[#33282] - [5.0] Enforce Strict parsing for both article and category alias …
- Closed
- 10 Jan 2023
- Medium
- Build: 4.0-dev
- # 33282
- Diff
- Ruud68:strictrouter
User tests: Successful: Unsuccessful:
Pull Request for Issue #32490 .
Summary of Changes
The router used in 3.9 and used in 4.0 allows for Search Engine URL forgeries (see #32490) for the impact of this (business) vulnerability.
This PR enforces the ID and Alias in the URL to match. If no match, a 404 will be produced (same as in the Modern Router)
This PR is a redo of #32500 (it now also checks the category alias), after several attempted PR's by @PhilETaylor and discussions on these PRs (#32880 #33270 #32879 #32490 and probably missing some) .
In the discussions the preference was shown to fix this in the router, which this PR does.
Testing Instructions
In article option tab integration switch Remove IDs from URLs to 'No'
Testing instructions are for com_content, but should be repeated with com_contact and com_newsfeeds
[A] Test:
- open on the front-end [yourdomain]/index.php/blog/5-your-modules
- open on the front-end [yourdomain]/index.php/blog/5-dont-do-any-business-with-me-because-i-suck
Install this PR
[B]Repeat test above
Actual result BEFORE applying this Pull Request
[A]: 1 > Your Modules page in displayed
[A]: 2 > Your Modules page is displayed (note: the non-existing / fake URL will be indexed by Google because it resolves okay and as such will show in your sites search results)
Expected result AFTER applying this Pull Request
[B]: 1> Your Modules page is displayed
[B]: 2 > a 404 is thrown which is the correct behavior as this page doesn't exist and should NEVER resolve okay!
Documentation Changes Required
cc: @PhilETaylor @Hackwar
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Administration com_content Language & Strings Front End |
There is no legacy router in 4.0 anymore. And as I said, please remove the config option for this. Either we enforce this all the time or we don't add this at all. We also need this for every core component, not just com_content.
There is a reason I made the toggle as when you come from 3.9 > 3.10 > 4.0 there is a incompatibility in the build URL's (switching to with ID in J4 will not fix that). This toggle gives the user a way out of not being able to migrate. current default is 'Loose', but that could of course also be 'Strict'
As for the other components: yes of course, first 'proof' this 'concept' before putting a lot of time in redoing etc.
Again, this change here has no influence on that build part. People will have to come up with a migration strategy for their URLs anyway, regardless of your change here. The alias should be identical in both 3.x and 4.0.
Again, this change here has no influence on that build part. People will have to come up with a migration strategy for their URLs anyway, regardless of your change here. The alias should be identical in both 3.x and 4.0.
The alias is identical, the rest isn't always identical. I am trying to make the migration to 4 as easy as possible, I believe this switch helps, but I agree that when moving forward people should switch their sites to the 'modern' with NO id's URLs. IMO They should have done that already when the modern router was introduced.
That said: I will remove it (will make the code even simpler :)), but know that without this toggle certain URL's that resolved okay before this PR will then give a 404
infograf768
- | Title |
|
||||||
For the category part, you can simply replace that one check from $child->id == (int) $segment to $child->id . ':' . $child->alias == $segment
| Labels |
Added:
?
?
|
||
| Category | Administration com_content Language & Strings Front End | ⇒ | Front End com_content |
| Title |
|
||||||
For the category part, you can simply replace that one check from
$child->id == (int) $segmentto$child->id . ':' . $child->alias == $segment
PR is updated now
| Labels |
Removed:
?
|
||
Please also add the other components here as well.
| Category | com_content Front End | ⇒ | Front End com_contact com_content com_newsfeeds |
Please also add the other components here as well.
done
I'm not sure with this hardcore version. IIRC the last version had an option to redirect wrong alias to the correct uri.
I would really like to see this version as an option. I'm not sure how many urls get changed with the "new" router. So it would better to have the possibility to redirect a wrong alias to the correct right alias.
I'm not sure with this hardcore version. IIRC the last version had an option to redirect wrong alias to the correct uri.
I would really like to see this version as an option. I'm not sure how many urls get changed with the "new" router. So it would better to have the possibility to redirect a wrong alias to the correct right alias.
I have removed it as requested by @Hackwar
as for the url changing, I have tested upgrading huge site (90000 articles, 1300 categories) from 3.9 (with legacy router) to 3.10 to 4.0. Even when 4.0 is set with ID in the URl, the URLs change. So either way, this is going to be potentially 'dramatic' to migrate.
When doing the redirects to correct this when upgrading to 4.0 then people are best of to do the 'extra' step to disable the ID in the URL altogether.
@Hackwar can you advise?
| Labels |
Added:
?
Information Required
Removed: ? |
||
This pull request has automatically rebased to 4.2-dev.
This pull requests has been automatically converted to the PSR-12 coding standard.
| Title |
|
||||||
| Labels |
Added:
?
?
Removed: ? |
||
I looked through this again and I fear we are to late to merge this into 4.x. This is going to be a change which will still break some peoples sites and thus we can't merge it into 4.2 or 4.3. So unfortunately 5.0 it is.
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2023-01-10 10:01:47 |
| Closed_By | ⇒ | Ruud68 | |
| Labels |
Added:
PR-5.0-dev
Removed: ? ? |
||
There is no legacy router in 4.0 anymore. And as I said, please remove the config option for this. Either we enforce this all the time or we don't add this at all. We also need this for every core component, not just com_content.