[3.x] Allow optional port numbers in remote database security check of installation #29567
I have tested this item ✅ successfully on 03676bd This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29567. |
I have tested this item ✅ successfully on 03676bd This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29567. |
RTC This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29567. |
Thanks guys for testing. |
This comment was marked as abuse.
Wrong. It is "[1-9]{1}[0-9]{0,4}", which means at least one digit between 1 and 9 followed by zero to four digits from zero to nine, i.e. it can have 1 to 5 digits without leading zero. I did not limit it to high ports only, that's why I allow also less than 4 digits.
This comment was marked as abuse.
Merged thanks |
…f installation (joomla#29567) * Allow ports for the remote database security check * Fix my silly typo from the previous commit
… check of installation (joomla#29567)" This reverts commit db6d702.
… check of installation (joomla#29567)" This reverts commit db6d702.
…security check of installation (joomla#29567)"" This reverts commit 4816d9a.
Pull Request for Issue #29519.
Summary of Changes
This Pull Request (PR) changes the special security check when using a remote database server to allow port numbers to be used in the host name.
The database drivers already seem to support that at least for hostnames and IPv4 addresses.
With IPv6 I'm not sure yet (the address should be enclosed in square brackets to distinguish the colon to separate the port from the colons in the IPv6 address).
Testing Instructions
Requirements
If you have MySQL or MariaDB, please test both the "MySQLi" and the "MySQL (PDO)" type.
Test Execution
1. On a clean, current staging or 3.9.19 or latest 3.9 nightly build, apply the patch for this PR.
2. Make a new installation.
3. When coming to the database part, fill in correct data and use either "localhost", "127.0.0.1" or "::1" (the latter only if IPv6 works) as database host, together with the port number on which the database server works, which normally is 3306 for MySQL or MariaDB and 5432 for PostgreSQL, i.e. use as database host
   or different ports if your servers are set up not to use the standard ports.
4. Start the installation.
   Result: There is no extra security check using a temporary file, the installation works as usual when using a local database host.
5. Clear the session cookie or close the browser window so the next test starts with a new session.
6. Repeat the previous steps 1 to 4, i.e. make again a new installation using another empty database or creating another new one, but this time don't use a port number, and in case of IPv6 leave away the square brackets.
   Result: There is again no extra security check using a temporary file, the installation works.
7. Clear the session cookie or close the browser window so the next test starts with a new session.
8. Repeat step 6, i.e. make again a new installation using another empty database or creating another new one, but this time use something else than "localhost" or "127.0.0.1" or "::1", e.g. use the real computer name of that server and make sure it can be resolved to an IP address e.g. by adding it to the local hosts file ("c:\windows\system32\drivers\etc\hosts" on Windows or "/etc/hosts" on Linux). It's ok if this resolves to 127.0.0.1, too, it just needs a different name than the ones listed before. Use a port number like in the first installation.
   Result: This time there is an extra security check using a temporary file, the installation works.
9. Clear the session cookie or close the browser window so the next test starts with a new session.
10. Repeat step 8, but this time don't use a port number.
    Result: Again there is an extra security check using a temporary file, the installation works.
Expected result
No security check when using "localhost:1234", "127.0.0.1:1234" or "[::1]:1234" as database host, with "1234" being the port number on which that server works.
No security check when using "localhost", "127.0.0.1" or "::1" as database host.
Security check when using something else than "localhost", "127.0.0.1" or "::1" with or without port number as database host.
Actual result
Security check when using "localhost:1234", "127.0.0.1:1234" or "[::1]:1234" as database host, with "1234" being the port number on which that server works, as if it was a remote host.
No security check when using "localhost", "127.0.0.1" or "::1" as database host.
Security check when using something else than "localhost", "127.0.0.1" or "::1" with or without port number as database host.
Documentation Changes Required
Don't think so, but am not 100% sure.
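
The host handling described in this pull request, as an added example that is not the PR's patch or Joomla's installer code: an optional port is split off using the pattern quoted in the thread, and the remaining host is compared exactly against the three local names. The function names, the `dbserver` host and the upper bound check on the port are assumptions of this example.

```php
<?php
// Added illustration; function names are hypothetical, not Joomla APIs.
const LOCAL_DB_HOSTS = ['localhost', '127.0.0.1', '::1'];

/**
 * Split "host", "host:port" or "[ipv6]:port" into [host, port|null].
 * Returns null for malformed input or a port above 65535.
 */
function splitDbHost(string $value): ?array
{
    $port      = '[1-9]{1}[0-9]{0,4}'; // pattern from the thread: 1 to 5 digits, no leading zero
    $bracketed = '/^\[([0-9a-f:]+)\](?::(' . $port . '))?$/i';
    $plain     = '/^([^:\[\]]+)(?::(' . $port . '))?$/';

    if (!preg_match($bracketed, $value, $m) && !preg_match($plain, $value, $m)) {
        // Bare IPv6 literal such as "::1": every colon belongs to the address,
        // so no port can be told apart without square brackets.
        return substr_count($value, ':') > 1 ? [strtolower($value), null] : null;
    }

    $portNum = isset($m[2]) ? (int) $m[2] : null;
    if ($portNum !== null && $portNum > 65535) {
        return null; // the pattern alone also admits 65536..99999
    }

    return [strtolower($m[1]), $portNum];
}

/** True when the extra remote-host verification should run. */
function needsRemoteHostCheck(string $dbHost): bool
{
    $parts = splitDbHost(trim($dbHost));

    // Fail closed: unparseable input is treated as remote. The match is exact,
    // so a name that merely starts with "localhost" does not skip the check.
    return $parts === null || !in_array($parts[0], LOCAL_DB_HOSTS, true);
}

// Constructed inputs: the cases from the expected results plus edge cases.
$samples = ['localhost:1234', '127.0.0.1:1234', '[::1]:1234', 'localhost', '::1',
            'dbserver:3306', 'dbserver', 'localhost:99999', 'localhost.example.net:3306'];

foreach ($samples as $host) {
    printf("%-28s %s\n", $host, needsRemoteHostCheck($host) ? 'security check' : 'no check');
}
```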