[3] Ensure that url alias segments correspond to real aliases of articles/categories - with redirect option. #32887
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
March 26, 2021 17:26
…/categories Signed-off-by: Phil E. Taylor <phil@phil-taylor.com>
…rk out the real url Signed-off-by: Phil E. Taylor <phil@phil-taylor.com>
Signed-off-by: Phil E. Taylor <phil@phil-taylor.com>
|
What happens with exiting redirects? This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32887. |
This comment was marked as abuse.
This comment was marked as abuse.
|
I actually love this approach. Especially the redirect option - thanks! One thing to think about: It may be worth using a variable for the result of |
Signed-off-by: Phil E. Taylor <phil@phil-taylor.com>
This comment was marked as abuse.
This comment was marked as abuse.
|
I have tested this item ✅ successfully on d040981 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32887. |
This comment was marked as abuse.
This comment was marked as abuse.
|
Thanks @PhilETaylor but I don't see this in j3 and as alreadys said no new features for j3 |
This comment was marked as abuse.
This comment was marked as abuse.
|
Is it relevant for J4? |
This comment was marked as abuse.
This comment was marked as abuse.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue #32490 and many others
Replacement for #32879 as people wanted it implemented in a b/c way
Implements a redirect or 404 option (and Off by default) to satisfy #32880 (comment)
Take it or leave it. This is the third attempt to fix this perceived security issue.
Summary of Changes
This PR attempts to close a long standing issue where you can manipulate Joomla's urls and the router will still work.
This can be easily seen on the official Joomla.org site at:
https://www.joomla.org/announcements/BLAHBLAHBLAHBLAHBLAHBLAH/5834-LALALALALALALLALALALALALA
https://www.joomla.org/announcements/i/HACK/HACKED/YOUR/SITE/YOU/SUCK/5834-LALALALALALALLALALALALALA
Where BLAHBLAHBLAHBLAHBLAHBLAH is a made up category name and
LALALALALALALLALALALALALAis a made up article alias.That fake url still loads the "Joomla 3.9.25 Release" article which has id 5834. It should, IMHO, and in the opinion of others, be a 404, as
LALALALALALALLALALALALALAcould beJoomla-Sucksor anything else SEO that a hacker wants to use.Testing Instructions
Enabled SEF and rewrite. (Legacy, not modern)
Create yourself a category tree of lets say three categories (as a real test, you choose how many you want, it should still work), each a child of the last, and then an article (with alias my-article) in the bottom most category
Top Most -> Middle Most -> Bottom Most -> my-article
Visit the home page and you should see the link to My Article in the Latest Articles Module, click it and get a SEF url of
https://example.com/9-top-most/middle-most/bottom-most/3-my-article
Where 9 is the id of my category "Bottom Most" and 3 is the id of My Article (Yours might be different ids)
Actual result BEFORE applying this Pull Request
Before this PR you can manipulate the url and replace one or more of aliases with HHHH like below, these urls STILL WORK:
https://example.com/9-top-most/middle-most/bottom-most/3-HAHA
https://example.com/9-top-most/middle-most/HAHA/3-HAHA
https://example.com/9-top-most/HAHA/HAHA/3-HAHA
https://example.com/9-HAHA/HAHA/HAHA/3-HAHA
Expected result AFTER applying this Pull Request
After this P, when you manipulate the url and replace one or more of aliases with HHHH like below, these urls DONT WORK: and now lead correctly to a 404 page OR THEY REDIRECT depending on your choice in Articles Config
https://example.com/9-top-most/middle-most/bottom-most/3-HAHA
https://example.com/9-top-most/middle-most/HAHA/3-HAHA
https://example.com/9-top-most/HAHA/HAHA/3-HAHA
https://example.com/9-HAHA/HAHA/HAHA/3-HAHA
But accessing the full generated url with aliases correct STILL WORKS
https://example.com/9-top-most/middle-most/bottom-most/3-my-article
Documentation Changes Required
This is backward compatible - its off by default.
All the new code is doing is running 2n more queries to validate the aliases provided against either the alias of a category or article with a known id, or in the case of nested categories, that ANY category in the db has the provided alias (nor perfect, I know, but much better than it currently is, and this is only for the Middle Most and Top Most category if there are 3 or more nested categories).
// cc @brianteeman @Ruud68 @Bakual @Hackwar