
PhilETaylor - 14 Apr 2021

Summary of Changes

Joomla 3.9.26 had last-minute security fixes added to it by the JSST.

One of these security issues was not fixed in all places.

This commit 6c7b17c#diff-36647192855b2ef14c990918bb56b4da7ac2d012fece3b98f3090d95fcd3abe2R44 also needs to be made to the offline.php file.

Thanks to @C-Lodder for reporting.

PhilETaylor - open - 14 Apr 2021
PhilETaylor - change - 14 Apr 2021
Status New Pending
joomla-cms-bot - change - 14 Apr 2021
Category Front End Templates (site)
PhilETaylor - change - 14 Apr 2021
The description was changed
PhilETaylor - edited - 14 Apr 2021
ChristineWk - comment - 14 Apr 2021

Will this be fixed in the next version or will there be a new update package? Of course, you can (for the time being) temporarily exchange relevant code.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33128.

PhilETaylor - comment - 14 Apr 2021

Will this be fixed in the next version or will there be a new update package?

Not my decision. Just another sloppy JSST security fix :-(

dgrammatiko - comment - 14 Apr 2021

Out of curiosity why is this a security problem or even a problem at all?

Template editing is allowed only from Super Users. Also, this field accepts only a URL path, so I find this extremely weird that a superuser decides to alter the logo and inject faulty code. Or it's just me...

PhilETaylor - comment - 14 Apr 2021

Ask the @joomla/security JSST team. I'm not part of that team. I'm not privileged to see the original reports.

I know as much as everyone else - and that is it's "Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error pages" as per https://developer.joomla.org/security-centre/850-20210401-core-escape-xss-in-logo-parameter-error-pages.html

joomdonation - comment - 14 Apr 2021

@dgrammatiko I was about to ask the same question myself. Don't we trust super users anymore?

dgrammatiko - comment - 14 Apr 2021

@PhilETaylor I'm not trying to blame you here, just to understand why this is treated as insecure.

Edit: also, why is there no validator/sanitiser for the media field: https://github.com/joomla/joomla-cms/tree/staging/libraries/src/Form/Rule

sandewt - test_item - 15 Apr 2021 - Tested successfully
sandewt - comment - 15 Apr 2021

I have tested this item successfully on c305311


sandewt - comment - 15 Apr 2021

Why does htmlspecialchars($this->params->get('sitetitle')) (also line 82) have no ENT_QUOTES or ENT_COMPAT?
In other places this is done in the Joomla code!


PhilETaylor - comment - 15 Apr 2021

@sandewt your comment is unrelated to this PR.

ENT_COMPAT is the default value of $flags https://www.php.net/htmlspecialchars

sandewt - comment - 15 Apr 2021

@sandewt your comment is unrelated to this PR.

Right.

ENT_COMPAT is the default value of $flags https://www.php.net/htmlspecialchars

Of course, supplemented with UTF-8.
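The advisory quoted above (inadequate escaping of the logo parameter on error pages) and the ENT_COMPAT / ENT_QUOTES exchange above both come down to the same question: what does a value look like once it is echoed into an HTML attribute, with and without htmlspecialchars(), and which flag is needed for which attribute delimiter. The following is an added example, not Joomla's own template code; the escapeAttr() and renderLogoTag() helpers and the sample logo values are constructed for illustration.

```php
<?php
// Added example (not code from the Joomla project). It shows why a parameter
// echoed into <img src="..."> on an error/offline page must be escaped, and
// what ENT_COMPAT (PHP's historic default) versus ENT_QUOTES changes.

// Escape a value for use inside an HTML attribute.
// ENT_COMPAT converts only double quotes; ENT_QUOTES converts both " and '.
// The encoding is passed explicitly (as the comment above suggests) so the
// result does not depend on the runtime's default_charset setting.
function escapeAttr(string $value, int $flags = ENT_QUOTES): string
{
    return htmlspecialchars($value, $flags, 'UTF-8');
}

// Render the tag the way an unescaped template would ($escape = false) and the
// way a hardened template would ($escape = true). $quote is the attribute
// delimiter the template uses around the src value.
function renderLogoTag(string $logo, bool $escape, int $flags, string $quote = '"'): string
{
    $value = $escape ? escapeAttr($logo, $flags) : $logo;

    return '<img src=' . $quote . $value . $quote . ' alt="logo" />';
}

// Constructed sample values: a logo path that carries the attribute delimiter,
// which is what lets a stored parameter break out of the src attribute.
$samples = [
    'double-quoted attribute' => ['"', 'images/logo.png" class="injected'],
    'single-quoted attribute' => ["'", "images/logo.png' class='injected"],
];

foreach ($samples as $label => [$quote, $logo]) {
    echo "== $label ==\n";
    echo "raw:        ", renderLogoTag($logo, false, ENT_COMPAT, $quote), "\n";
    echo "ENT_COMPAT: ", renderLogoTag($logo, true, ENT_COMPAT, $quote), "\n";
    echo "ENT_QUOTES: ", renderLogoTag($logo, true, ENT_QUOTES, $quote), "\n\n";
}
```

Running this shows the two points made in the thread. With a double-quoted attribute, the raw output closes the src attribute early and an extra attribute lands in the tag, while both ENT_COMPAT and ENT_QUOTES turn the embedded quote into &quot; and keep the value inside the attribute. With a single-quoted attribute, ENT_COMPAT leaves the single quote untouched, so the breakout still happens; only ENT_QUOTES (which emits &#039;) contains it. So relying on the default flag is only adequate when every attribute the value is echoed into is double-quoted. One version caveat: the ENT_COMPAT default applies to PHP before 8.1; from PHP 8.1 the default flags are ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, which is one more reason to pass the flags explicitly as Joomla does elsewhere.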

alikon - test_item - 15 Apr 2021 - Tested successfully
alikon - comment - 15 Apr 2021

I have tested this item successfully on c305311


alikon - change - 15 Apr 2021
Status Pending Ready to Commit
alikon - comment - 15 Apr 2021

RTC


rdeutz - close - 16 Apr 2021
rdeutz - merge - 16 Apr 2021
rdeutz - change - 16 Apr 2021
Status Ready to Commit Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2021-04-16 07:52:42
Closed_By rdeutz
Labels Added: PR-staging ?
