Code review
Actually a security issue fix too as the filters were not being applied.
Status | New | ⇒ | Pending |
Category | | ⇒ | Unit Tests, Repository, Administration, com_admin, SQL, Postgresql, com_config, com_contact, com_content, com_finder, com_installer, com_media, NPM Change, JavaScript |
Labels | Added: NPM Resource Changed |
Category | Unit Tests, Repository, Administration, com_admin, SQL, Postgresql, com_config, com_contact, com_content, com_finder, com_installer, com_media, NPM Change, JavaScript | ⇒ | |
Labels | Removed: NPM Resource Changed |
Note: If you don't specify this parameter then a default of "cmd" is used. See https://docs.joomla.org/Retrieving_request_data_using_JInput
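Added illustration of the filter argument described in the note above (this is example code written for this page, not code from the PR or from Joomla itself). It exercises the Joomla Framework `Input::get($name, $default = null, $filter = 'cmd')` call on constructed request data and assumes the joomla/input and joomla/filter Composer packages are installed under ./vendor.

```php
<?php
// Added example, not code from the PR under discussion. Assumes the
// joomla/input and joomla/filter packages are installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Joomla\Input\Input;

// Constructed request data standing in for $_GET.
$request = new Input([
    'core'    => '1',
    'payload' => '<b>hello</b> world!',
]);

// Signature: get($name, $default = null, $filter = 'cmd').
// With no third argument the 'cmd' filter runs, which keeps only
// [A-Za-z0-9_.-] characters, so the markup, space and '!' are stripped.
var_dump($request->get('payload'));

// Filter given by name, as proposed for line 50: BOOLEAN casts the raw
// value with (bool), so the string '1' comes back as a PHP boolean.
var_dump($request->get('core', null, 'BOOLEAN'));

// A missing key returns the default untouched; the default is never passed
// through the filter, so a null default stays null instead of becoming false.
var_dump($request->get('missing', null, 'BOOLEAN'));

// The mistake the PR corrects: the filter name in the default slot. 'BOOLEAN'
// is silently treated as the default value (ignored because the key exists)
// and the 'cmd' filter runs instead, so the intended filter is never applied.
var_dump($request->get('core', 'BOOLEAN'));
```

Run with `php example.php` and compare the last two dumps: the value of `core` only becomes a boolean when the filter sits in the third parameter.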
You fail to understand that the code as is currently is wrong with the method params in the wrong place completely - this is what this PR fixes
line 50 is out of scope of this PR as it is not suffering from the problem this PR seeks to resolve.
Really missed me.
I have tested this item
Not much about security, a default filter is cmd.
So even with such typo it still was safe
Well you believe what you want then. Applying the wrong filter, assuming that you are applying a different filter, to unsanitized user supplied input, is a security issue, regardless if it can be exploited or not.
Input filtering is not about type casting - it’s about sanitising user input. That has everything to do with security.
It’s just another example of shocking code quality that has apparently had two human tests and a maintainer review before being merged. Any IDE would point out that it was wrong.
I have tested this item
Status | Pending | ⇒ | Ready to Commit |
RTC
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-01-31 17:34:42 |
Closed_By | | ⇒ | bembelimen |
Thx
See line 50:
$requestBool = $this->input->get('core', $this->input->get->get('core'));
Why not change this?
$requestBool = $this->input->get('core', $this->input->get->get('core', null, 'BOOLEAN'));
null = ? => false or true ??