joomla / jed-issues

Joomla! Extensions Directory - Issue Tracker

Softening the requirement to use _JEXEC security in the code (PH2) #215

Closed dryabov closed 3 years ago

dryabov commented 3 years ago

The standard _JEXEC guard

defined('_JEXEC') or die;

was introduced in Joomla! 1.0. At that time OOP wasn't so popular, and most of the files in 3rd-party extensions were a mess of includes, function declarations, and actual code. As a result, those files could be used as an entry point, i.e. requested directly and executed. And the _JEXEC guard effectively solved this kind of issue.

Nowadays, thanks to the class loader, most PHP files are just a class declaration without any other code that can be executed directly and lead to a security issue. That's why I suggest modifying the PH2 rule from the JED knowledgebase (https://extensions.joomla.org/support/knowledgebase/error-codes/submission-error-codes/) by allowing the _JEXEC guard to be omitted for declaration-only files that

PS. Corresponding patch for JED Checker is awaiting here: https://github.com/joomla-extensions/jedchecker/pull/75

Llewellynvdm commented 3 years ago

This is not going to happen any time soon as far as I can tell. This is a very basic and simple security measure, and yes it may not always be needed, but it is not really in the way either.

The only exception to this rule is with external libraries. So if you need direct access to a file via CLI or otherwise, use this convention: https://github.com/joomla/joomla-cms/blob/staging/cli/update_cron.php#L16
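To make the two positions in this thread concrete, here is an added, self-contained PHP demonstration that is not code from the issue or from the Joomla! project. It writes three constructed sample files to a temporary directory (a legacy-style file with code at file scope and the `defined('_JEXEC') or die;` guard, the same file without the guard, and a declaration-only class file), then runs each in a child PHP process to stand in for a direct request, and finally runs an entry script that defines `_JEXEC` itself before including them, which is the CLI convention the linked `update_cron.php` follows. The file names, the `runDirect()` helper and the use of `PHP_BINARY` are assumptions of this example; it needs only a PHP CLI.

```php
<?php
// Added example (not from the jed-issues thread or Joomla!): what the _JEXEC
// guard protects, and why a declaration-only file has nothing to protect.

$dir = sys_get_temp_dir() . '/jexec_demo_' . bin2hex(random_bytes(4));
mkdir($dir);

// Constructed sample 1: legacy-style file, guard present. Code at file scope
// only runs when the including script has defined _JEXEC.
$sources['legacy_guarded.php'] = <<<'PHP'
<?php
defined('_JEXEC') or die;

function legacy_greeting(): string
{
    return 'hello from legacy_guarded.php';
}

echo legacy_greeting(), "\n";   // executable statement at file scope
PHP;

// Constructed sample 2: the same file with the guard missing. Requesting it
// directly executes its file-scope code, which is the risk PH2 targets.
$sources['legacy_unguarded.php'] = <<<'PHP'
<?php
function legacy_greeting_unguarded(): string
{
    return 'hello from legacy_unguarded.php';
}

echo legacy_greeting_unguarded(), "\n";
PHP;

// Constructed sample 3: modern declaration-only file for the class loader.
// No guard, but also no statement that runs when the file is requested.
$sources['ModernHelper.php'] = <<<'PHP'
<?php
class ModernHelper
{
    public static function greeting(): string
    {
        return 'hello from ModernHelper::greeting()';
    }
}
PHP;

// Entry script following the CLI convention: define _JEXEC first, then load.
$sources['entry.php'] = <<<'PHP'
<?php
const _JEXEC = 1;

require __DIR__ . '/legacy_guarded.php';   // guard passes, file-scope code runs
require __DIR__ . '/ModernHelper.php';     // only declares the class
echo ModernHelper::greeting(), "\n";
PHP;

foreach ($sources as $name => $code) {
    file_put_contents($dir . '/' . $name, $code);
}

// Run one file in a child PHP process (stands in for a direct HTTP request)
// and return its captured output and exit code.
function runDirect(string $file): array
{
    $cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($file) . ' 2>&1';
    exec($cmd, $lines, $code);
    return ['output' => implode("\n", $lines), 'exit' => $code];
}

foreach (array_keys($sources) as $name) {
    $r = runDirect($dir . '/' . $name);
    printf("%-22s exit=%d output=%s\n", $name, $r['exit'],
        $r['output'] === '' ? '(none)' : json_encode($r['output']));
}

// Cleanup of the temporary files.
foreach (array_keys($sources) as $name) {
    unlink($dir . '/' . $name);
}
rmdir($dir);
```

Run it with `php jexec_demo.php`. The guarded legacy file and the declaration-only class file both produce no output when requested directly, but for different reasons: the first is stopped by `die`, the second simply has nothing to execute. The unguarded legacy file prints its greeting on a direct request, which is the case the PH2 check exists to catch, while `entry.php` shows that once `_JEXEC` is defined by the real entry point, the guarded file behaves normally.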