Referenced as Pull Request for: #8112
digitalgarage
14 Oct 2015

Steps to reproduce the issue

Add JLog::add("This shouldn't be here", JLog::INFO) to your template's index.php file and refresh the page. The log entry is added to the message queue and displayed on the front end.

This issue replaces the PR and conversation on PR #8087 as a better summary and description of the problem.

Expected result

According to the docs (https://docs.joomla.org/Using_JLog), calling JLog::add WITHOUT a category should just log to file and NOT be displayed to the user.

Adding the category of jerror means that this message will also be displayed to users. To only write to file you can easily drop that parameter and simply use

   JLog::add(JText::_('JTEXT_ERROR_MESSAGE'), JLog::WARNING);

The expected result would be to see the page refresh as normal with no message displayed and just silently written to file.

Actual result

The actual result is that the entry is added to the message queue and displayed to the user.

This could result in logging information (including potentially sensitive information) being made available to a visitor when not intended for them.

Additional comments

This is a replacement issue summarising the conversation on PR #8087.

digitalgarage - open - 14 Oct 2015
digitalgarage - comment - 19 Oct 2015

@mbabker ... hey mate, I know my previous fix on this was a bandaid solution ... ( I agree BTW)...

I think a better solution would be to set a default category on the JLog::add other than jerror -- say "jlog" for example.

I know this is still less than ideal but the only other approach I could think of would be to change the exclude in addLoggerInternal from a bool to an array with a list of categories that each logger should ignore.

While option 2 would be better (with each logger defining an include and exclude list) it would potentially break existing loggers.

Any thoughts?

Eric.

mbabker - comment - 19 Oct 2015

JLog::add() uses a default empty category (which is how that condition I
pointed out gets reached). The message queue logger is only registered for
the jerror category and with that loophole that logs messages with no
category incorrectly closed then all the issues go away.

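A simplified model of the category matching described in this thread, added here as an illustration (not Joomla's own code, and not posted by any participant): `$loggers`, `matchesLoose`, `matchesStrict` and `route` are hypothetical names, and the catch-all file logger is an assumption. It shows how an uncategorised entry reaches a logger registered only for `jerror` when an empty category is treated as a match, and how a strict check keeps it out of the visitor-facing queue.

```php
<?php
// Added illustration; names are hypothetical, not Joomla's JLog internals.

// Logger name => categories it is registered for (empty list = all categories).
$loggers = [
    'logfile'      => [],          // assumed catch-all file logger
    'messagequeue' => ['jerror'],  // output is rendered to the site visitor
];

// Loophole: an entry with no category is accepted by every logger.
function matchesLoose(array $registered, string $category): bool
{
    return $category === '' || $registered === [] || in_array($category, $registered, true);
}

// Strict: a logger with a category list only receives entries in that list.
function matchesStrict(array $registered, string $category): bool
{
    return $registered === [] || in_array($category, $registered, true);
}

// Return the names of the loggers that would receive an entry.
function route(array $loggers, string $category, callable $matches): array
{
    return array_keys(array_filter(
        $loggers,
        fn (array $registered): bool => $matches($registered, $category)
    ));
}

// Constructed cases: '' stands for a call that omits the category argument.
foreach (['', 'jerror', 'myextension'] as $category) {
    printf(
        "%-12s loose=[%s] strict=[%s]\n",
        $category === '' ? '(none)' : $category,
        implode(',', route($loggers, $category, 'matchesLoose')),
        implode(',', route($loggers, $category, 'matchesStrict'))
    );
}

// Regression guard: an uncategorised entry must never reach the visitor-facing queue.
$leak = in_array('messagequeue', route($loggers, '', 'matchesStrict'), true);
exit($leak ? 1 : 0);
```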

zero-24 - comment - 19 Oct 2015

Closing as we have a pull here: #8112

zero-24 - change - 19 Oct 2015
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2015-10-19 06:36:05
Closed_By: zero-24
zero-24 - close - 19 Oct 2015
