? Success

User tests: Successful: Unsuccessful:

avatar fcoulter
fcoulter
15 Apr 2014

Prevents security issue where $file can be an empty string or directory path. If that happens the deletion fails but the directory is left writeable with 0777 permissions. If $file is empty then this is interpreted by chmod as the current director, so root folder of Joomla site is left writeable.

avatar fcoulter fcoulter - open - 15 Apr 2014
avatar Bakual
Bakual - comment - 15 Apr 2014

For testers: http://www.spiralscripts.co.uk/Joomla-Tips/nasty-trap-lurking-within-joomla-jfile-class.html has some good writeup of this bug and also explains how to reproduce it.

In short: Use

$file = '';
JFile::delete($file);

@fcoulter Thanks for the PR. It's very appreciated! I saw some minor codestyle issues which I'm going to add notes to the lines. It would be cool if you can update the PR with that then.

avatar zero-24 zero-24 - reference | - 15 Apr 14
avatar fcoulter
fcoulter - comment - 15 Apr 2014

OK, I have made the requested style changes.

avatar Bakual
Bakual - comment - 15 Apr 2014

Perfect :+1:

avatar wilsonge
wilsonge - comment - 15 Apr 2014

Would it be better to do this check after the JPath::clean() because that's the actual final file path that will try to be deleted

avatar zero-24 zero-24 - reference | - 15 Apr 14
avatar Bakual
Bakual - comment - 15 Apr 2014

Would it be better to do this check after the JPath::clean() because that's the actual final file path that will try to be deleted

I agree that this would make sense. :+1:

avatar fcoulter
fcoulter - comment - 15 Apr 2014

I was going on the assumption that putting it first saves the call to JPath::clean() which doesn't actually do a whole lot that would make a big difference (except clear up possible problems with directory separator), but actually I have no objection to putting it after.that call.

avatar fcoulter
fcoulter - comment - 15 Apr 2014

Change is made.

avatar mbabker mbabker - reference | f93b85f - 24 Apr 14
avatar mbabker mbabker - merge - 24 Apr 2014
avatar mbabker mbabker - close - 24 Apr 2014
avatar mbabker mbabker - change - 24 Apr 2014
Status New Closed
Closed_Date 0000-00-00 00:00:00 2014-04-24 21:31:39
avatar mbabker mbabker - close - 24 Apr 2014
avatar Bakual Bakual - reference | 1ddc466 - 12 May 14

Add a Comment

Login with GitHub to post a comment