[#33946] - [4][Security] Do not allow command line to be called from the web
- Fixed in Code Base
- 19 May 2021
- Medium
- Build: 4.0-dev
- # 33946
- Diff
- PhilETaylor:clisecurity
User tests: Successful: Unsuccessful:
Summary of Changes
StackOverflow emailed me this https://joomla.stackexchange.com/questions/29123/cli-directory-is-publicly-accessible-is-it-supposed-to-be-is-that-safe/29181
They were correct, that Joomla 4 did not have any test for CLI use when the scripts were called from the web.
The code proposed is back ported from the Joomla-framework Joomla\Console\Application constructor and so should be "good enough"
Testing Instructions
Go to http://example.com/cli/joomla.php in a web browser.
Actual result BEFORE applying this Pull Request
With debug on/error reporting = maximum
With debug off/error_reporting none
Expected result AFTER applying this Pull Request
White screen of death - which is a good thing.
Documentation Changes Required
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Libraries |
Just like I stated:
The code proposed is back ported from the Joomla-framework Joomla\Console\Application constructor and so should be "good enough"
It should also be noted that its the same code that is currently used in Joomla 3
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33946.
Just like I stated:
The code proposed is back ported from the Joomla-framework Joomla\Console\Application constructor and so should be "good enough"
^^ ok sorry missed this part, looks strange anyway but ok
Im not saying its perfect, but at least its consistent :)
There are a few uses of php_sapi_name in Joomla 3 but the only use of php_sapi_name in Joomla 4 appears to be in vendor libs.
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33946.
perfectible but better than before
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33946.
| Labels |
Added:
?
?
|
||
Previous tests and RTC are still valid since last commit was just a change in a code comment.
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-05-19 22:28:23 |
| Closed_By | ⇒ | wilsonge | |
| Labels |
Added:
?
Removed: ? |
||
Somewhat unconvinced this belongs here vs in the entry file itself for the cli. But better than nothing for sure. easy to move around in the future. Thanks!
its a direct copy of the same code in a constructor in the CliApplication.php
Sure but in that place every CLI app had a different entry point. In J4 the one true way (xD) is that we'll have a single entry point like site/admin is - so should be a bit simpler to manage and less confusing for 3rd party devs who don't need to look at the file. But anyhow it's fine for now
is there a reason why you not simple do
if (\php_sapi_name() === 'cli') {?