[#34236] - [4] filepath form field validation rule doesnt reject invalid folders.
- Closed
- 29 May 2021
- Medium
- Build: staging
- # 34236
Steps to reproduce the issue
Ensure you dont have a folder called ABCDEF in the root of your site.
add validate="filePath" to an xml form field like below
<field
name="attachment_folder"
type="text"
label="COM_MAILS_CONFIG_FIELD_ATTACHMENT_FOLDER_LABEL"
description="COM_MAILS_CONFIG_FIELD_ATTACHMENT_FOLDER_DESC"
size="40"
validate="filePath"
exclude="administrator|api|bin|cache|cli|components|includes|language|layouts|libraries|modules|plugins|templates|tmp"
/>Use that form and enter ABCDEF as the field value.
Expected result
ABCDEF is rejected as it doesnt exist, therefore its an invalid location
Actual result
ABCDEF passes validation.
https://raw.githubusercontent.com/4Hackerz/C99-Shell/master/ passes validation
ftp://example.com passes validation
,http://example.com passes validation
Bonus
Backticks are also accepted in the file path and the following is a valid folder name EDIT (hmm hard to add backticks in GitHub issues, here is an image)
joomla-cms-bot
- | Labels |
Added:
?
|
||
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-05-29 08:49:00 |
| Closed_By | ⇒ | joomdonation |
| Status | Closed | ⇒ | New |
| Closed_Date | 2021-05-29 08:49:00 | ⇒ | |
| Closed_By | joomdonation | ⇒ |
the path rule do not supposed to check if path exists, but to check if there stuff like blabla/path, that all.
Backticks are also accepted
They are valid in folder name.
Do not see issue here.
Then you probably have not lived long enough and do not understand the point I was making.
In this context it's "probably" ok, however it would be highly frowned upon to use backticks in file names and folder names and anything else that is then evaluated - for example an filtered, and Unescaped, passing to passthur or exec or system as part of a command eg to move a file with mv
And yes, I have seen vulnerable code from 3pd that does exactly this!
yea, but well, you want to much from "filePath" rule
It just to checking if the given string looks like a path, no more no less.
For what you asked it better to create more obvious rule like "pathExist" or something.
It just to checking if the given string looks like a path, no more no less.
there is no point in a validation rule checking just whether something "looks like" something, only to then allow Joomla to go on and use it, even though the path doesn't exist (or worse, creates a security issue later on).
We can talk forever about the "point" . But anyway, we cannot change it, because it changes the behavior.
What we can do is make another rule, that will do what you asked.
The "point" of the FilePathRule is documented as
"Method to test if the file path is valid"
If the folder doesn't exist then THE PATH IS NOT VALID.
Method to test if the file path is valid
Correct, it does not say that "Method to test if the file path is exists".
The string may represent path, or in other words be a valid path string.
As I said, we can talk about it forever.
With your arguments I can start issue why UrlRule does not validate whether URL exist, or EmailRule does not check whether email exist.
Sometimes in an argument you just have to give up and accept the fact that the other person is wrong.
Closing and will reveal my PoC security issue to the JSST instead as it seams people don't have the ability to read between the lines when I post cryptically about security issues.
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-05-29 11:24:31 |
| Closed_By | ⇒ | PhilETaylor |
it seams people don't have the ability to read between the lines
you or me?
I understood what you expected, and what you want, and I suggested a solution.
One more thing.
Let say we have a PathExistsRule, then what it should validate, relative or absolute path?
Because depend from situation it may need one or another.
PR is #34271 . Please test.