[3] Ensure that url alias segments correspond to real aliases of articles/categories - with redirect option. #32887
Issue #32490 and many others
Replacement for #32879 as people wanted it implemented in a b/c way
Implements a redirect or 404 option (and Off by default) to satisfy #32880 (comment)
Take it or leave it. This is the third attempt to fix this perceived security issue.
Summary of Changes
This PR attempts to close a long standing issue where you can manipulate Joomla's urls and the router will still work.
This can be easily seen on the official Joomla.org site at:
https://www.joomla.org/announcements/BLAHBLAHBLAHBLAHBLAHBLAH/5834-LALALALALALALLALALALALALA
https://www.joomla.org/announcements/i/HACK/HACKED/YOUR/SITE/YOU/SUCK/5834-LALALALALALALLALALALALALA
Where BLAHBLAHBLAHBLAHBLAHBLAH is a made-up category name and LALALALALALALLALALALALALA is a made-up article alias. That fake URL still loads the "Joomla 3.9.25 Release" article, which has id 5834. It should, IMHO, and in the opinion of others, be a 404, as LALALALALALALLALALALALALA could be Joomla-Sucks or anything else SEO-related that a hacker wants to use.
Testing Instructions
Enable SEF and URL rewriting (legacy router, not modern).
Create yourself a category tree of, let's say, three categories (as a real test you choose how many you want; it should still work), each a child of the last, and then an article (with alias my-article) in the bottom-most category:
Top Most -> Middle Most -> Bottom Most -> my-article
Visit the home page and you should see the link to My Article in the Latest Articles Module, click it and get a SEF url of
https://example.com/9-top-most/middle-most/bottom-most/3-my-article
Where 9 is the id of my category "Bottom Most" and 3 is the id of My Article (Yours might be different ids)
Actual result BEFORE applying this Pull Request
Before this PR you can manipulate the URL and replace one or more of the aliases with HAHA as below; these URLs STILL WORK:
https://example.com/9-top-most/middle-most/bottom-most/3-HAHA
https://example.com/9-top-most/middle-most/HAHA/3-HAHA
https://example.com/9-top-most/HAHA/HAHA/3-HAHA
https://example.com/9-HAHA/HAHA/HAHA/3-HAHA
Expected result AFTER applying this Pull Request
After this PR, when you manipulate the URL and replace one or more of the aliases with HAHA as below, these URLs DON'T WORK: they now lead correctly to a 404 page OR THEY REDIRECT, depending on your choice in Articles Config.
https://example.com/9-top-most/middle-most/bottom-most/3-HAHA
https://example.com/9-top-most/middle-most/HAHA/3-HAHA
https://example.com/9-top-most/HAHA/HAHA/3-HAHA
https://example.com/9-HAHA/HAHA/HAHA/3-HAHA
But accessing the full generated url with aliases correct STILL WORKS
https://example.com/9-top-most/middle-most/bottom-most/3-my-article
Documentation Changes Required
This is backward compatible - it's off by default.
All the new code is doing is running 2n more queries to validate the aliases provided against either the alias of a category or article with a known id, or, in the case of nested categories, that ANY category in the db has the provided alias (not perfect, I know, but much better than it currently is, and this is only for the Middle Most and Top Most categories if there are 3 or more nested categories).
// cc @brianteeman @Ruud68 @Bakual @Hackwar
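The check described above, as an added example that is not Joomla's router code. It models the legacy SEF route shape from the testing instructions (`{leaf category id}-{top alias}/{intermediate aliases}/{article id}-{article alias}`) with constructed in-memory stand-ins for the `#__categories` and `#__content` tables, and exposes the three behaviours the PR describes: `off` (ids alone decide, aliases ignored), `404`, and `redirect` to the canonical URL. It goes one step beyond the PR's "any category has this alias" test for intermediate segments by comparing the whole category path against the article's real ancestor chain; the `CATEGORIES`/`ARTICLES` tables, ids and function names are all assumptions for illustration.

```python
"""Alias validation for Joomla-style SEF routes with an Off / 404 / redirect option.

Added example, not Joomla's router code. CATEGORIES and ARTICLES are constructed
stand-ins for the #__categories and #__content tables; ids follow the PR's test case.
"""

CATEGORIES = {  # id -> (alias, parent_id); 1 is Joomla's ROOT category (assumed)
    7: ("top-most", 1),
    8: ("middle-most", 7),
    9: ("bottom-most", 8),
}
ARTICLES = {  # id -> (alias, catid)
    3: ("my-article", 9),
}


def split_segment(segment):
    """'9-top-most' -> (9, 'top-most'); 'middle-most' -> (None, 'middle-most')."""
    head, sep, rest = segment.partition("-")
    if sep and head.isdigit():
        return int(head), rest
    return None, segment


def category_chain(catid):
    """Aliases of catid and its ancestors, root first, i.e. what the router builds."""
    chain = []
    while catid in CATEGORIES:
        alias, parent = CATEGORIES[catid]
        chain.append(alias)
        catid = parent
    return list(reversed(chain))


def build_route(article_id):
    """Canonical SEF path for an article; the legacy router prefixes the leaf
    category id to the first segment and the article id to the last one."""
    alias, catid = ARTICLES[article_id]
    chain = category_chain(catid)
    chain[0] = f"{catid}-{chain[0]}"
    return "/".join(chain + [f"{article_id}-{alias}"])


def alias_errors(path):
    """List every way the supplied aliases disagree with the records the ids point at.
    An empty list means the URL is exactly the one the router would have generated."""
    segments = path.strip("/").split("/")
    article_id, article_alias = split_segment(segments[-1])
    if article_id not in ARTICLES:
        return [f"no known article id in '{segments[-1]}'"]
    expected_alias, catid = ARTICLES[article_id]
    errors = []
    if article_alias != expected_alias:
        errors.append(f"article {article_id} alias is '{expected_alias}', got '{article_alias}'")
    leaf_id, first_alias = split_segment(segments[0])
    if leaf_id != catid:
        errors.append(f"article {article_id} is in category {catid}, got {leaf_id}")
    given = [first_alias] + segments[1:-1]
    expected = category_chain(catid)
    if given != expected:
        errors.append(f"category path is {'/'.join(expected)}, got {'/'.join(given)}")
    return errors


def resolve(path, mode="off"):
    """Route a SEF path under the chosen option.

    mode: 'off' (pre-PR behaviour: only the ids matter), '404', or 'redirect'.
    Returns ('ok', article_id), ('404', reasons) or ('redirect', canonical_path).
    """
    segments = path.strip("/").split("/")
    article_id, _ = split_segment(segments[-1])
    if article_id not in ARTICLES:
        return ("404", ["unknown article"])
    if mode == "off":
        return ("ok", article_id)  # aliases are never looked at, so 9-HAHA/HAHA/HAHA/3-HAHA works
    errors = alias_errors(path)
    if not errors:
        return ("ok", article_id)
    if mode == "redirect":
        return ("redirect", build_route(article_id))  # serve as a 301 in a real router
    return ("404", errors)


if __name__ == "__main__":
    for url in ("9-top-most/middle-most/bottom-most/3-my-article",
                "9-top-most/middle-most/bottom-most/3-HAHA",
                "9-HAHA/HAHA/HAHA/3-HAHA"):
        for mode in ("off", "404", "redirect"):
            print(f"{mode:8} {url:48} -> {resolve(url, mode)}")
```

Each extra lookup in `alias_errors` corresponds to one of the "2n more queries" the PR mentions; in the redirect mode the canonical path is rebuilt from the ids, so a visitor who followed a tampered link still lands on the real article without the fake aliases surviving in the address bar or in search-engine indexes.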