Files and folders starting with dot didn't pass the regexpr test.

thats good as they are not supposed to

Paging @joomla/security as this was a security fix that is involved here @zero-24 #32076

This should not be merged until reviewed by the JSST.

@brianteeman There is no reason that those files and folders should be ommited. Especially folders. For example ".tmp" makes that folder hidden on Linux, not visible for example through FTP access.

not visible for example through FTP access.

LMAO!!! Yes. They. Are. :-)

@PhilETaylor I know you can switch on to show it, but if you just want to keep your view clean, you can easily hide it with dot.

Also this repo is not the place for changes to libraries/vendor/joomla/filter/src/InputFilter.php

Those should be made in the framework repo at https://github.com/joomla-framework/input

This PR should be closed, and if you really want to propose it, and have it commented on by the @joomla/security team, then https://github.com/joomla-framework/input is the correct place.

or maybe you meant to update this file? libraries/src/Filter/InputFilter.php

libraries/src/Filter/InputFilter.php only calll parent::clean function. To modify it would mean to copy all the code from libraries/vendor/joomla/filter/src/InputFilter.php...

How to get comment from @joomla/security team? Here, or need to be contacted other way?

https://developer.joomla.org/security/contact-the-team.html

Ok, thanks. The PR should be propably made to https://github.com/joomla-framework/filter package, or as you proposed, to 'libraries/src/Filter/InputFilter.php', or maybe directly to Model of Joomla Update component. I contacted security team to review this and give advice.

Generally this is related to issue you mentioned here #32567 but on other place of Joomla.

@n3t Your pull request is wrong for following reasons:

1. Your regular expressions are wrong. They will, in opposite to those in current Joomla 3 code, allow paths like e.g. /some/folder/../../../evil.php on Linux, which means breaking out of the Joomla root. This open a security hole and so cannot be accepted. You can easily very that with one of the many available sites for online execution of preg_match. Just Google for it.
2. Any change has to be made in the https://github.com/joomla-framework/filter repository .

I suggest you open an issue with a feature request in the https://github.com/joomla-framework/filter repository. The feature request should clearly describe your requirement (to be able to use folder and file names starting with a dot).

And please don't contact anymore the SST for discussing this PR via their email for reporting security issues. The form which you have used is ONLY for reporting security issues. @PhilETaylor had already notified the right person in his comment here #33151 (comment) .

@richard67 Thanks for your review, sorry for using contact form, I did it just because asked to. I will raise an issue on framework. Anyway, checking double dots in tmp folder set in configuration.php doesn't bring any real security in Joomla update process, as I can easily go to configuration, and set directly /other/folder/evil.php, which will pass the test as correct path...

@n3t We don't protect a super user from himself (or herself). If you enter such an absolute path in backend you should know what you are doing. There are other ways to manipulate paths than changing in backend.