PhilETaylor - 27 Mar 2021

Issue #32490 and many others

Replacement for #32879 as people wanted it implemented in a b/c way

Implements a redirect or 404 option (and Off by default) to satisfy #32880 (comment)

Take it or leave it. This is the third attempt to fix this perceived security issue.

Summary of Changes

This PR attempts to close a long-standing issue where you can manipulate Joomla's urls and the router will still work.

This can be easily seen on the official Joomla.org site at:

https://www.joomla.org/announcements/BLAHBLAHBLAHBLAHBLAHBLAH/5834-LALALALALALALLALALALALALA

https://www.joomla.org/announcements/i/HACK/HACKED/YOUR/SITE/YOU/SUCK/5834-LALALALALALALLALALALALALA

Where BLAHBLAHBLAHBLAHBLAHBLAH is a made up category name and LALALALALALALLALALALALALA is a made up article alias.

That fake url still loads the "Joomla 3.9.25 Release" article which has id 5834. It should, IMHO, and in the opinion of others, be a 404, as LALALALALALALLALALALALALA could be Joomla-Sucks or anything else SEO that a hacker wants to use.

Testing Instructions

Enable SEF and rewrite. (Legacy, not modern)

Create yourself a category tree of let's say three categories (as a real test, you choose how many you want, it should still work), each a child of the last, and then an article (with alias my-article) in the bottom-most category.

Top Most -> Middle Most -> Bottom Most -> my-article

Visit the home page and you should see the link to My Article in the Latest Articles Module, click it and get a SEF url of

https://example.com/9-top-most/middle-most/bottom-most/3-my-article

Where 9 is the id of my category "Bottom Most" and 3 is the id of My Article (Yours might be different ids)

Actual result BEFORE applying this Pull Request

Before this PR you can manipulate the url and replace one or more of aliases with HHHH like below, these urls STILL WORK:

https://example.com/9-top-most/middle-most/bottom-most/3-HAHA
https://example.com/9-top-most/middle-most/HAHA/3-HAHA
https://example.com/9-top-most/HAHA/HAHA/3-HAHA
https://example.com/9-HAHA/HAHA/HAHA/3-HAHA

Expected result AFTER applying this Pull Request

After this PR, when you manipulate the url and replace one or more of the aliases with HHHH like below, these urls DON'T WORK, and now lead correctly to a 404 page OR THEY REDIRECT depending on your choice in Articles Config

https://example.com/9-top-most/middle-most/bottom-most/3-HAHA
https://example.com/9-top-most/middle-most/HAHA/3-HAHA
https://example.com/9-top-most/HAHA/HAHA/3-HAHA
https://example.com/9-HAHA/HAHA/HAHA/3-HAHA

But accessing the full generated url with aliases correct STILL WORKS

https://example.com/9-top-most/middle-most/bottom-most/3-my-article

Documentation Changes Required

This is backward compatible - it's off by default.

All the new code is doing is running 2n more queries to validate the aliases provided against either the alias of a category or article with a known id, or in the case of nested categories, that ANY category in the db has the provided alias (not perfect, I know, but much better than it currently is, and this is only for the Middle Most and Top Most category if there are 3 or more nested categories).

// cc @brianteeman @Ruud68 @Bakual @Hackwar
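The check the new option amounts to, as an added illustration (not code from this PR or from Joomla): the requested path is compared with the route the router would generate for the article id, and the validateslugs value picks 200, 404 or 301. The category tree and ids are the ones from the testing instructions; the option values 1 and 2 and the whole-path comparison (the PR itself validates alias by alias, as the summary says) are assumptions.

```php
<?php
// Added example, not Joomla's own router code: decide whether a legacy SEF
// article URL whose id-alias segments were tampered with is served, redirected or 404'd.
// Constructed stand-ins for the category tree and article from the testing instructions.
const CATEGORIES = [9 => ['path' => 'top-most/middle-most/bottom-most']];
const ARTICLES   = [3 => ['alias' => 'my-article', 'catid' => 9]];

// Assumed values of the "validateslugs" Articles Config option mentioned in the review.
const SLUGS_OFF      = 0; // legacy behaviour: only the numeric ids matter
const SLUGS_404      = 1; // wrong alias -> 404 Not Found
const SLUGS_REDIRECT = 2; // wrong alias -> 301 to the canonical URL

// Split "3-my-article" into [3, "my-article"]; a segment without an id gives 0.
function parseSegment(string $segment): array
{
    return preg_match('/^(\d+)-(.*)$/', $segment, $m) ? [(int) $m[1], $m[2]] : [0, $segment];
}

// The path the router itself would generate for an article id, or null if the id is unknown.
function canonicalPath(int $articleId): ?string
{
    if (!isset(ARTICLES[$articleId])) {
        return null;
    }
    $article = ARTICLES[$articleId];
    // Legacy SEF format: the lowest category's id prefixes the top category alias.
    return $article['catid'] . '-' . CATEGORIES[$article['catid']]['path']
        . '/' . $articleId . '-' . $article['alias'];
}

// Returns ['status' => 200|301|404, 'location' => canonical path for a redirect, else null].
function routeArticle(string $requestPath, int $validateSlugs): array
{
    $requested = trim($requestPath, '/');
    $segments  = explode('/', $requested);
    [$articleId] = parseSegment(end($segments));
    $canonical = canonicalPath($articleId);
    if ($canonical === null) {
        return ['status' => 404, 'location' => null]; // unknown id has always been a 404
    }
    if ($requested === $canonical || $validateSlugs === SLUGS_OFF) {
        return ['status' => 200, 'location' => null]; // exact match, or validation disabled
    }
    return $validateSlugs === SLUGS_REDIRECT
        ? ['status' => 301, 'location' => $canonical]
        : ['status' => 404, 'location' => null];
}

// Tampered URL from the test above: 200 with SLUGS_OFF, 404 with SLUGS_404, 301 here.
print_r(routeArticle('9-top-most/middle-most/HAHA/3-HAHA', SLUGS_REDIRECT));
```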

PhilETaylor - open - 27 Mar 2021
PhilETaylor - change - 27 Mar 2021
Status New Pending
joomla-cms-bot - change - 27 Mar 2021
Category Administration com_content Language & Strings Front End
PhilETaylor - change - 27 Mar 2021
The description was changed
PhilETaylor - edited - 27 Mar 2021
brianteeman - comment - 27 Mar 2021

What happens with existing redirects?

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32887.

PhilETaylor - comment - 27 Mar 2021

In plgredirects? Those will all still work independently of the changes in this PR.

Bakual - comment - 27 Mar 2021

I actually love this approach. Especially the redirect option - thanks!

One thing to think about: It may be worth using a variable for the result of $params->get('validateslugs', 0) and use the variable then for the various places where you check the parameter.

PhilETaylor - comment - 27 Mar 2021

@Bakual Thanks. Good point, I have updated with that.

alikon - test_item - 28 Mar 2021 - Tested successfully
alikon - comment - 28 Mar 2021

I have tested this item successfully on d040981

PhilETaylor - comment - 28 Mar 2021

Thank you @alikon for taking time to test. Appreciated.

HLeithner - comment - 28 Mar 2021

Thanks @PhilETaylor but I don't see this in j3 and as already said no new features for j3

HLeithner - change - 28 Mar 2021
Status Pending Closed
Closed_Date 0000-00-00 00:00:00 2021-03-28 14:59:32
Closed_By HLeithner
HLeithner - close - 28 Mar 2021
PhilETaylor - comment - 28 Mar 2021

Well there you have it folks... this confirmed security issue will remain in Joomla 3 forever.

b2z - comment - 2 Apr 2021

Is it relevant for J4?

PhilETaylor - comment - 2 Apr 2021

The issues that are left like this in Joomla 4 relate to the Modern Router and are detailed in a separate issue here: #32880