
Make sure the URL installer does not allow other schemas then http and https #1575

Closed
jgerman-bot opened this issue Jan 24, 2021 · 0 comments · Fixed by #1579

@jgerman-bot
New language-relevant PR in upstream repo: joomla/joomla-cms#32087. Here are the upstream changes:

diff --git a/administrator/components/com_installer/models/install.php b/administrator/components/com_installer/models/install.php
index 78f098886f1c..d3eaa3a76f1e 100644
--- a/administrator/components/com_installer/models/install.php
+++ b/administrator/components/com_installer/models/install.php
@@ -385,6 +385,16 @@ protected function _getPackageFromUrl()
 			return false;
 		}
 
+		// We only allow http & https here
+		$uri = new JUri($url);
+
+		if (!in_array($uri->getScheme(), ['http', 'https']))
+		{
+			JError::raiseWarning('', JText::_('COM_INSTALLER_MSG_INSTALL_INVALID_URL_SCHEME'));
+
+			return false;
+		}
+
 		// Handle updater XML file case:
 		if (preg_match('/\.xml\s*$/', $url))
 		{
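Review bot: The scheme allow-list at `in_array($uri->getScheme(), ['http', 'https'])` uses loose comparison; pass `true` as the third argument so it is a strict string match, and consider normalising case first, since URI schemes are case-insensitive and as written `HTTPS://...` would be rejected (that fails closed, so it is a usability rather than a security issue): `if (!in_array(strtolower((string) $uri->getScheme()), ['http', 'https'], true))`. The guard only inspects the URL as entered; whatever fetches the package afterwards may follow redirects, and this check does not see the redirect target, so it is worth confirming that the download path restricts schemes too. `_getPackageFromUrl` begins before the hunk and its body continues past it.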
diff --git a/administrator/language/en-GB/en-GB.com_installer.ini b/administrator/language/en-GB/en-GB.com_installer.ini
index 20fc336d84e2..43d0df516942 100644
--- a/administrator/language/en-GB/en-GB.com_installer.ini
+++ b/administrator/language/en-GB/en-GB.com_installer.ini
@@ -123,6 +123,7 @@ COM_INSTALLER_MSG_DISCOVER_PURGEDDISCOVEREDEXTENSIONS="Cleared discovered extens
 COM_INSTALLER_MSG_ERROR_CANT_CONNECT_TO_UPDATESERVER="Can't connect to %s"
 COM_INSTALLER_MSG_INSTALL_ENTER_A_URL="Please enter a URL"
 COM_INSTALLER_MSG_INSTALL_INVALID_URL="Invalid URL"
+COM_INSTALLER_MSG_INSTALL_INVALID_URL_SCHEME="Please enter a valid URL starting with http or https."
 COM_INSTALLER_MSG_INSTALL_NO_FILE_SELECTED="No file selected."
 COM_INSTALLER_MSG_INSTALL_PATH_DOES_NOT_HAVE_A_VALID_PACKAGE="Path does not have a valid package."
 COM_INSTALLER_MSG_INSTALL_PLEASE_ENTER_A_PACKAGE_DIRECTORY="Please enter a package folder."
diff --git a/administrator/language/en-GB/en-GB.plg_installer_urlinstaller.ini b/administrator/language/en-GB/en-GB.plg_installer_urlinstaller.ini
index 0ef8437c7d8f..40264f3d317c 100644
--- a/administrator/language/en-GB/en-GB.plg_installer_urlinstaller.ini
+++ b/administrator/language/en-GB/en-GB.plg_installer_urlinstaller.ini
@@ -5,6 +5,5 @@
 
 PLG_INSTALLER_URLINSTALLER_BUTTON="Check and Install"
 PLG_INSTALLER_URLINSTALLER_INSTALLER_URLFOLDERINSTALLER="Installer - Install from URL."
-PLG_INSTALLER_URLINSTALLER_NO_URL="Please enter a URL."
 PLG_INSTALLER_URLINSTALLER_PLUGIN_XML_DESCRIPTION="This plugin allows you to install packages from a URL."
 PLG_INSTALLER_URLINSTALLER_TEXT="Install from URL"
diff --git a/plugins/installer/urlinstaller/tmpl/default.php b/plugins/installer/urlinstaller/tmpl/default.php
index 2812302b81b4..053f6799f37d 100644
--- a/plugins/installer/urlinstaller/tmpl/default.php
+++ b/plugins/installer/urlinstaller/tmpl/default.php
@@ -16,16 +16,9 @@
 	{
 		var form = document.getElementById("adminForm");
 
-		// do field validation 
-		if (form.install_url.value == "" || form.install_url.value == "http://" || form.install_url.value == "https://") {
-			alert("' . JText::_('PLG_INSTALLER_URLINSTALLER_NO_URL', true) . '");
-		}
-		else
-		{
-			JoomlaInstaller.showLoading();
-			form.installtype.value = "url"
-			form.submit();
-		}
+		JoomlaInstaller.showLoading();
+		form.installtype.value = "url"
+		form.submit();
 	};
 ');
 ?>
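Review bot: `form.installtype.value = "url"` on the new side has no terminating semicolon and relies on automatic semicolon insertion inside a script that is itself assembled in a PHP string literal; `form.installtype.value = "url";` keeps it explicit. Dropping the client-side empty-URL check is acceptable only because the server must now reject an empty or placeholder URL on its own — the `COM_INSTALLER_MSG_INSTALL_ENTER_A_URL` string in en-GB.com_installer.ini suggests that path exists, but it is not in this diff, so confirm it. The now-unused `PLG_INSTALLER_URLINSTALLER_NO_URL` key is removed consistently in its language file. The enclosing click handler opens before the hunk.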