Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#47319] - [5.4] Fix error 500 when array is passed via URL to Route::_() (#47318 )

PR-5.4-dev Pending

User tests: Successful: Unsuccessful:

avatar narang24
narang24
7 Mar 2026

Pull Request resolves #47318

  • I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

This PR fixes an issue where passing an array via query parameters (e.g. ?id[]=1) causes a 500 error due to strict type checking in PHP 8.x.

The error occurs in PreprocessRules::preprocess() where strpos() expects a string but receives an array when query parameters are sent in array form.

The fix adds defensive validation in the router:

  • PreprocessRules now verifies that the processed parameter is a scalar before performing string operations.
  • If the parameter is not scalar (e.g. an array), preprocessing is skipped to prevent strpos() from receiving an invalid type.

This ensures the router safely handles malformed or manually crafted query parameters and prevents the TypeError from occurring.

Testing Instructions

  1. Open an article, category, tag, or contact page.
  2. Append an array parameter to the URL:
    ?id[]=1
    Example:
    index.php?option=com_content&view=article&id[]=1
  3. Reload the page.

Actual result BEFORE applying this Pull Request

Joomla throws a 500 error:
TypeError:
strpos(): Argument #1 ($haystack) must be of type string, array given

Expected result AFTER applying this Pull Request

Joomla safely handles the request without throwing an exception, and the page loads normally.

Link to documentations

Please select:

  • Documentation link for guide.joomla.org:

  • No documentation changes for guide.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

avatar narang24 narang24 - open - 7 Mar 2026
avatar narang24 narang24 - change - 7 Mar 2026
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 7 Mar 2026
Category Libraries
avatar narang24 narang24 - change - 7 Mar 2026
Labels Added: PR-5.4-dev
avatar richard67
richard67 - comment - 7 Mar 2026 
2. **Input normalization**
   In `Joomla\CMS\Input\Input::get()`, commonly used scalar parameters (`id`, `catid`, `Itemid`) passed as single-element arrays are normalized to scalar values.

@narang24 I can't see that change here: https://github.com/joomla/joomla-cms/pull/47319/changes

avatar brianteeman
brianteeman - comment - 7 Mar 2026

ai:dr

avatar narang24
narang24 - comment - 7 Mar 2026

Thanks for observation @richard67

An earlier version of this PR included input normalization in Joomla\CMS\Input\Input::get(). However, that change was removed because Joomla\CMS\Input\Input is deprecated and the PHPStan check failed.

The current fix only adds defensive handling in PreprocessRules::preprocess() to ensure strpos() does not receive an array when malformed parameters like ?id[]=1 are passed. I will update the PR description accordingly.

avatar narang24 narang24 - change - 7 Mar 2026
The description was changed
avatar narang24 narang24 - edited - 7 Mar 2026

Add a Comment

Login with GitHub to post a comment