[#38615] - [4.2][Security] Re-add jexec or die
- Fixed in Code Base
- 28 Aug 2022
- Medium
- Build: 4.2-dev
- # 38615
- Diff
- HLeithner:fix/or-die
User tests: Successful: Unsuccessful:
As part of the PSR-12 pull request I removed almost all checks for directly directly executing files which only includes symbol definitions (functions, classes, interfaces...). This has been done to fit the PSR1.Files.SideEffects.FoundWithSymbols rule.
Sadly I assumed the coding standard would also take security serious (in this case path disclosure).
I only thought about the security aspect of directly executing code with may using input parameters provided by an attacker. Which actually would be mitigated because no code is directly execute if you only define classes or functions.
The path disclosure is normally not a problem because in production you should not have error reporting "on" and in such case you don't expose any error messages including "class not found in file".
Never the less Joomla sees this information disclose as security issue and try to save the user for miss configured webhosts.
A simple demonstration:
class a extends \Joomla\CMS\MVC\Model\AdminModel {}This simple code would thru the following error message if you directly open the file with the webbrowser:
Fatal error: Uncaught Error: Class 'Joomla\CMS\MVC\Model\AdminModel' not found in /web//a.php:1
Stack trace: #0 {main} thrown in /web//a.php on line 1
The reason that the class can't be found is because no autoloader has been defined in this file.
At a future release we maybe can remove this statements if we are able to move the cms files out of the webserver scope but that's another story and have to be evaluated when we are at this point.
I want to thank @SharkyKZ notifying me about this issue.
/cc @nikosdion Your MFA PR didn't have defined die this PR adds them, you maybe want's to have a look.
I apologies for the inconvenience caused.
Summary of Changes
Added a script which checks all files changed in the PSR-12 PR and readd the same constent used before back into the current version of the file.
Also some additional files have been checked and defined die statements have been added.
New checks have the following pattern:
// phpcs:disable PSR1.Files.SideEffects
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffectsI exclude this statement from the phpcs check because it's likely we will remove this side effect completely and introduce a new check which will force defined die to all files (except it's disabled in the file).
I also used the namespace version of this command even if not needed because it makes copy paste easier and doesn't hurt.
I also decided to keep the or operator instead of the || format because it's easier to read for non programmers (and this form is used for ever).
To be more in sync with the rest of the php world I moved the statement after the last use statement.
Testing Instructions
Install the CMS and test everything.
PHPCS and Unittests do some basic checking.
Actual result BEFORE applying this Pull Request
Path disclosure is possible on not proper configured webhosts
Expected result AFTER applying this Pull Request
Path disclosure is no longer possible again.
Documentation Changes Required
Should be mentioned in the programmers documentation
Further TODOs
After the release of 4.2.1 I will write a PR to get all other defined die in sync with this pr (moving below use, using \defined and try to get rid of defined('JPATH_PLATFORM').
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Administration com_admin |
@HLeithner Yeah, even though my original code did have the JEXEC or die statements I removed them because you guys told me that using strict PSR-12 was the way forward. Remember, my PR was taking place around the same time so I configured phpStorm to use PHP-CS with strict PSR-12 compliance.
I also saw the same problem with path disclosures when the default PHP error reporting is on (which is the default value in cPanel and Plesk, as well as virtually all Linux distributions — it's scary!). I thought that before release you guys would be adding .htaccess rules like the ones I have in https://github.com/nikosdion/kyrion-htaccess or at least security guidance. Not exactly ideal but you were dead set on using PSR-12 which is absolutely NOT meant for mass–distributed software that have all of their code under the web root but, hey, I neither get a vote nor do I care all that much since me and my clients are protected by the .htaccess rules added by my .htaccess Maker.
Regarding your PR, I took a look at the patch file (GitHub crashes and burns my browser since there are 1,824 modified files — browsers generally frown upon 1MiB or more of HTML being parsed at once). It looks alright to me. Since these files started their life with the JEXEC or die statements nothing should be broken.
| Labels |
Added:
Release Blocker
?
|
||
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-08-28 07:39:41 |
| Closed_By | ⇒ | roland-d |
Thanks everybody
I have tested this item✅ successfully on 2dccb52
I have created a list of "defined...or die" findings in PHP files with use of the "findstr" command of the Windows command shell (on Linux you could use "grep") on a full installation package created on the branch of this PR and have compared that with the same kind of listing created for a 4.1.5 full package, using a good comparison tool (Beyond Compare), and I've carefully checked that all differences are as expected, i.e. this PR here adds all these statements back where they have been removed by the psr-12 changes, and adds a few more which were missing, and some moved from here to there due to moved and renamed files, mainly from the change from 2FA to MFA.
In addition I have checked that a full installation made with this PR works, also debug works, where this PR has added a bunch of missing "defined...or die".
Finally I have checked that unit tests and PHPCS are passing.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38615.