The current implementation of the FormattedTextLogger class creates a potential code execution vulnerability if either Joomla core itself or a third-party extension had an object injection vulnerability via unserialization of user-supplied input. This PR adds an exception message for that very specific case, preventing such an attack payload from being written.
YES, I'm aware that this is a theoretical b/c break. However, weighing the pros and cons of the current implementation, I think that it's a useful change nonetheless.
Testing instructions: apply the patch, then create a log entry by trying to log in to the administrator site with wrong credentials.
Actual result before applying this pull request: log file is written.
Expected result after applying this pull request: log file is written.
Documentation link for docs.joomla.org: no documentation changes for docs.joomla.org needed.
Pull Request link for manual.joomla.org: no documentation changes for manual.joomla.org needed.
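As an added illustration (not Joomla's code and not this PR's diff), the pattern the PR describes, in a minimal hypothetical logger: a class that flushes its buffer to a file when destroyed, and a guarded subclass whose `__wakeup()` throws so that an instance restored by `unserialize()` is discarded before it can write anything. The class names, `demo()` and the sample log line are assumptions.

```php
<?php
// Added example, not Joomla's code: a minimal logger that flushes to a file
// when destroyed, the same property that makes a logger class attractive as a
// gadget once an object injection exists somewhere else in the application.
class FileLogger
{
    private string $buffer = '';
    public function __construct(private string $path) {}
    public function log(string $line): void
    {
        $this->buffer .= $line . PHP_EOL;
    }
    public function __destruct()
    {
        // Runs for any instance, including one that unserialize() built from
        // attacker-chosen $path and $buffer, unless the engine suppresses it.
        if ($this->buffer !== '') {
            file_put_contents($this->path, $this->buffer, FILE_APPEND);
        }
    }
}

// Hardened variant (hypothetical): a logger is never legitimately restored
// from serialized data, so refuse it up front. Current PHP releases do not run
// __destruct for an object whose __wakeup() threw, so nothing is written.
class GuardedFileLogger extends FileLogger
{
    public function __wakeup(): void
    {
        throw new \RuntimeException(static::class . ' cannot be unserialized');
    }
}

// Legitimate use keeps working; a serialized copy can no longer be revived.
function demo(string $dir): bool
{
    $target = $dir . '/guarded.log';
    $logger = new GuardedFileLogger($target);
    $logger->log('login failed for user "demo"');   // constructed sample line
    $blob = serialize($logger);                      // stands in for a payload
    unset($logger);                                  // normal flush on destruct
    $flushed = file_exists($target);
    if ($flushed) { unlink($target); }
    try {
        unserialize($blob);                          // guard should throw here
        return false;                                // revived without error
    } catch (\RuntimeException $e) {
        // only true if the normal flush happened and the revived copy wrote nothing
        return $flushed && !file_exists($target);
    }
}
```

Call `demo(sys_get_temp_dir())` to exercise both paths; a `false` return means either the legitimate flush failed or the unserialized copy reached `__destruct` and wrote the file.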
| Field | From | To |
|---|---|---|
| Status | New | Pending |
| Category | | Libraries |
| Status | Pending | Closed |
| Closed_Date | 0000-00-00 00:00:00 | 2024-11-08 14:11:27 |
| Closed_By | | SniperSister |
| Labels | | Added: PR-5.2-dev |
| Status | Closed | New |
| Closed_Date | 2024-11-08 14:11:27 | |
| Closed_By | SniperSister | |
| Status | New | Pending |
I have tested this item ✅ successfully on 4982fc9
Tested successfully as described.
Log Entries before and after identical.
The test instruction doesn't appear to run the new method. Please confirm.
As described, there is no option to execute the method in core. That’s why the purpose of the instructions is to confirm that legitimate use cases of that class are unaffected.
I have tested this item ✅ successfully on 2ed7d84
| Field | From | To |
|---|---|---|
| Status | Pending | Ready to Commit |
RTC
| Field | From | To |
|---|---|---|
| Labels | | Added: RTC |
| Status | Ready to Commit | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | 2024-11-14 08:08:52 |
| Closed_By | | Hackwar |
Thank you for your contribution!
@ramalama can you open https://issues.joomla.org/tracker/joomla-cms/44428 and
Now the test counts as successful.