Folder or file could start with dot

[n3t]

Files and folders starting with dot didn't pass the regexpr test. So for example \var\www.tmp path didn't pass the test, which causes error during Joomla update.

Summary of Changes

Modified Reg Expressions to include files and / or folders starting with dot. The check was brought by this PR #32076 which adds InputFilter to temp path settings, however ignoring folders with dot at the beginning.

Testing Instructions

Go to Joomla settings and change your Temp path to some folder with dot at the beginning, for example \path_to_joomla.tmp (and create that folder of course). Go to Joomla update, and try to install the update.

Actual result BEFORE applying this Pull Request

Error is displayed, update is not installed.

Expected result AFTER applying this Pull Request

No errror, update is installed.

Documentation Changes Required

None

[brianteeman]

Files and folders starting with dot didn't pass the regexpr test.

thats good as they are not supposed to

[n3t]

@brianteeman There is no reason that those files and folders should be ommited. Especially folders. For example ".tmp" makes that folder hidden on Linux, not visible for example through FTP access.

[n3t]

@PhilETaylor I know you can switch on to show it, but if you just want to keep your view clean, you can easily hide it with dot.

[n3t]

libraries/src/Filter/InputFilter.php only calll parent::clean function. To modify it would mean to copy all the code from libraries/vendor/joomla/filter/src/InputFilter.php...

How to get comment from @joomla/security team? Here, or need to be contacted other way?

[n3t]

Ok, thanks. The PR should be propably made to https://github.com/joomla-framework/filter package, or as you proposed, to 'libraries/src/Filter/InputFilter.php', or maybe directly to Model of Joomla Update component. I contacted security team to review this and give advice.

Generally this is related to issue you mentioned here #32567 but on other place of Joomla.

[richard67]

@n3t Your pull request is wrong for following reasons:

1. Your regular expressions are wrong. They will, in opposite to those in current Joomla 3 code, allow paths like e.g. /some/folder/../../../evil.php on Linux, which means breaking out of the Joomla root. This open a security hole and so cannot be accepted. You can easily very that with one of the many available sites for online execution of preg_match. Just Google for it.
2. Any change has to be made in the https://github.com/joomla-framework/filter repository .

I suggest you open an issue with a feature request in the https://github.com/joomla-framework/filter repository. The feature request should clearly describe your requirement (to be able to use folder and file names starting with a dot).

And please don't contact anymore the SST for discussing this PR via their email for reporting security issues. The form which you have used is ONLY for reporting security issues. @PhilETaylor had already notified the right person in his comment here #33151 (comment) .

[n3t]

@richard67 Thanks for your review, sorry for using contact form, I did it just because asked to. I will raise an issue on framework. Anyway, checking double dots in tmp folder set in configuration.php doesn't bring any real security in Joomla update process, as I can easily go to configuration, and set directly /other/folder/evil.php, which will pass the test as correct path...

[richard67]

@n3t We don't protect a super user from himself (or herself). If you enter such an absolute path in backend you should know what you are doing. There are other ways to manipulate paths than changing in backend.