zjw
15 Nov 2015

This was tested on a CentOS 7 server (apache 2.4.6, php 5.4.16) using a recent (post 3.5.0-beta) Joomla version from the master branch (specifically 11a1462). Really, though, the version shouldn't matter much.

To test:

With the web server's document root being '/var/www/html', create the necessary directories and install Joomla at '/var/www/html/foo/b a%20 \r2'. In other words:

  # mkdir -p '/var/www/html/foo/b a%20 \r2'
  # cd '/var/www/html/foo/b a%20 \r2'
  # wget https://github.com/joomla/joomla-cms/archive/11a14629fce671670399ec7775caed4e7b5b92c1.zip
  # unzip *.zip && rm *.zip -f

Now attempt to access Joomla at http://example.com/foo/b%20a%2520%20%5Cr2/installation/index.php.

The page loads, but none of the related page resources are found or loaded.

Here's a look at some of the links to those resources in the HTML source for the page:

  <link href="/foo/b a%20 /r2/installation/favicon.ico" rel="shortcut icon" type="image/vnd.microsoft.icon" />
  <link rel="stylesheet" href="/foo/b a%20 \r2/media/jui/css/bootstrap.min.css" type="text/css" />
  <link rel="stylesheet" href="/foo/b a%20 \r2/media/jui/css/bootstrap-responsive.min.css" type="text/css" />
  <link rel="stylesheet" href="/foo/b a%20 \r2/media/jui/css/bootstrap-extended.css" type="text/css" />
  <link rel="stylesheet" href="/foo/b a%20 \r2/installation/template/css/template.css" type="text/css" />
  <link rel="stylesheet" href="/foo/b a%20 \r2/media/jui/css/chosen.css" type="text/css" />
  <script src="/foo/b a%20 \r2/media/jui/js/jquery.min.js" type="text/javascript"></script>
  <script src="/foo/b a%20 \r2/media/jui/js/jquery-noconflict.js" type="text/javascript"></script>
  <script src="/foo/b a%20 \r2/media/jui/js/jquery-migrate.min.js" type="text/javascript"></script>
  <script src="/foo/b a%20 \r2/media/system/js/html5fallback.js" type="text/javascript"></script>
  <script src="/foo/b a%20 \r2/media/jui/js/bootstrap.min.js" type="text/javascript"></script>
  <script src="/foo/b a%20 \r2/media/jui/js/chosen.jquery.min.js" type="text/javascript"></script>
  <script src="/foo/b a%20 \r2/media/system/js/mootools-core.js" type="text/javascript"></script>
  <script src="/foo/b a%20 \r2/media/system/js/core.js" type="text/javascript"></script>
  <script src="/foo/b a%20 \r2/media/system/js/mootools-more.js" type="text/javascript"></script>
  <script src="/foo/b a%20 \r2/media/system/js/punycode.js" type="text/javascript"></script>
  <script src="/foo/b a%20 \r2/media/system/js/validate.js" type="text/javascript"></script>
  <script src="/foo/b a%20 \r2/installation/template/js/installation.js" type="text/javascript"></script>

The problem is that Joomla's base path in those links has not been URL % encoded. They contain /foo/b a%20 \r2, whereas they should contain /foo/b%20a%2520%20%5Cr2.

zjw - open - 15 Nov 2015
zero-24 - change - 17 Nov 2015
Labels Added: ?
zero-24 - change - 25 Nov 2015
Category: Libraries
brianteeman - comment - 10 Mar 2016

Is this ever going to be a realistic situation that needs fixing?

brianteeman - change - 12 Mar 2016
Status: New ⇒ Needs Review
wilsonge - comment - 7 May 2016

I don't think so. I mean we can't do a full URL encode because you encode the slashes. Sure you can write a custom encoder function that encodes everything except the forward slashes. But I think there has to be an element of common sense by users here. And this falls inside that. Closing
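
An added example, not part of the original thread and not Joomla code: one way to write the kind of encoder mentioned above, which percent-encodes every path segment while leaving the forward slashes alone. The helper names `encodeBasePath` and `resourceUrl` are hypothetical, and the input is assumed to be a raw filesystem-derived path that has not been encoded yet.

```php
<?php
/**
 * Percent-encode a raw base path for use in a URL, keeping "/" as the
 * segment separator. Hypothetical helper, not part of the Joomla API.
 * Only pass paths that are not already encoded, or "%" is encoded twice.
 */
function encodeBasePath($path)
{
    // Encode each segment on its own so the separators survive.
    // rawurlencode() follows RFC 3986: space -> %20, "%" -> %25, "\" -> %5C.
    $segments = array_map('rawurlencode', explode('/', $path));

    return implode('/', $segments);
}

/**
 * Build an attribute-safe href/src value from the raw base path and a
 * relative resource path. Hypothetical helper.
 */
function resourceUrl($basePath, $relative)
{
    $url = encodeBasePath(rtrim($basePath, '/'))
        . '/' . encodeBasePath(ltrim($relative, '/'));

    // Percent-encoding and HTML escaping are separate steps: the URL is
    // still escaped for the attribute it is written into.
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed input: the directory name used in the report above.
$base = '/foo/b a%20 \r2';

echo encodeBasePath($base), "\n";
echo resourceUrl($base, 'media/jui/css/bootstrap.min.css'), "\n";
```

The first line printed is the base path in the form the report says the links should contain, /foo/b%20a%2520%20%5Cr2.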

wilsonge - change - 7 May 2016
Status: Needs Review ⇒ Closed
Closed_Date: 0000-00-00 00:00:00 ⇒ 2016-05-07 10:56:48
Closed_By: wilsonge
wilsonge - close - 7 May 2016
Kubik-Rubik - comment - 7 May 2016

Hi @zjw! You created this issue some time ago but have not provided any code for people to evaluate. As no one else has shown any interest in providing the code and you have not, I am closing this issue at this time. If code is provided (a pull request) it can always be re-examined.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8439.
