joomla-cms icon indicating copy to clipboard operation
joomla-cms copied to clipboard
verified publisher icon joomla

template min.css and min.js etc

Open brianteeman opened this issue 3 years ago • 26 comments

It is currently possible to upload a file.min.css, file.min.js, file.asset.json

However it is not possible to rename or create a new file as we had a check to prevent having a . in the name

There really is no need for this restriction. It dates back 10 years to a security fix but it wasn't needed as the rest of the security fix is still valid.

NOTE: This does not add .min.css or .min.js or asset.json to the list of filetypes. They are still just css, js and json but now you can put a dot in the filename

image

image

brianteeman avatar Aug 14 '22 10:08 brianteeman

I have tested this item :white_check_mark: successfully on 1e62228bd7816a8a38904d7f664b9b8fedb4e4fc

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38458.

N6REJ avatar Aug 14 '22 11:08 N6REJ

I have tested this item :white_check_mark: successfully on 1e62228bd7816a8a38904d7f664b9b8fedb4e4fc

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38458.

Kostelano avatar Aug 14 '22 18:08 Kostelano

RTC

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38458.

richard67 avatar Aug 14 '22 20:08 richard67

@brianteeman Does this PR solve the 2 issues #38455 and #30908 so they can be closed?

richard67 avatar Aug 14 '22 20:08 richard67

Just from code review: we have to be careful to not allow: "...hello...bla.min"

bembelimen avatar Aug 16 '22 08:08 bembelimen

@bembelimen I did wonder about that but I assumed (maybe incorrectly) that as we didnt allow the slash it would not be a problem?

brianteeman avatar Aug 16 '22 08:08 brianteeman

please remove the RTC on this.

@bembelimen was correct and we need to prevent a .. in the filename. I was only thinking of security but actually it blows away the php if its allowed. - will update this PR later

brianteeman avatar Aug 17 '22 16:08 brianteeman

Back to pending due to reason stated in previous comment.

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38458.

richard67 avatar Aug 17 '22 16:08 richard67

Please retest and confirm that you can now create, rename files with a dot in them AND that you cannot when there are two or more dots

brianteeman avatar Aug 18 '22 22:08 brianteeman

Whats with a "invisible space" IIRC thats not catched by strpos. Or some kind of none breaking change as well as some unicode char thats confusing the filename/filesystem? didnt we have a filter class where we could throw this file name against too?

zero-24 avatar Aug 18 '22 22:08 zero-24

@zero-24 The file is already going through a filter before this iirc. If not then its beyond the scope of this PR as it would be possible before this PR as well. please test those yourself.

brianteeman avatar Aug 19 '22 05:08 brianteeman

I have tested this item :white_check_mark: successfully on fa2068eaa65eb69fba1f7cc2606934429793d0a4

Tested again. With one dot - the file was created, with two or more - an error.

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38458.

Kostelano avatar Aug 19 '22 09:08 Kostelano

I have tested this item :white_check_mark: successfully on fa2068eaa65eb69fba1f7cc2606934429793d0a4

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38458.

jwaisner avatar Aug 19 '22 22:08 jwaisner

RTC

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38458.

jwaisner avatar Aug 19 '22 22:08 jwaisner

"." should not be allowed at the beginning of the name (as then the file is hidden) and also not at the end of the name (to avoid again the ".." with the extension.

bembelimen avatar Aug 28 '22 14:08 bembelimen

should not be allowed at the beginning of the name Its not - either before or after this pr. In both cases the leading dot is stripped

also not at the end of the name yeah thats a bug in the regex will need to fix thaat after the holiday

brianteeman avatar Aug 28 '22 14:08 brianteeman

please remove rtc for now

brianteeman avatar Aug 28 '22 14:08 brianteeman

Back to pending.

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38458.

richard67 avatar Aug 28 '22 14:08 richard67

Sorry I must have got distracted. I had the correct regex already written but for some reason I didnt include it.

You can test the regex here https://rextester.com/RULEP70144

brianteeman avatar Aug 29 '22 20:08 brianteeman

I have tested this item :white_check_mark: successfully on e291abbb929f91beaaa51844d790b23259134efa

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38458.

Kostelano avatar Aug 30 '22 19:08 Kostelano

I have tested this item :white_check_mark: successfully on e291abbb929f91beaaa51844d790b23259134efa

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38458.

viocassel avatar Sep 02 '22 09:09 viocassel

RTC

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38458.

N6REJ avatar Sep 02 '22 12:09 N6REJ

RTC

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38458.

N6REJ avatar Sep 02 '22 12:09 N6REJ

I would really like to merge it, but regex with this size are tricky and need more tests. I'm wondering where the underscore in the first regex went? But 4.3 has the time to test intensively, so I'm moving the PR.

fancyFranci avatar Sep 15 '22 21:09 fancyFranci

There will be zero extra tests. Look at who has already tested it.

brianteeman avatar Sep 15 '22 21:09 brianteeman

As @fancyFranci noticed, it does not allow underscore in the regexp anymore. A file name like joomla_78.min.css will fail. Why are the regular expressions different in create/rename? Shouldn't they be identical?

obuisard avatar Sep 17 '22 18:09 obuisard

Sorry, don't want to be the party pooper again. So I tested it:

Before:

Edit/Create file:

  • _bla.scss => works
  • bla.min.css => does not work
  • text-file.php => works
  • .hui.txt => converted to "hui.txt" andsaved (should probably give an error)

After:

Create file:

  • _bla.scss => does not work
  • bla.min.css => works
  • text-file.php => does not work
  • .hui.txt => converted to "hui.txt"

Edit file:

  • _bla.scss => works
  • bla.min.css => does not work
  • text-file.php => works
  • .hui.txt => converted to "hui.txt" and saved

I also think I was wrong regaring the "." at the beginning, there is no test needed as the getCmd filter already removed the ".". So I think (?!.*\\..*\\..*) is not needed at the beginning?

bembelimen avatar Sep 27 '22 01:09 bembelimen

Back to pending

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38458.

bembelimen avatar Sep 27 '22 01:09 bembelimen

Please make up your minds.

Closed

brianteeman avatar Sep 27 '22 04:09 brianteeman

My intention was not to block it :( just giving it a proper testing as I think it's a nice feature.

bembelimen avatar Sep 28 '22 16:09 bembelimen