User tests: Successful: Unsuccessful:
Pull Request for Issue #32490 .
The legacy router used in 3.9 and used in 4.0 allows for Search Engine URL forgeries (see #32490) for the impact of this (business) vulnerability.
This PR introduces a toggle with which the legacy router can be toggles from Loose Mode (current dfault mode) to Strict mode.
Loose Mode will parse an URL based on Article ID only, this maks it possible to add any (discriminating) text to the URL and 'feed' that to e.g. Google and will show up in the search results for your site
Strict Mode requires the ID and Alias match. If no match, a 404 will be produced (same is in the Modern Router)
This PR is a POC and when correct can be ported to other core components with the Legacy Router 'flaw'
Install this PR
In article option tab integration switch Remove IDs from URLs to 'No' > enabling the Legacy Router
Leave the setting Strict Mode in its default value (Loose)
[A] Test:
Set config parameter Strict Mode to 'Strict'
[B]Repeat test above
[A]: 1 > Your Modules page in displayed
[A]: 2 > Your Modules page is displayed (note: the non-existing / fake url will be indexed by Google because it resolves okay and as such will show in your sites search results)
[B]: 1> Your Modules page is displayed
[B]: 2 > a 404 is thrown wich is the correct behavior as this page doesn't exist and should NEVER resolve okay!
Maybe an alert should be shown (in the face of the site maintainer) when switching strict mode to Loose that will inform him/her of the risks involved
Status | New | ⇒ | Pending |
Category | ⇒ | Administration com_content Language & Strings Front End |
@brianteeman because when I do a J3 everybody asks why not J4... #lol
This can easily be 'backported' to 3 (and if accepted should) but since all dev and test attention is currently on 4 I did it for 4 first.
because 4 also has this issue as you can see :)
With this url: http://localhost/j4test/index.php/en/blog/5-dont-do-any-business-with-me-because-i-suck in strict mode I get a 404 page but I also get a call stack starting JROOT/libraries/src/Router/Router.php:153
Also after applying the patch, first page load gave an error page for the good url - but not reproducable.
Labels |
Added:
?
?
|
I personally see it as a feature to have the id in the url because if you change the alias it link still exists.
Redirecting to the right url would be make sense.
@HLeithner , thanks for your review. as for the comment above: That would be indeed a feature and not a 'fix' what this PR does.
If you do a redirect and not like now (without this PR) just show a page with the same article id, that would be a b/c as the a redirect is not the same as a 404 / 200
With this url: http://localhost/j4test/index.php/en/blog/5-dont-do-any-business-with-me-because-i-suck in strict mode I get a 404 page but I also get a call stack starting JROOT/libraries/src/Router/Router.php:153
Also after applying the patch, first page load gave an error page for the good url - but not reproducable.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32500.
Hi @ceford thanks for testing, I cannot reproduce what you reported, also when looking at the code in line 153 (where the exception was thrown to show the 404 page) I do not see how that could produce a callstack on screen
@HLeithner , thanks for your review. as for the comment above: That would be indeed a feature and not a 'fix' what this PR does.
If you do a redirect and not like now (without this PR) just show a page with the same article id, that would be a b/c as the a redirect is not the same as a 404 / 200
My suggest is to make it a 3 way field, do nothing, make redirect, send 404.
I did a new install (clone) a couple of days ago and I have just merged the latest updates. I did install Multi-lingual sample data and have now used the correct article id: http://localhost/j4test/index.php/en/sample-layouts/category-list/9-dont-do-any-business-with-me-because-i-suck but the result is the same. I get a 404 Error page and then the stack trace. I have Error reporting set to Maximum. Maybe that is normal - I just don't remember it that way.
My suggest is to make it a 3 way field, do nothing, make redirect, send 404.
I will not do redirect in this PR. This PR needs to be also back-ported to 3.9 / 3.10 and that is not possible with new functionality.
I suggest making a separate PR for new functionality, also because this requires changes on a complete different level then the B/C 'safe' changes here
Category | Administration com_content Language & Strings Front End | ⇒ | Administration com_content Language & Strings Front End Templates (site) NPM Change |
@HLeithner and @Quy done changes as requested, did you test?
Also in last commit some css files where changed, no idea where these come from and how they ended up in my repo, must have done something wrong. no clue as how to fix that other then start all over again (which I wont) So if somebody could help a hand, that would be appreciated
Title |
|
closing due to there being no interest in this solution, reopening original issue as the issue is not solved
Status | Pending | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-03-22 17:55:07 |
Closed_By | ⇒ | Ruud68 | |
Labels |
Added:
NPM Resource Changed
?
|
Sorry but thats just pathetic closing this. Re-opening the issue when you already have a proposed fix is not very sensible.
No one tested this as you didnt bother to respond to the request for updates.
Why is this PR for J4? I would have expected it to be first committed to J3