New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[3] Ensure that url alias segments correspond to real aliases of articles/categories #32879
Conversation
…/categories Signed-off-by: Phil E. Taylor <phil@phil-taylor.com>
Not really. Someone might have been using this "bug" intentionally. I can see how the article part is b/c but not the category part. As such I cant see how this could be introduced before at least 3.10 as a minimum |
This comment was marked as abuse.
This comment was marked as abuse.
The how is by manually using the fake link as an href The why is "who the heck knows" but as its been possible for 15 years .... |
This comment was marked as abuse.
This comment was marked as abuse.
As you keep correctly saying "institutional memory" is important. We've fixed one of these things before and it caused uproar |
This comment was marked as abuse.
This comment was marked as abuse.
I agree with you, that this is a bug, but I also agree with Brian that it isn't B/C. |
This comment was marked as abuse.
This comment was marked as abuse.
Co-authored-by: Quy <quy@fluxbb.org>
Co-authored-by: Quy <quy@fluxbb.org>
This pr would break 2 bigger sites of my customers. They use the actual behavior for shortcut urls in lectures and papers (university) and on trade fairs etc. (component dealer). The only b\c solution would be an additional setting. Besides search engines, there is also a real user world. |
This comment was marked as abuse.
This comment was marked as abuse.
This comment was marked as abuse.
This comment was marked as abuse.
Notice: This has been largely fixed in 4.0. It's not that this isn't an issue, but that I don't think this is solvable in a B/C way and thus has been fixed in 4.0 instead of changing this in 3.6 with the addition of modern routing. |
"Largely" means, that the IDs are validated and the number of segments when IDs are still enabled both for categories and articles. Missing or additional segments will throw errors. If you disable IDs, then the aliases are all validated as well. |
This comment was marked as abuse.
This comment was marked as abuse.
This comment was marked as abuse.
This comment was marked as abuse.
Please first talk to the 3.10 maintainer (@zero-24) if he is willing to accept such a change in 3.10. The production team decided some time ago that we wouldn't add changes to 3.10 which aren't necessary to migrate to 4.0. In the end it is in the discretion of the maintainer if he wants to add it or not. |
This comment was marked as abuse.
This comment was marked as abuse.
This would definitely be judged as a new feature and I would be really surprised if @HLeithner would accept this for a release in 3.9. |
This comment was marked as abuse.
This comment was marked as abuse.
I'm only telling you what I know is the current status. Would you be happier if I hadn't written this here? Like, after you invested another 5 hours into this issue, only to be shot down? As I said, it is in the discretion of the maintainers and those are @zero-24 and @HLeithner and I said to talk to them first before you waste time on this. Besides that, I disagree with the development on Joomla 4.0. Not only are we moving forward with Joomla 4.0, we also have 4.1 and 4.2 already in the pipeline. You can point your new features to the respective branches already and have a promise when these will be released. However, in the end, we can't keep adding features wherever we want, because we would never get finished with 4.0, have no incentive to switch to 4.0 and delay everything even further. I don't like it either, but that is the reality. |
This comment was marked as abuse.
This comment was marked as abuse.
This comment was marked as abuse.
This comment was marked as abuse.
@PhilETaylor I can't see which comments are deleted, the github audit log only tells me that (you?) deleted 5 comments. But I think you didn't deleted it your self and complains that someone else deleted them^^ Can you help me which comment got deleted? |
This comment was marked as abuse.
This comment was marked as abuse.
Sometimes the cache can be quite aggressive. |
ok thanks for the confirmation |
Issue #32490 and many others
Summary of Changes
This PR attempts to close a long standing issue where you can manipulate Joomla's urls and the router will still work.
This can be easily seen on the official Joomla.org site at:
https://www.joomla.org/announcements/BLAHBLAHBLAHBLAHBLAHBLAH/5834-LALALALALALALLALALALALALA
https://www.joomla.org/announcements/i/HACK/HACKED/YOUR/SITE/YOU/SUCK/5834-LALALALALALALLALALALALALA
Where BLAHBLAHBLAHBLAHBLAHBLAH is a made up category name and
LALALALALALALLALALALALALA
is a made up article alias.That fake url still loads the "Joomla 3.9.25 Release" article which has id 5834. It should, IMHO, and in the opinion of others, be a 404, as
LALALALALALALLALALALALALA
could beJoomla-Sucks
or anything else SEO that a hacker wants to use.Testing Instructions
Enabled SEF and rewrite. (Legacy, not modern)
Create yourself a category tree of lets say three categories (as a real test, you choose how many you want, it should still work), each a child of the last, and then an article (with alias my-article) in the bottom most category
Top Most -> Middle Most -> Bottom Most -> my-article
Visit the home page and you should see the link to My Article in the Latest Articles Module, click it and get a SEF url of
https://example.com/9-top-most/middle-most/bottom-most/3-my-article
Where 9 is the id of my category "Bottom Most" and 3 is the id of My Article (Yours might be different ids)
Actual result BEFORE applying this Pull Request
Before this PR you can manipulate the url and replace one or more of aliases with HHHH like below, these urls STILL WORK:
https://example.com/9-top-most/middle-most/bottom-most/3-HAHA
https://example.com/9-top-most/middle-most/HAHA/3-HAHA
https://example.com/9-top-most/HAHA/HAHA/3-HAHA
https://example.com/9-HAHA/HAHA/HAHA/3-HAHA
Expected result AFTER applying this Pull Request
After this P, when you manipulate the url and replace one or more of aliases with HHHH like below, these urls DONT WORK: and now lead correctly to a 404 page.
https://example.com/9-top-most/middle-most/bottom-most/3-HAHA
https://example.com/9-top-most/middle-most/HAHA/3-HAHA
https://example.com/9-top-most/HAHA/HAHA/3-HAHA
https://example.com/9-HAHA/HAHA/HAHA/3-HAHA
But accessing the full generated url with aliases correct STILL WORKS
https://example.com/9-top-most/middle-most/bottom-most/3-my-article
Documentation Changes Required
This is backward compatibleapparently not, people disagree with me, Cool. Not my decision to make.All the new code is doing is running 2n more queries to validate the aliases provided against either the alias of a category or article with a known id, or in the case of nested categories, that ANY category in the db has the provided alias (nor perfect, I know, but much better than it currently is, and this is only for the Middle Most and Top Most category if there are 3 or more nested categories).
There is one more case I wanted to address but ran out of time and that is with the new MODERN routing its possible to generate a url like:
https://example.com/?view=article&id=3:my-article&catid=9
where
my-article
is the alias of the My Article (id:3) article. This can also be manipulated like:https://example.com/?view=article&id=3:HAHA&catid=9
and that url will still work correctly. This still needs addressing and has been forked to #32880 as not to be forgotten
// cc @brianteeman @Ruud68