Install Kunena 5.2.x on a clean install of J!3.9.25, and you will see the following error in a modal; the installation of the component is interrupted:
Installing Kunena... jQuery('#kunena-modal').remove().prependTo('body').modal({backdrop: 'static', keyboard: false, remote: '/.../administrator/index.php?option=com_kunena&view=install&format=raw'}) Installation of the package was successful.
This works on J!3.9.24 and earlier; it's broken since J!3.9.25. The part of the code concerned is: https://github.com/Kunena/Kunena-Forum/blob/5.2.2/src/install.php#L184
The JavaScript should be used to redirect the user to continue the installation of the component.
The user sees the error message in the modal and needs to open the Kunena menu to finish the installation.
PHP 7.4.x
btw. you should really not depend on a redirect after install or update. In J4 we have the possibility to install extensions with the CLI without a GUI, so it would break this feature.
Just saying, because you do the redirect in J4 using the API. What's on the redirected page? Configuration or other automated tasks?
Expected result
The JavaScript should be used to redirect the user to continue the installation of the component.
That is not the expected behaviour but a potential XSS attack vector, and therefore it was changed in 3.9.25.
Just saying, because you do the redirect in J4 using the API. What's on the redirected page? Configuration or other automated tasks?
The redirected page shows a progress bar to the user. If it fails at some point, the error is displayed below the progress bar. There are no configuration options.
Share the XSS vector then. Joomla\CMS\Application\CMSApplication::enqueueMessage() is internal API that does not receive user input. So the only practical XSS vector is some extension possibly not filtering its input and passing that data into the API. This is basically an artificial limitation for the sake of limitations and the equivalent of saying "an administrator can input HTML into their article body which contains malicious JavaScript, therefore we removed the ability to input HTML into article bodies".
btw. you should really not depend on a redirect after install or update. In J4 we have the possibility to install extensions with the CLI without a GUI, so it would break this feature.
And some "third party management services" have been spending years having to work around extensions that hijack the install and update process and hard-redirect to other places... at least if it's in JavaScript it can be ignored until all PHP system plugins have run, rather than using $mainframe->redirect() or $app->redirect() or similar in PHP code and exit-ing :-)
If I understand the discussion correctly, the issue is expected behaviour (#32595 (comment)).
This should be closed as it is the expected behaviour of Joomla to mitigate a reported security issue. Plus, putting JavaScript in messages is really evil; Joomla has a way to allow 3PDs to redirect after installation (and if it doesn't work, report it and it will be fixed).
This should be closed. The question has been asked and the explanation given. There is zero chance of that change being reverted, as it is security related.
Status: New ⇒ Closed
Closed_Date: 0000-00-00 00:00:00 ⇒ 2021-08-02 08:53:44
Closed_By: ⇒ alikon
Yes, it seems you are passing JS to the message box, which is nowadays not allowed any more. It would be better to load the JS independently from the message (which should just be text without any JS).
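As an added illustration of the two patterns the thread contrasts (script smuggled into a queued message versus a plain-text message with the JavaScript loaded separately, the approach recommended in the last comment), here is an installer script sketch. This is example code, not Kunena's install.php or Joomla's own code; the component name com_example, the class name, the modal id and the install URL are assumed, and the modal markup is assumed to be present on the page already. It uses only the Joomla 3.x API calls named in the thread plus Factory::getDocument()->addScriptDeclaration(), Route::_() and the HtmlDocument class.

```php
<?php
// Added example, not Kunena's or Joomla's own code. Assumed names:
// com_example, Com_ExampleInstallerScript, #example-modal, the install URL.
defined('_JEXEC') or die;

use Joomla\CMS\Document\HtmlDocument;
use Joomla\CMS\Factory;
use Joomla\CMS\Router\Route;

class Com_ExampleInstallerScript
{
    // Pattern the thread rejects: JavaScript carried inside the message
    // queue. From 3.9.25 on Joomla no longer lets that script run, so the
    // user sees the script text in the modal and the flow stalls
    // (the symptom reported at the top of this issue).
    public function postflightOld($type, $parent)
    {
        $url = Route::_('index.php?option=com_example&view=install&format=raw', false);

        Factory::getApplication()->enqueueMessage(
            "Installing Example... <script>jQuery('#example-modal')"
            . ".modal({backdrop: 'static', keyboard: false, remote: '" . $url . "'});</script>"
        );
    }

    // Recommended pattern: the message is plain text, and the JavaScript is
    // registered on the document separately. The URL reaches the script via
    // json_encode() so it cannot break out of the JS string literal.
    public function postflight($type, $parent)
    {
        if (!in_array($type, array('install', 'update'), true)) {
            return;
        }

        $app = Factory::getApplication();
        $doc = Factory::getDocument();
        $url = Route::_('index.php?option=com_example&view=install&format=raw', false);

        // Text only: no markup, no script, nothing for a filter to strip.
        $app->enqueueMessage('Installing Example... continuing in the installer dialog.');

        // Headless installs (e.g. a CLI installer) have no HTML document and
        // nowhere to run browser JS, so the component must be usable without
        // the dialog; here we simply skip it.
        if (!($doc instanceof HtmlDocument)) {
            return;
        }

        $doc->addScriptDeclaration(
            'jQuery(function ($) {'
            . ' $("#example-modal").modal({backdrop: "static", keyboard: false, remote: '
            . json_encode($url) . '});'
            . '});'
        );
    }
}
```

The difference that matters for the XSS argument made earlier in the thread is where the string boundary sits: in the old pattern the message text is the program, so anything that ends up in a queued message can execute; in the second pattern the message can never contain code, and the only dynamic value that enters the script is a URL passed through json_encode(). Whether to show a dialog at all after installation is a separate question; as noted above, a third-party installer should work without any redirect so that unattended installs still complete.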