[5.2] Harden FormattedTextLogger against object injection attacks #44428
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ramalama
approved these changes
Nov 8, 2024
|
@ramalama can you open https://issues.joomla.org/tracker/joomla-cms/44428 and
Now the test count as successfull. |
|
I have tested this item ✅ successfully on 4982fc9 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/44428. |
|
The test instruction doesn't appear to run the new method. Please confirm. |
|
As described, there is no option to execute the method in core. That’s why the purpose of the instructions is to confirm that legitimate use cases of that class are unaffected. |
|
I have tested this item ✅ successfully on 2ed7d84 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/44428. |
|
RTC This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/44428. |
|
Thank you for your contribution! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary of Changes
The current implementation of the FormattedTextLogger class creates a potential code execution vulnerability if either Joomla core itself or a third party extension would have an object injection vulnerability via unserialization of user supplied input. This PR adds an exception message for that very specific case, preventing that such an attack payload would be written.
YES, I'm aware that this is a theoretical b/c break. However, weighting the pros and cons of the current implementation, I think that it's a useful change nonetheless.
Credits:
The general mechanism was reported by Drew Webber / mcdruid
Testing Instructions
Apply patch, create a log message by trying to log in into the administrator site with wrong credentials.
Actual result BEFORE applying this Pull Request
Log file is written
Expected result AFTER applying this Pull Request
Log file is written
Link to documentations
Please select:
Documentation link for docs.joomla.org:
No documentation changes for docs.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed