the name in this case. maybe limit it to not the first character and not 2 dots after each other but in the end you can upload php files to every security here is only cosmetic.
Beside that it's maybe better to add .min.css and .min.js as extension, the template editor is for changing some template files so it has a limited scope and shouldn't be a full featured file manager (my opinion).
It is a security issue. It was addressed by the JSST at the time (2013 iirc) for some additional publicly available info see the comments here when a bug in that security fix was addressed #2739 (comment)
you can upload a .php file, now tell me that a . in the filename is a bigger security issue.
I dont debate security issues in public. The double file extension is a well known vulnerability.
so simple solution. all abc.min.css abc.min.js etc. not just any old abc.xyz.123
Please close as we have a pull request
alikon
- | Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-08-28 09:59:32 |
| Closed_By | ⇒ | alikon | |
| Labels |
Added:
No Code Attached Yet
Removed: ? |
||
This was originally put in place to address a security issue