No Code Attached Yet
Kostelano
29 Jan 2022

Steps to reproduce the issue

Components pass the database table prefix to the user activity log. Probably not worth doing.

See #36889 (comment)

To reproduce the problem, just play with the task scheduler component in the plan to create / execute / unlock the task, then look in the action log, having previously checked the scheduler component in the action log settings (by the way, if I don’t confuse anything from memory, this is the only DISABLED component in the action log after installing Joomla).

Localhost, PHP 7.2, MariaDB 10.3, one of the latest nightly builds of Joomla 4.1.

Screenshot_1

Screenshot_2

Kostelano - open - 29 Jan 2022
joomla-cms-bot - change - 29 Jan 2022
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 29 Jan 2022
cronlabspl - comment - 29 Jan 2022

this should not be done

May you elaborate as to why this shouldn't be done?

Kostelano - comment - 29 Jan 2022

I wrote carefully :)

Probably, this should not be done, given that this has never been noticed in the work of other components.

At first glance, it's hard for me to imagine a situation with a security breach, even if NOT a super administrator (but just an administrator) knows the prefix of the database tables.

I think that more experienced developers will be able to appreciate this behavior. If I'm wrong, just close.

brianteeman - comment - 29 Jan 2022

You are correct, it should not show the prefix.

Quy - comment - 30 Jan 2022

I am unable to replicate. Please provide steps to reproduce.

brianteeman - comment - 30 Jan 2022

From your screenshot it looks odd because there are 4 logs of a checkin and only one of those does not have the prefix removed.

Kostelano - change - 30 Jan 2022
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2022-01-30 09:46:25
Closed_By Kostelano
Kostelano - close - 30 Jan 2022
Kostelano - comment - 30 Jan 2022

Hmmm, now I have the prefix displayed in any component, not just the scheduler. I have not yet determined what sequence in the Joomla control panel should be done to get this behavior.

I'll close this for now.

heelc29 - comment - 13 Feb 2022

@Kostelano Can you reopen please. I can replicate it.

Check-in via buttons (close) or lock icon works fine
image
Check-in via Global Check-in not
image
Actionslogs:
image
Also, it's not specific to task scheduler. I've tested it with the contact component.

Kostelano - change - 13 Feb 2022
Status: Closed → New
Closed_Date 2022-01-30 09:46:25
Closed_By Kostelano
Kostelano - reopen - 13 Feb 2022
Kostelano - comment - 13 Feb 2022

@heelc29 opened. Yes, I agree, this does not apply to the scheduler, it just happened initially that I caught the problem with it.

I will rename the problem.

Kostelano - change - 13 Feb 2022
Title: [4.1] Task Scheduler passes database table prefix to user activity log → [4.1] Components pass database table prefix to user activity log
Kostelano - edited - 13 Feb 2022
Kostelano - change - 13 Feb 2022
The description was changed
Kostelano - edited - 13 Feb 2022
brianteeman - comment - 3 Mar 2022

Please test #37198

Kostelano - change - 3 Mar 2022
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2022-03-03 18:07:06
Closed_By Kostelano
Kostelano - close - 3 Mar 2022