Fix escaping of $ and reverts old language file format #42463
this reverts a security fix |
It provides another solution via proper escaping of saved strings in the Language Override component. |
And a complete transition to the raw parser is proposed for Joomla 6.0, with a description of how to do this correctly by carefully converting language strings to the new format. |
The current filter does not properly filter overrides while saving the string. Prefixing the dollar in the string with a slash will lead to another slash being added while saving the string, leading to the escaping of the slashes but not of the dollar char. |
Yes, I forgot that |
Thank you! I played around with various payloads but was unable to inject a working placeholder - so from my side this solution is ok |
I've just fixed the issue with automatically regenerating language override files on upgrade (to make sure payloads are removed if they exist). So the patch is ready for all kinds of testing. |
Use __DEPLOY_VERSION__ instead of a hardcoded value
Co-authored-by: Quy <quy@nomonkeybiz.com>
@bembelimen What do you think of this patch? JSST has confirmed that this patch fixes the vulnerability that was attempted to be fixed in versions 4.4.1 and 5.0.1. At the same time, this patch fully restores the original language file parser, i.e. all compatibility issues are resolved. Also note that the 5.0.1 patch negatively impacts performance, and some people are now wasting their time creating compatibility workarounds that affect performance even more, so the sooner this patch is merged, the better. PS. I would also be interested to hear your opinion on the proposal to actually switch to the raw ini parser in the next version of Joomla: #42462. |
We still need to fix new language overrides being created. Currently this retrospectively fixes all existing language strings only. Other than that +1 from me |
New overrides are fixed by |
Hi @dryabov, thank you for your PR. One thing to consider: what about 3rd party translations of either core or extensions? I think you have to consider them, too. |
Yes, I discussed it with David Jardin. Installing 3rd party extensions requires the Super Administrator role, so it's not a problem. However, Language Overrides requires the Administrator role, that's why it was considered a vulnerability. |
If we get two tests, including the migration step (e.g. screenshots before/after), I'm happy to merge. |
Maybe it would be easier to get tests if there were some testing instructions. However, the author has removed all sections related to that which were provided by the pull request template. |
For thorough testing, I'd recommend the following steps:
|
@dryabov Could you add that also to the description (initial post) of this PR? Thanks in advance. |
Done. |
Hello @dryabov, thank you very much for your idea, code and discussion, really appreciate it. |
Hmm, the RAW mode is only better if it is not accompanied by post-processing, but currently Joomla runs |
Would you look into the str_replace, how we could overcome that problem in an easy way? |
Okay, if this is the final decision, then you have two options:
|
As far as I know from the PHP sources, using So there is no alternative, and you have a choice between current 5.0.1 code
    $strings = str_replace('\"', '"', $strings);
which breaks backwards compatibility by not stripping escaped \ and $, and
    $strings = str_replace(
        array('\"', '\$', '\\\\'),
        array('"', '$', '\\'),
        $strings);
which at least partially maintains backwards compatibility, but is obviously slower due to the additional replacements. |
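The escaping problem raised in this thread (a backslash typed before `$` gets escaped on save while the `$` itself does not) together with the load-side `str_replace` from the comment above, as an added example that is not Joomla code and not part of any comment. The names `escapeFlawed`, `escapeFixed`, `unescapeLoaded` and `hasUnescapedDollar` are hypothetical, the flawed filter is an assumed model of the behaviour described, and the sample strings are constructed.

```php
<?php
// Added example, not Joomla code; all function names are hypothetical.

// Assumed model of the save filter described in the thread: backslashes and
// quotes are escaped, '$' is not.
function escapeFlawed(string $value): string
{
    return strtr($value, ['\\' => '\\\\', '"' => '\\"']);
}

// Same filter with '$' added. strtr() with an array makes a single pass, so
// the backslash emitted for '$' is never escaped a second time.
function escapeFixed(string $value): string
{
    return strtr($value, ['\\' => '\\\\', '"' => '\\"', '$' => '\\$']);
}

// Load-side replacement quoted in the comment above.
function unescapeLoaded(string $stored): string
{
    return str_replace(array('\"', '\$', '\\\\'), array('"', '$', '\\'), $stored);
}

// True if a '$' in the stored form is not covered by a preceding backslash.
function hasUnescapedDollar(string $stored): bool
{
    for ($i = 0, $n = strlen($stored); $i < $n; $i++) {
        if ($stored[$i] === '\\') {
            $i++; // skip the character this backslash escapes
        } elseif ($stored[$i] === '$') {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs.
$samples = ['${test}', '\\${test}', 'Price: 5$ "now" \\ later'];

foreach ($samples as $input) {
    $flawed = escapeFlawed($input);
    $fixed  = escapeFixed($input);
    printf("input  %s\n", $input);
    printf("  flawed %-32s unescaped \$: %s\n", $flawed, var_export(hasUnescapedDollar($flawed), true));
    printf("  fixed  %-32s unescaped \$: %s\n", $fixed, var_export(hasUnescapedDollar($fixed), true));
    printf("  round trip intact: %s\n", var_export(unescapeLoaded($fixed) === $input, true));
}
```

`hasUnescapedDollar` can also be run over already stored override values to flag entries written before the save filter escaped `$`.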
The recent change in the language file format (from the "normal" to "raw" parser) in Joomla 4.4.1/5.0.1 resulted in broken backwards compatibility:
There are many related discussions and attempts to "fix" new behaviour: #42416 #42425 #42432 #42440 #42441 #42455 #42456
This patch fixes the escaping of the $ character in the Language Override and reverts the old language file format.
For thorough testing, I'd recommend the following steps:
${test} substring (invisible in the Languages Overrides after saving) -> install patch -> the substring is visible in the Languages Overrides.
${test} substring (visible in the Languages Overrides after saving) -> install patch -> the substring is visible in the Languages Overrides.
PS. But using a raw ini parser (without post-processing language strings) is a good idea, so I have started a feature request discussion (please join): #42462