[4.0] Provide us an easy way to use PHP code in modules or articles? #25783

Closed
vintzl opened this issue Aug 5, 2019 · 11 comments
Comments

@vintzl

vintzl commented Aug 5, 2019

Why can we not use PHP code in modules or articles?

Why not simply allow PHP code in articles/modules, by providing an option in Joomla?

Or provide us the way to do this without using extensions, by means of documentation, because I can find nowhere to start…

@ghost ghost changed the title Provide us an easy way to use PHP code in modules or articles? [4.0] Provide us an easy way to use PHP code in modules or articles? Aug 5, 2019
@ghost ghost added the J4 Issue label Aug 5, 2019
@brianteeman
Contributor

> Why can we not use PHP code in modules or articles?

Because it opens your web site to any number of security vulnerabilities

> Or provide us the way to do this without using extensions, by means of documentation, because I can find nowhere to start…

There are several extensions available at https://extensions.joomla.org that will let you do this

@joomla-cms-bot

Set to "closed" on behalf of @alikon by The JTracker Application at issues.joomla.org/joomla-cms/25783

@vintzl
Author

vintzl commented Aug 5, 2019

> Because it opens your web site to any number of security vulnerabilities

Sounds very stupid… as the same applies to

  1. Plugins/"highly customized" modules
  2. Templates, as we can put any php code in …

And guess what? We can embed php code in them… So these open our web sites to any number of security vulnerabilities…

> There are several extensions available at https://extensions.joomla.org that will let you do this

I did not ask for extensions, but at least for some documentation…

Seems I will waste my time to figure out how it works.

@Bakual
Contributor

Bakual commented Aug 5, 2019

> And guess what? We can embed php code in them… So these open our web sites to any number of security vulnerabilities…

Only Super-Administrators can install extensions or edit template files. If you can't trust those users, then all is lost anyway.

For all other users, there is no way to embed PHP code for security reasons. If you allow them to run PHP code, then you can as well give them full access to your server.

So if you really need that feature, you need to find some extension which allows that and you seriously need to make sure only users which you trust blindly are allowed to use it.
It certainly will never be part of core.

@vintzl
Author

vintzl commented Aug 5, 2019

Did you know that Joomla provides ACL? (sure you know…)

We could use ACL to enable selected users, ONLY, to embed PHP code… like by default Super-Administrators etc…

@Bakual
Contributor

Bakual commented Aug 5, 2019

You don't understand.
As soon as you allow a non-Super-Admin to add PHP code to e.g. an article, that user can elevate himself to Super-Admin. Or he can do even worse stuff.
ACL doesn't help you there at all. There is no safeguard left once you can run your own PHP code.

@vintzl
Author

vintzl commented Aug 6, 2019

You waste my time… Read again and again my posts, until you are able to understand what I mean.

Everything you wrote is stupid as:

  • Joomla allows creation of a simple user with Super User rights > again, what you argue is irrelevant. Because, if we follow your same logic, we MUST remove this feature as "it opens our web sites to any number of security vulnerabilities…"
  • ACL, as user creation/modification of users with assigned User Groups, leads to the same problems you fear, but you allow users that you "want to protect from themselves" to use these features, meaning grant users any Super User rights…
  • With ACL, you could grant to specific users the right to embed code, maybe the same users you grant Super User rights, and only for those users…
  • I wrote ACL Systems, and if done correctly, certainly with a lot of work, you could limit usage to some PHP function calls (whitelist like print, echo, etc.)…

Now as you are too much psychorigid for me, I will not waste my time anymore with you on this topic. I am done with it, and I am close to finding my solution.

@infograf768
Member

I am sure you will share such a solution by proposing a PR.
In the meanwhile, it would be much appreciated if you stopped using insults towards anyone in this repo. Thanks.

@HLeithner
Member

@vintzl could you please calm down and be a bit more friendly. Everyone here tries to make Joomla better. Adding the possibility to execute PHP code will lead to security problems for inexperienced users. As a power user you are able to simply install an extension that can do this. If you really want it simple you can even do this with a template override and set the filter to raw on mod_custom. Then you have done it with core.

But giving this to an end user would only lead to security problems. And no, filtering PHP code is not trivial.
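
The exchange above turns on whether a function whitelist ("print, echo, etc") can make user-supplied PHP safe. The following is an added example, not part of any comment in this thread and not Joomla code: a deny-by-default token audit showing that matching function names is not enough, because PHP can compute the callee at run time. `ALLOWED_CALLS`, `ALLOWED_TOKENS`, `ALLOWED_CHARS` and `audit_snippet()` are hypothetical names, and the inputs are constructed.

```php
<?php
// Added example, not Joomla code. ALLOWED_CALLS and audit_snippet() are
// hypothetical names; the allowlist deliberately holds no function that
// accepts a callable, a file path or code as an argument.
const ALLOWED_CALLS  = ['strtoupper', 'date', 'htmlspecialchars'];
const ALLOWED_TOKENS = [T_OPEN_TAG, T_ECHO, T_PRINT, T_STRING, T_VARIABLE,
                        T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER];
const ALLOWED_CHARS  = [';', '(', ')', ',', '.', '=', '+', '-', '*', '/'];

/** Returns the reasons to reject $code; an empty array means it passed. */
function audit_snippet(string $code): array
{
    $skip   = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = array_values(array_filter(
        token_get_all('<?php ' . $code),
        fn($t) => !is_array($t) || !in_array($t[0], $skip, true)
    ));
    $reasons = [];
    foreach ($tokens as $i => $t) {
        $prev = $tokens[$i - 1] ?? null;
        $next = $tokens[$i + 1] ?? null;
        if (!is_array($t)) {
            if (!in_array($t, ALLOWED_CHARS, true)) {
                $reasons[] = "character token not allowed: $t";
            } elseif ($t === '(' && ($prev === ')' || (is_array($prev)
                && in_array($prev[0], [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING], true)))) {
                // $f(...), 'name'(...), (expr)(...): the callee is computed at run time.
                $reasons[] = 'dynamic call: callee is not a literal name';
            }
            continue;
        }
        [$id, $text] = $t;
        $name = strtolower($text);
        if (!in_array($id, ALLOWED_TOKENS, true)) {
            $reasons[] = 'token not allowed: ' . token_name($id);
        } elseif ($id === T_STRING && !in_array($name, ['true', 'false', 'null'], true)
            && ($next !== '(' || !in_array($name, ALLOWED_CALLS, true))) {
            $reasons[] = "identifier not allowlisted: $text";
        }
    }
    return array_values(array_unique($reasons));
}

// Constructed inputs. The second never names the function it calls in its source text.
var_dump(audit_snippet("echo strtoupper('hello') . date('Y');"));
var_dump(audit_snippet("\$f = 'str' . 'toupper'; echo \$f('x');"));
var_dump(audit_snippet("eval('echo 1;');"));
```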

@ghost

ghost commented Aug 7, 2019

@vintzl
Author

vintzl commented Aug 9, 2019

OK, I am sorry if anyone was offended.
