joomla-framework / filter Goto Github PK

Steps to reproduce the issue

It seems that beginning with version 2.0.0-beta3, the filter package breaks saving Global Configuration in the 4.0-dev branch of the CMS, see joomla/joomla-cms#32207 (comment) .

I.e. update the filter package on J4 to version 2.0.0-beta3 or 2.0.0-beta4. Then go to Global Configuration and try to save.

Expected result

Works.

Actual result

PHP Recoverable fatal error:  Object of class stdClass could not be converted to string
in /home/richard/lamp/public_html/joomla-cms-4.0-dev/libraries/vendor/joomla/filter/src/InputFilter.php on line 239,
referer: https://www.joomla-40-dev.vmkubu02.vmnet2.local/administrator/index.php?option=com_config

System information (as much as possible)

Additional comments

Please see:
joomla/joomla-cms#4492

@mbabker Is it time for a 1.1.7 release of the filter package?

Paths with dots at the beginning of folder or file name doesn't pass current path filter regular expressions. For example /var/www/.secret doesn't pass, even it is valid path. This influence Joomla CMS update system, when used such path for global temp dir.

Steps to reproduce the issue

Set in Joomla global configuration Temp path with hidden folder (starting with dot), for example /var/www/.tmp.
Go to Joomla update component and try to download and install update.

Expected result

No error, update is installed.

Actual result

Error is displayed, update is not installed.

System information (as much as possible)

Joomla CMS with Joomla Filter 1.4.3

Additional comments

This is B/C break in Joomla CMS, as it influence Joomla update system. Path doesn't pass filter, so returns empty string, which causes updater to fail download update file, with incorrect error message.

Tried to solve it in joomla/joomla-cms#33151, which was incorrect, as I was noticed of double dots folders (and also PR to wrong project :))

Steps to reproduce the issue

This is an issue that was found out in joomla/joomla-cms#38993 and is still valid in the current codebase of the filter package. In 0556634 the language class from the CMS is used in the OutputFilter class and besides that, the use-statement is wrong. So right now this stringUrlSafe() does not work.

Steps to reproduce the issue

var_dump((new Joomla\Filter\InputFilter)->clean(1, 'raw'));

Expected result

int 1

Actual result

string '1'

System information (as much as possible)

Additional comments

Since e4d3d15.

Steps to reproduce the issue

1. Apply the path filter to the path

/var/www/vhosts/website-net/subdomain-website-net/._hiddenTemp

2. Apply the path filter to the path

/var/www/vhosts/website.net/subdomain.website.net/._hiddenTemp

Expected result

1. Should return the cleaned path

/var/www/vhosts/website-net/subdomain-website-net/._hiddenTemp

2. Should return the cleaned path

/var/www/vhosts/website.net/subdomain.website.net/._hiddenTemp

Actual result

1. Returns the path

/var/www/vhosts/website-net/subdomain-website-net/._hiddenTemp

2. Returns an empty path

``

Additional comments

Plesk servers use the domain/subdomain pattern 2 so this is a live issue.

Additionally the use of hidden files/folders is a valid and security enhancing use case - setting the Joomla tmp or log directory to a hidden *nix folder is a good thing. Also can be used to install a hidden Joomla installation in an obscure and hidden sub-folder of a live site.