[#47852] - [5.4] Regression fix for security fix in 5.4.6 and 6.1.1
- Ready to Commit
- Medium
- Build: 5.4-dev
- # 47852
- Diff
- HLeithner:5.4/regression/user-reset-remind
User tests: Successful: Unsuccessful:
- I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.
Summary of Changes
In the last release the link generation for password reset and username reminder has been hardened to not downgrade https to http links with not explicit set "always https" setting.
This might lead to a regression, at least for my setup this generate broken links without https://domain part only providing the path of the url.
Testing Instructions
- Add a password reset form to the menu
- have different server configurations
- with https force
- with https admin
- with https ignore
- with reverse proxy with https information provided in the header (HTTPS=On and HTTP_X_FORWARDED_PROTO=https should work)
- with reverse proxy without https information provided in the header
Actual result BEFORE applying this Pull Request
- The generated email has no host part
Expected result AFTER applying this Pull Request
- The generated email has the full url.
Link to documentations
Please select:
-
Documentation link for guide.joomla.org:
-
No documentation changes for guide.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Front End com_users |
| Labels |
Added:
PR-5.4-dev
|
||
Forget my remark. PR is ok and does what it claims to do.
I have tested this item ✅ successfully on c5f0c75
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47852.
I have tested this item ✅ successfully on c5f0c75
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47852.
The testing instructions could be simpler to make it easier for testers:
- Go to System -> Global Configuration, look at Server tab, set Force HTTPS config option to None
Test Forgot password email
- From bottom of Login module, click on Forgot your password? link.
- Enter the email of the account and press Submit
- Before patch: You will receive email like below (note that the URL is not a full URL)
Hello,
A request has been made to reset your Joomla 5.4 account password. To reset your password, you will need to submit this verification code to verify that the request was legitimate.
The verification code is 612268462a7a4b89cc2281432701e33d
Select the URL below and proceed with resetting your password.
/joomla54/index.php/password-reset?layout=confirm&token=c5e7cc3a733e0e65fdd735629437218e
Thank you.
- Apply patch and repeat the step above, you will receive an email contains full URL like http://localhost/joomla54/index.php/password-reset?layout=confirm&token=612268462a7a4b89cc2281432701e33d
Test Forgot Username email
- From bottom of Login module, click on Forgot your username? link.
- Enter the email of the account and press Submit
- Before patch: You will receive email which does not contains full URL. After patch, the email will contains full URL.
I have tested this item ✅ successfully on c5f0c75
Tested successfully on a local Laragon environment following the provided instructions #47852 (comment)
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47852.
I have tested this item ✅ successfully on c5f0c75
Tested successfully on a local Laragon environment following the provided instructions #47852 (comment)
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47852.
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47852.
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47852.
As far as I can see, links in mailtemplates are relative - they are converted in the MailHelper::convertRelativeToAbsoluteUrls method, and if that does not work I assume the issue is located there and independent from the TLS mode fix.