Add JLog::add("This shouldn't be here", JLog::INFO) to your template's index.php file and refresh the page. The log entry is added to the message queue and displayed on the front end.
This issue replaces the PR and conversation on PR #8087 as a better summary and description of the problem.
According to the docs (https://docs.joomla.org/Using_JLog), calling JLog::add WITHOUT a category should just log to file and NOT be displayed to the user.
Adding the category of jerror means that this message will also be displayed to users. To only write to file you can easily drop that parameter and simply use
JLog::add(JText::_('JTEXT_ERROR_MESSAGE'), JLog::WARNING);
The expected result would be to see the page refresh as normal with no message displayed and just silently written to file.
The actual result is that the entry is added to the message queue and displayed to the user.
This could result in logging information (including potentially sensitive information) being made available to a visitor when not intended for them.
This is a replacement issue summarising the conversation on PR #8087.
JLog::add() uses a default empty category (which is how that condition I
pointed out gets reached). The message queue logger is only registered for
the jerror category and with that loophole that logs messages with no
category incorrectly closed then all the issues go away.
On Sunday, October 18, 2015, Eric notifications@github.com wrote:
@mbabker ... hey mate, I know my previous fix on this was a bandaid solution ... ( I agree BTW)...
I think a better solution would be to set a default category on the JLog::add other than jerror -- say "jlog" for example.
I know this is still less than ideal but the only other approach I could think of would be to change the exclude in addLoggerInternal from a bool to an array with a list of categories that each logger should ignore.
While option 2 would be better (with each logger defining an include and exclude list) it would potentially break existing loggers.
Any thoughts?
Eric.
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-10-19 06:36:05 |
Closed_By | ⇒ | zero-24 |
@mbabker ... hey mate, I know my previous fix on this was a bandaid solution ... ( I agree BTW)...
I think a better solution would be to set a default category on the JLog::add other than jerror -- say "jlog" for example.
I know this is still less than ideal but the only other approach I could think of would be to change the exclude in addLoggerInternal from a bool to an array with a list of categories that each logger should ignore.
While option 2 would be better (with each logger defining an include and exclude list) it would potentially break existing loggers.
Any thoughts?
Eric.
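
The routing problem discussed in this thread, as an added example that is not Joomla's code and not part of the original comments: a simplified model of category-based logger selection, with a matcher that treats an empty category as a wildcard beside one that does not. The rule layout, the logger names and the functions matchLoose/matchStrict are hypothetical, and the wildcard condition is an assumed shape of the loophole described above.

```php
<?php
// Simplified model of category-based log routing; NOT Joomla's JLog source.
// Each (hypothetical) logger rule lists the categories it subscribes to.
$rules = [
    'messagequeue' => ['categories' => ['jerror']], // rendered to the visitor
    'file'         => ['categories' => []],         // empty list = every category
];

// Loose matcher (assumed shape of the loophole): an entry with an empty
// category is treated as a wildcard and reaches every registered logger.
function matchLoose(array $rules, string $category): array
{
    $hit = [];
    foreach ($rules as $name => $rule) {
        if ($category === ''
            || $rule['categories'] === []
            || in_array($category, $rule['categories'], true)) {
            $hit[] = $name;
        }
    }
    return $hit;
}

// Strict matcher: a logger that declares categories only receives entries
// whose category is explicitly in its list; uncategorised entries go only
// to loggers that accept everything.
function matchStrict(array $rules, string $category): array
{
    $hit = [];
    foreach ($rules as $name => $rule) {
        if ($rule['categories'] === []
            || in_array($category, $rule['categories'], true)) {
            $hit[] = $name;
        }
    }
    return $hit;
}

// Compare routing for an uncategorised entry and an explicit jerror entry.
foreach (['', 'jerror'] as $category) {
    printf(
        "category=%-8s loose=[%s] strict=[%s]\n",
        var_export($category, true),
        implode(',', matchLoose($rules, $category)),
        implode(',', matchStrict($rules, $category))
    );
}
```

Under the loose matcher the uncategorised entry is routed to the visitor-facing queue as well as the file logger; under the strict matcher only entries explicitly tagged jerror reach the queue.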