Add path filter to joomla updates download process for the temp folder

[zero-24]

Summary of Changes

The JSST has been contacted about an missing path filter whithin the joomla download process. Given that an successfull attack requires a Super User access to change the tmp path setting and also to trigger the update itself the JSST decided to move this patch to the public tracker.

Testing Instructions

• apply the patch
• Try to install an update or to "reinstall the core files"
• Make sure the update works as expected
• try to install an update via this custom update server (https://ci.joomla.org/artifacts/joomla/joomla-cms/staging/32076/downloads/39782/pr_list.xml)

Actual result BEFORE applying this Pull Request

The upgrade works as expected

Expected result AFTER applying this Pull Request

The upgrade works as expected

Documentation Changes Required

none

[nibra]

You can then replace the whole switch statement with
$result = parent::clean($source, $type);

[zero-24]

Right even better 👍

[richard67]

@zero-24 Shall we test this, or shall we wait until the Todo's are done? If test: Could you add the missing link to an update package in the testing instructions (currently "(to be generated)")?

[zero-24]

This has to wait for the archive package to be merged and the path filter patched as noted above. The package i mean is the one generated by drone.

[richard67]

@zero-24 I've updated in the description the link to the update package for this PR so it points to the latest build.

[richard67]

Test on Linux was ok, but on Windows it was failing. See joomla-framework/filter#40 for the fix in the framework package.

[richard67]

Now we have to wait for #32206 to be merged.

[zero-24]

I have just merged the filter package and updated the branch here so this is ready to be tested again.

[richard67]

I've updated in the description the link to the update package for this PR so it points to the latest build.

[zero-24]

I've updated in the description the link to the update package for this PR so it points to the latest build.

Thanks was about to do that too as we have to wait for it to be generated👍

[richard67]

I had to do it again because I had to restart drone.

[richard67]

I have tested this item ✅ successfully on adab40b

Tested with 2 server environments, one Linux with PHP 7.3, and one Windows with PHP 7.4.

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32076.}

[richard67]

@zero-24 I've removed the "Todo's" section from the description because that stuff has been done meanwhile.

[Quy]

Move after line 10?

[zero-24]

Moved ce05326

[chmst]

I have tested this item ✅ successfully on adab40b

Tested on win10, with php8, following the testing instructions

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32076.}

[richard67]

RTC

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32076.}

[richard67]

@zero-24 Could you check @Quy 's suggestion above and fix it? #32076 (comment) . It will not change RTC status.

[zero-24]

@zero-24 Could you check @Quy 's suggestion above and fix it? #32076 (comment) . It will not change RTC status.

Moved with: ce05326

[richard67]

Previous tests are still valid since last change after tests was code style only. I've restored the test results in the tracker.

[HLeithner]

Thanks