268 changes: 139 additions & 129 deletions administrator/components/com_joomlaupdate/restore_finalisation.php
Expand Up @@ -5,184 +5,194 @@
*
* @copyright Copyright (C) 2005 - 2018 Open Source Matters, Inc. All rights reserved.
* @license GNU General Public License version 2 or later; see LICENSE.txt
*
* Important Notes:
* - Unlike other files, this file requires multiple namespace declarations in order to overload core classes during the update process
* - Also unlike other files, the normal constant defined checks must be within the global namespace declaration and can't be outside of it
*/

// Require the restoration environment or fail cold. Prevents direct web access.
defined('_AKEEBA_RESTORATION') or die();

// Fake a miniature Joomla environment
if (!defined('_JEXEC'))
namespace
{
define('_JEXEC', 1);
}
// Require the restoration environment or fail cold. Prevents direct web access.
defined('_AKEEBA_RESTORATION') or die();
Member

Can this not be removed from core, @nikosdion?

Contributor

I am not sure what you are asking.

Removing the constant completely would be a massive security issue. This script must only be allowed to run under very specific circumstances. Removing this check would allow anyone to run it anytime, causing damage to the site.

Renaming the constant is possible, with the caveat that it's not a rename, it's an addition to Akeeba Restore (restore.php). As you can see, this constant is defined in the Akeeba Restore preamble and it's used by my backup software's integrated restoration to make sure post-restoration finalization won't be executable over the web for the same security reasons. We could add another line
define('_JOOMLA_UPDATE', 1);
and change the line in restore_finalisation.php to
defined('_JOOMLA_UPDATE') or die();
Renaming it won't happen because it'd break my software.

I think that's the best solution. After all, restore.php is a third party library included with Joomla, not part of Joomla! itself. This is what the erstwhile Production Leadership Team had declared and that's the context of our conversation.

I could go one step further and make a special distribution of Akeeba Restore just for the Joomla! project. Please note that this would be a custom distribution, not code with shared OSM copyright, i.e. it will still not be part of Joomla! itself. The custom distribution could do away with all the features the Joomla! project does not need such as support for JPA and JPS archives and all post-processing engines except Hybrid (which magically figures out when to use direct file writes and FTP).

This latter option is extra work for me since it requires refactoring my code. I don't have time to do this right now but if you'd give me a rough estimate of a 4.0 beta freeze I could try. Since the custom distribution would be backwards compatible in the com_joomlaupdate context, even if I don't make it by the beta freeze we can still replace the regular restore.php with the custom one anytime in the 4.0 release cycle.

In fact, we could first add the extra define and then move to the custom distribution. Makes sense for you?

Member

Whatever works best. I would add the _JOOMLA_UPDATE joomla code and deprecate the _AKEEBA_RESTORATION check. I guess we can't remove it in the near future as it will break the old Akeeba backup installations?

Contributor

If you really don't want that constant in the file the only course of action is the second option, making a special distribution of restore.php for Joomla!. As I explained this will take a while.

In the meantime you can continue using the old constant. I would also recommend adding more comment text at the top of the file to explain when this file is used and what it does.

Contributor

For my own education and only if you have time can you explain why removing the akeeba restoration constant will allow unwelcome access - we still have the JEXEC or die?

Contributor

@wilsonge wilsonge Aug 1, 2018

This file is run directly from restore.php as a cleanup step. As a result we're not in the context of a Joomla entry file but the restore.php context - hence we haven't actually defined JEXEC for this single file (you can see we define it on the line below)

Contributor

thank you

Contributor

Since other people will be reading this, there is a reason why we run this outside the Joomla! context.

When we are going between Joomla! release families (e.g. 3.8 to 3.9) we can reasonably expect that some files / folders are removed or moved around. However, extracting a ZIP file will only create files, not delete the ones which are removed.

This is not just a nuisance (dead code left behind) but a real functionality issue. Due to the way the class autoloader works, old code files might be prioritized over the new ones. This will create a disparity in what the rest of Joomla! expects to be loaded and what is actually loaded. This would lead to dead sites.

Moreover, sometimes we need to apply some database changes (either schema or data conversions) to ensure that the upgraded site will work correctly.

Finally, on sites which use a code cache (such as OPcache) we need to reset the code cache after Joomla! finishes updating. Otherwise PHP may end up loading a mix of old files from the cache and new files from disk, leading to broken sites. Unfortunately many servers either have a code cache enabled without asking the user or brand it as "site optimization" without sufficient explanation of the technical pitfalls every time you upgrade code on your site. This can be resolved programmatically in most cases.

These actions need to run after Joomla is upgraded but before you access it. Therefore we cannot run in the Joomla! CMS application context, nor can we (usually) do so safely in the context of a custom web application based on the Joomla! framework because of the deleted / moved files issue. The only way to handle it is by doing this outside of Joomla!, selectively loading the bits and pieces which are guaranteed to be working. Hence a separate script. The need to load bits of Joomla! is why we also define _JEXEC in that script; to allow those Joomla bits to load without dying.

The question is, how do you load this script over the web without accessing Joomla! and without posing a security threat (i.e. you can't have a directly web accessible file). The solution is given by Akeeba Restore itself. The last step it does after the extraction is over is calling the restore_finalisation.php script. Since communication with Akeeba Restore is secured and limited to the update process it does not pose a security risk.

The way the finalisation script is protected against direct access is similar to what Joomla! does: by checking whether a constant is defined. This thread is about renaming that constant.

Contributor

Thank you


use Joomla\CMS\Language\Text;

if (!function_exists('jimport'))
{
/**
* We don't use it but the post-update script is using it anyway, so LET'S FAKE IT!
*
* @param string $path A dot syntax path.
* @param string $base Search this directory for the class.
*
* @return boolean True on success.
*
* @since 11.1
*/
function jimport($path, $base = null)
// Fake a miniature Joomla environment
if (!defined('_JEXEC'))
{
// Do nothing
define('_JEXEC', 1);
}
}

// Fake the JFile class, mapping it to Restore's post-processing class
if (!class_exists('JFile'))
{
/**
* JFile mock class proxing behaviour in the post-upgrade script to that of either native PHP or restore.php
*
* @since 3.5.1
*/
abstract class JFile
if (!function_exists('jimport'))
{
/**
* Proxies checking a folder exists to the native php version
* We don't use it but the post-update script is using it anyway, so LET'S FAKE IT!
*
* @param string $fileName The path to the file to be checked
* @param string $path A dot syntax path.
* @param string $base Search this directory for the class.
*
* @return boolean
* @return boolean True on success.
*
* @since 3.5.1
* @since 11.1
*/
public static function exists($fileName)
function jimport($path, $base = null)
{
return @file_exists($fileName);
// Do nothing
}
}

if (!function_exists('finalizeRestore'))
{
/**
* Proxies deleting a file to the restore.php version
* Run part of the Joomla! finalisation script, namely the part that cleans up unused files/folders
*
* @param string $fileName The path to the file to be deleted
* @param string $siteRoot The root to the Joomla! site
* @param string $restorePath The base path to restore.php
*
* @return boolean
* @return void
*
* @since 3.5.1
*/
public static function delete($fileName)
function finalizeRestore($siteRoot, $restorePath)
{
$postproc = AKFactory::getPostProc();
$postproc->unlink($fileName);
if (!defined('JPATH_ROOT'))
{
define('JPATH_ROOT', $siteRoot);
}

$filePath = JPATH_ROOT . '/administrator/components/com_admin/script.php';

if (file_exists($filePath))
{
require_once $filePath;
}

// Make sure Joomla!'s code can figure out which files exist and need be removed
clearstatcache();

// Remove obsolete files - prevents errors occuring in some system plugins
if (class_exists('JoomlaInstallerScript'))
{
(new JoomlaInstallerScript)->deleteUnexistingFiles();
}

// Clear OPcache
if (function_exists('opcache_reset'))
{
opcache_reset();
}
}
}
}

// Fake the Folder class, mapping it to Restore's post-processing class
if (!class_exists('Folder'))
namespace Joomla\CMS\Filesystem
{
/**
* Folder mock class proxing behaviour in the post-upgrade script to that of either native PHP or restore.php
*
* @since 3.5.1
*/
abstract class Folder
// Fake the JFile class, mapping it to Restore's post-processing class
if (!class_exists('File'))
{
/**
* Proxies checking a folder exists to the native php version
*
* @param string $folderName The path to the folder to be checked
*
* @return boolean
* JFile mock class proxing behaviour in the post-upgrade script to that of either native PHP or restore.php
*
* @since 3.5.1
* @since 3.5.1
*/
public static function exists($folderName)
abstract class File
{
return @is_dir($folderName);
}
/**
* Proxies checking a folder exists to the native php version
*
* @param string $fileName The path to the file to be checked
*
* @return boolean
*
* @since 3.5.1
*/
public static function exists($fileName)
{
return @file_exists($fileName);
}

/**
* Proxies deleting a folder to the restore.php version
*
* @param string $folderName The path to the folder to be deleted
*
* @return void
*
* @since 3.5.1
*/
public static function delete($folderName)
{
recursive_remove_directory($folderName);
/**
* Proxies deleting a file to the restore.php version
*
* @param string $fileName The path to the file to be deleted
*
* @return boolean
*
* @since 3.5.1
*/
public static function delete($fileName)
{
$postproc = AKFactory::getPostProc();
$postproc->unlink($fileName);
}
}
}
}

// Fake the Text class - we aren't going to show errors to people anyhow
if (!class_exists('Text'))
{
/**
* Text mock class proxing behaviour in the post-upgrade script to that of either native PHP or restore.php
*
* @since 3.5.1
*/
abstract class Text
// Fake the Folder class, mapping it to Restore's post-processing class
if (!class_exists('Folder'))
{
/**
* No need for translations in a non-interactive script, so always return an empty string here
* Folder mock class proxing behaviour in the post-upgrade script to that of either native PHP or restore.php
*
* @param string $text A language constant
*
* @return string
*
* @since 3.5.1
* @since 3.5.1
*/
public static function sprintf($text)
abstract class Folder
{
return '';
/**
* Proxies checking a folder exists to the native php version
*
* @param string $folderName The path to the folder to be checked
*
* @return boolean
*
* @since 3.5.1
*/
public static function exists($folderName)
{
return @is_dir($folderName);
}

/**
* Proxies deleting a folder to the restore.php version
*
* @param string $folderName The path to the folder to be deleted
*
* @return void
*
* @since 3.5.1
*/
public static function delete($folderName)
{
recursive_remove_directory($folderName);
}
}
}
}

if (!function_exists('finalizeRestore'))
namespace Joomla\CMS\Language
{
/**
* Run part of the Joomla! finalisation script, namely the part that cleans up unused files/folders
*
* @param string $siteRoot The root to the Joomla! site
* @param string $restorePath The base path to restore.php
*
* @return void
*
* @since 3.5.1
*/
function finalizeRestore($siteRoot, $restorePath)
// Fake the Text class - we aren't going to show errors to people anyhow
if (!class_exists('Text'))
{
if (!defined('JPATH_ROOT'))
{
define('JPATH_ROOT', $siteRoot);
}

$filePath = JPATH_ROOT . '/administrator/components/com_admin/script.php';

if (file_exists($filePath))
{
require_once $filePath;
}

// Make sure Joomla!'s code can figure out which files exist and need be removed
clearstatcache();

// Remove obsolete files - prevents errors occuring in some system plugins
if (class_exists('JoomlaInstallerScript'))
{
$script = new JoomlaInstallerScript;
$script->deleteUnexistingFiles();
}

// Clear OPcache
if (function_exists('opcache_reset'))
/**
* Text mock class proxing behaviour in the post-upgrade script to that of either native PHP or restore.php
*
* @since 3.5.1
*/
abstract class Text
{
opcache_reset();
/**
* No need for translations in a non-interactive script, so always return an empty string here
*
* @param string $text A language constant
*
* @return string
*
* @since 3.5.1
*/
public static function sprintf($text)
{
return '';
}
}
}
}
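
Review bot: In `File::delete()` inside the new `namespace Joomla\CMS\Filesystem` block, the unqualified `AKFactory::getPostProc()` now resolves to `Joomla\CMS\Filesystem\AKFactory`, because PHP falls back to the global namespace only for functions and constants, not for classes; the call resolved before only because the old `JFile` mock was declared in the global namespace. Write it as `\AKFactory::getPostProc()` (the `recursive_remove_directory()` call in `Folder::delete()` is a function and still resolves). The guards have the same namespacing problem: `class_exists('File')`, `class_exists('Folder')` and `class_exists('Text')` treat the string as a fully qualified name, so they test the global `\File`, `\Folder` and `\Text` rather than the classes declared in these blocks, and an already loaded `Joomla\CMS\Filesystem\File` would cause a redeclaration fatal error instead of being skipped. Use `class_exists(File::class)` or spell out the full name in the string. Smaller points: the `// Fake the JFile class` comment and the `JFile mock class` docblock are stale now that the class is named `File`, and `File::delete()` is documented as `@return boolean` but returns nothing.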