RTC bug PR-5.4-dev Pending

Denitz
19 Dec 2025

Summary of Changes

Smart Search triggers a 500 error on specific search queries, which result in incorrect handling of parsed tokens.

The search phrase is split into terms, then each term is tokenized.

A term like ' (single quote) is tokenized as an empty array (no tokens); this case is not handled properly.

Tokenization occurs in the Joomla\Component\Finder\Administrator\Indexer\Language::tokenise() method, which removes single quotes:

$input = preg_replace('#(^|\s)[\'+-.,]+(\s|$)#mui', ' ', $input);
$input = preg_replace('#(^|\s)[\p{Pi}\p{Pf}]+(\s|$)#mui', ' ', $input);

These lines remove certain characters like '+-., plus standalone Unicode initial and final punctuation characters when they appear as separate tokens. Only isolated ones are removed — not quotes attached to words.

\p{Pi} — Initial punctuation
Examples:

“ (LEFT DOUBLE QUOTATION MARK)
‘ (LEFT SINGLE QUOTATION MARK)
« (LEFT-POINTING DOUBLE ANGLE QUOTATION MARK)
‹ (LEFT-POINTING SINGLE ANGLE QUOTATION MARK)

\p{Pf} — Final punctuation
Examples:

” (RIGHT DOUBLE QUOTATION MARK)
’ (RIGHT SINGLE QUOTATION MARK)
» (RIGHT-POINTING DOUBLE ANGLE QUOTATION MARK)
› (RIGHT-POINTING SINGLE ANGLE QUOTATION MARK)

Both Joomla 5 and 6 are affected.


Testing Instructions

On an English website, search in Smart Search for ' OR '1'='1

Actual result BEFORE applying this Pull Request

See 500 error.

Real example from joomla.com:
https://www.joomla.org/search.html?q=%27+OR+%271%27%3D%271

Expected result AFTER applying this Pull Request

No errors.

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
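
The empty-token case described above, as an added example that is not part of this pull request or of Joomla's code base: only the two preg_replace() calls are taken from the description, while tokeniseTerm(), collectTokens() and the sample phrases are constructed here. It goes beyond the single reported query to show which terms survive the substitutions and which collapse to an empty token list.

```php
<?php
declare(strict_types=1);

// Added illustration; only the two preg_replace() calls come from the PR description.
// tokeniseTerm() and collectTokens() are hypothetical helpers, not Joomla APIs.

function tokeniseTerm(string $term): array
{
    // Remove punctuation that stands alone between whitespace or string boundaries.
    $term = preg_replace('#(^|\s)[\'+-.,]+(\s|$)#mui', ' ', $term) ?? '';
    $term = preg_replace('#(^|\s)[\p{Pi}\p{Pf}]+(\s|$)#mui', ' ', $term) ?? '';

    // PREG_SPLIT_NO_EMPTY makes an all-punctuation term come back as [].
    return preg_split('#\s+#u', $term, -1, PREG_SPLIT_NO_EMPTY) ?: [];
}

function collectTokens(string $phrase): array
{
    $tokens = [];
    $terms  = preg_split('#\s+#u', $phrase, -1, PREG_SPLIT_NO_EMPTY) ?: [];

    foreach ($terms as $term) {
        $termTokens = tokeniseTerm($term);

        // The case the PR describes: a term that yields no tokens.
        // Skip it instead of reading the first element as if one existed.
        if ($termTokens === []) {
            continue;
        }

        array_push($tokens, ...$termTokens);
    }

    return $tokens;
}

// Constructed sample phrases: the reported query, isolated quotes, attached quotes.
$samples = ["' OR '1'='1", "'", "“ ”", "“quoted” text", "rock 'n' roll"];

foreach ($samples as $phrase) {
    $json = json_encode(collectTokens($phrase), JSON_UNESCAPED_UNICODE);
    printf("%-16s => %s\n", $phrase, $json);
}
```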

Denitz - open - 19 Dec 2025
Denitz - change - 19 Dec 2025
Status: New → Pending
joomla-cms-bot - change - 19 Dec 2025
Category: Administration com_finder
Denitz - change - 19 Dec 2025
The description was changed
Denitz - edited - 19 Dec 2025
richard67 - change - 19 Dec 2025
Title: 500 error in Smart Search with specific search query → [5.4] Fix 500 error in Smart Search with specific search query
richard67 - edited - 19 Dec 2025
alikon - test_item - 20 Dec 2025 - Tested successfully
alikon - comment - 20 Dec 2025

I have tested this item ✅ successfully on 904a566


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46586.

exlemor - comment - 20 Dec 2025

@Denitz when trying to test this PR, on my standard Joomla 5.4 nightly sample blog + multi-lingual test installation with standard joomla .htaccess used/activated, I get a Forbidden screen (while on the English language side of the 2 language site) that seems to be blocked by .htaccess as none of Joomla is rendered - see screenshot (applying PR does not change anything).

ScreenFloat Shot of Safari on 2025-12-20 at 21-22-36

Denitz - comment - 22 Dec 2025

@exlemor Please try to enable Joomla debug and set error reporting to maximum.

exlemor - comment - 22 Dec 2025

> @exlemor Please try to enable Joomla debug and set error reporting to maximum.

Hi Denitz, I didn't add it in my description but I also tried that (and I usually have my test instance setup with Maximum Error reporting already)... and NO difference whatsoever, instant screenshot that I showed you.

Denitz - comment - 22 Dec 2025

Try to remove /.htaccess, according to your URL it's not required.

exlemor - comment - 22 Dec 2025

> Try to remove /.htaccess, according to your URL it's not required.

Hi @Denitz,
If you meant in the folder above the /_j540/ location, I have done that and it changes nothing.
If you meant in the folder /_j540/ itself, since I have SEF on, it's required otherwise I get:
Not Found
The requested URL was not found on this server.

Denitz - comment - 22 Dec 2025

But you have /index.php/ in the URL, it means that URL Rewrite is disabled in global config.

brianteeman - comment - 22 Dec 2025

Before this PR I can confirm I get a 500 error with Attempt to assign property "suggestion" on null.
With the PR I can confirm I get a regular search page with the expected No Results Found
No search results could be found for query: ' OR '1'='1.

brianteeman - test_item - 22 Dec 2025 - Tested successfully
brianteeman - comment - 22 Dec 2025

I have tested this item ✅ successfully on 904a566

richard67 - change - 22 Dec 2025
Status: Pending → Ready to Commit
Labels Added: bug PR-5.4-dev
richard67 - comment - 22 Dec 2025

RTC

exlemor - comment - 22 Dec 2025

> but you have /index.php/ in the url, it means that URL Rewrite is disabled in global config.

Hi Denitz, I DO have URL Rewrite on:

ScreenFloat Shot of Safari on 2025-12-22 at 19-57-01

( I didn't change any settings in the System - SEF plugin ).

and same results, the /index.php/ only showed up when I was testing and at that moment, didn't have URL rewrite on in Global Config (but either way, I get the same result).

exlemor - test_item - 24 Dec 2025 - Tested unsuccessfully
exlemor - comment - 24 Dec 2025

I have tested this item 🔴 unsuccessfully on 904a566

I have unsuccessfully tested this PR.

After my comments from yesterday since 2 other tests were successful, and I still have the same situation after a complete wipe and fresh reinstallation of the test Joomla installation files+database, everything of course - I figured I should post an unsuccessful test. (sorry).

Setup: Joomla 5.4.2 nightly - The currently installed Joomla! version is "5.4.2-rc2-dev"
Installation in a sub-folder: /_j540/

Database: 10.11.14-MariaDB, PHP 8.3.29

After Joomla! 5.4.2-rc2-dev installation,
added Blog Sample Data, then
added Language: French, then
added Multilingual Sample Data.
then installed Regular Labs Cache Cleaner 9.7.5,
then installed Joomla Patch Tester 4.4.0, then insert the Joomla GitHub token,

then Global Configuration - Site tab: Search Engine Friendly URLs - ON, Use URL Rewriting - ON (standard Joomla installation htaccess.txt renamed to .htaccess)
then Global Configuration - System tab: Debug System: ON (tried it with and without this set to ON)
then Global Configuration - Server tab: Error Reporting: Maximum, Website Time Zone: Paris, From Email: webmaster@domain.com
then went to Front End, and typed ' OR '1'='1 in Search box, then get:

Forbidden

You don't have permission to access this resource.

in Browser Tab: 403 - Forbidden, in the Browser URL: https://www.domain.com/_j540/en/search?q=%27+OR+%271%27%3D%271

Hope this helps.


richard67 - comment - 24 Dec 2025

@exlemor Do you get the 403 only with the PR applied, or also without?

And do you have an .htaccess in a parent folder of the Joomla root?

For example I use a hardened version of .htaccess which forbids certain characters in URL parameters, which includes also single quotes.

Maybe you have something similar?

I can’t post the details now as I am on my smartphone without access to that file.

richard67 - comment - 24 Dec 2025

@exlemor P.S.: You can send me the content of the .htaccess file from the parent folder in Mattermost in a direct message, then I can check later.

What happens if you use double quotes instead of single quotes in the search query?

exlemor - comment - 24 Dec 2025

> @exlemor Do you get the 403 only with the PR applied, or also without?
>
> And do you have an .htaccess in a parent folder of the Joomla root?
>
> For example I use a hardened version of .htaccess which forbids certain characters in URL parameters, which includes also single quotes.
>
> Maybe you have something similar?
>
> I can’t post the details now as I am on my smartphone without access to that file.

Hello @richard67, the 403 forbidden comes up with or WITHOUT the PR. Prior to my wipe and re-installation, I had removed the .htaccess file in the parent/root folder, and the system reapplied this .htaccess file with only 3 lines.

<FilesMatch \.php$>
        SetHandler proxy:fcgi://lights-php83
</FilesMatch>

deleting said .htaccess file in the root folder and trying again yields the same exact results FYI.

also using " as in: " OR "1"="1
yields a URL of https://www.domain.com/_j540/en/search?q=%22+OR+%221%22%3D%221 and a web browser tab of 403 Forbidden still.

(thanks for looking into this :) )

richard67 - comment - 24 Dec 2025

@exlemor Or possibly Apache mod_security in use?

exlemor - comment - 24 Dec 2025

> @exlemor Or possibly Apache mod_security in use?

I created a phpinfo.php file with the directive:
<?php phpinfo(); ?>

and checked that output and do not see mod_security anywhere, but confirmed I am running Apache 2

I created a mods.php file in the root of the /_j540/ and / with the content:
<?php print_r(function_exists('apache_get_modules') ? apache_get_modules() : 'no apache_get_modules'); ?>

and received:
no apache_get_modules

(I since then deleted both phpinfo.php and mods.php files) in conclusion, it doesn't 'appear' that I am running mod_security and if I am, unable to detect it.

muhme - test_item - 24 Dec 2025 - Tested successfully
muhme - comment - 24 Dec 2025

I have tested this item ✅ successfully on 904a566


Tested with JBT (5.4-dev clone; Defaults: Debug System: yes, Error Reporting: Maximum, without .htaccess, without Use URL Rewriting)

  • installed site module 'smart search', before PR searched for
    ' OR '1'='1
    
    • and seen the error Attempt to assign property "required" on null
  • Applied PR with gh pr checkout 46586
    • ✅ Correct: No search results could be found for query: ' OR '1'='1.
  • Enabled Use URL Rewriting and mv htaccess.txt .htaccess
    • Switched before PR git switch -,
      • seen the error Attempt to assign property "required" on null
    • Applied PR again git switch -
      • ✅ Correct: No search results could be found for query: ' OR '1'='1
  • Tried to reproduce @exlemor error
    • Installed Blog sample data, installed language fr-FR, installed Multilingual Sample Data
    • both search fields return correct: No search results in English (en-GB) could be found for query: ' OR '1'='1
    • Switched to French
      • ✅ Still both search fields return correct: La recherche suivante n'a donné aucun résultat en français (fr-FR) : ' OR '1'='1.

Regarding:

  • the system reapplied this .htaccess file with only 3 lines

    • My .htaccess has still the same content as htaccess.txt before
  • The only meaningful difference that I see, JBT is not using a subfolder
  • But the 403 error may be related to your installation and not to this PR?

exlemor - comment - 24 Dec 2025

> • Tried to reproduce @exlemor error
>   • Installed Blog sample data, installed language fr-FR, installed Multilingual Sample Data
>   • both search fields return correct: No search results in English (en-GB) could be found for query: ' OR '1'='1
>   • Switched to French
>     • ✅ Still both search fields return correct: La recherche suivante n'a donné aucun résultat en français (fr-FR) : ' OR '1'='1.
>
> Regarding:
>
> • the system reapplied this .htaccess file with only 3 lines
>   • My .htaccess has still the same content as htaccess.txt before
> • The only meaningful difference that I see, JBT is not using a subfolder
> • But the 403 error may be related to your installation and not to this PR?

Perhaps but as this server runs dozens of Joomla installation without any issues... (aside from this ' OR '1'='1 or " OR "1"="1) I'd still love to find the reason for this divergent behavior. And if I run into issues, there is a certain amount of possibility that this will/could affect others, no?

brianteeman - comment - 24 Dec 2025

@exlemor I can't replicate your problem in a subdirectory

richard67 - comment - 24 Dec 2025

@exlemor Simple Test: Append any useless URL parameter, e.g. ?bla or &bla, with or without a single or a double quote added, to a valid URL which is not related to smart search. Of course you have to encode the URL. There are online tools for that.

If on that one site you always get a 403 when the parameter contains a single or a double quote, regardless of which URL you append that parameter to, and without the single or double quote the same URL does not result in a 403, then there must be some kind of hardening in effect, and it is not related to smart search and so not to this PR, and that would not justify a negative test result for this PR.

exlemor - comment - 25 Dec 2025

> @exlemor Simple Test: Append any useless URL parameter, e.g. ?bla or &bla, with or without a single or a double quote added, to a valid URL which is not related to smart search. Of course you have to encode the URL. There are online tools for that.
>
> If on that one site you always get a 403 when the parameter contains a single or a double quote, regardless of which URL you append that parameter to, and without the single or double quote the same URL does not result in a 403, then there must be some kind of hardening in effect, and it is not related to smart search and so not to this PR, and that would not justify a negative test result for this PR.

Based on your information, I tried:

https://www.domain.com/_j540/en/typography?bla - yields the typography article and the URL rewrites to
https://www.domain.com/_j540/en/typography?bla

https://www.domain.com/_j540/en/typography&bla - yields 404 Page not found

Interestingly (and possibly related/unrelated to this PR/issue) if I set Debug mode to ON for the same
https://www.domain.com/_j540/en/typography&bla I get :

Call Stack

# | Function | Location
1 | () | JROOT/libraries/src/Router/Router.php:166
2 | Joomla\CMS\Router\Router->parse() | JROOT/libraries/src/Application/SiteApplication.php:767
3 | Joomla\CMS\Application\SiteApplication->route() | JROOT/libraries/src/Application/SiteApplication.php:243
4 | Joomla\CMS\Application\SiteApplication->doExecute() | JROOT/libraries/src/Application/CMSApplication.php:304
5 | Joomla\CMS\Application\CMSApplication->execute() | JROOT/includes/app.php:58
6 | require_once() | JROOT/index.php:51

The same thing occurs with
https://www.domain.com/_j540/en/typography%26dummy%27value
https://www.domain.com/_j540/en/typography&dummy%27value
https://www.domain.com/_j540/en/typography&dummy'value
https://www.domain.com/_j540/en/blog&dummy
https://www.domain.com/_j540/en/blog&dummy'
https://www.domain.com/_j540/en/blog%26dummy%27

I hope it helps.

richard67 - change - 8 Jan 2026
Labels Added: RTC
richard67 - change - 8 Jan 2026
Status: Ready to Commit → Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 → 2026-01-08 15:51:20
Closed_By: richard67
richard67 - close - 8 Jan 2026
richard67 - merge - 8 Jan 2026
richard67 - comment - 8 Jan 2026

Thanks @Denitz for this PR, and thanks @alikon , @brianteeman and @muhme for testing.

@exlemor As your unsuccessful test result was only related to not being able to reproduce the issue but not to the changes from this PR, and as 3 other testers were able to reproduce the issue and test the fix, @muhme and I have decided to merge. Nevertheless, thanks for testing (or trying).

exlemor - comment - 8 Jan 2026

Thank you @richard67 for the explanation - greatly appreciated! - I am just surprised that if someone gets those results, there would not be the potential for others to also have them and therefore that it would not warrant some further investigation/wider testing... (I was thorough by checking 4-5 times including multiple re-installations) but all good, you guys have to make the decisions :). Thanks again for the clarity.
