Closed SniperSister closed 1 week ago
@ramalama can you open https://issues.joomla.org/tracker/joomla-cms/44428 and
Now the test counts as successful.
I have tested this item :white_check_mark: successfully on 4982fc90bfe720500367575becf1d1bc2e1faf3c
Tested successfully as described.
Log Entries before and after identical.
The test instruction doesn't appear to run the new method. Please confirm.
As described, there is no option to execute the method in core. That’s why the purpose of the instructions is to confirm that legitimate use cases of that class are unaffected.
I have tested this item :white_check_mark: successfully on 2ed7d8485477aeab6ac1bd30a3298b46fef38551
RTC
Thank you for your contribution!
Summary of Changes
The current implementation of the FormattedTextLogger class creates a potential code execution vulnerability if either Joomla core itself or a third-party extension had an object injection vulnerability via unserialization of user-supplied input. This PR adds an exception message for that very specific case, preventing such an attack payload from being written.
YES, I'm aware that this is a theoretical b/c break. However, weighing the pros and cons of the current implementation, I think that it's a useful change nonetheless.
Testing Instructions
Apply patch, create a log message by trying to log in to the administrator site with wrong credentials.
Actual result BEFORE applying this Pull Request
Log file is written
Expected result AFTER applying this Pull Request
Log file is written
Link to documentations
Please select:
[ ] Documentation link for docs.joomla.org:
[X] No documentation changes for docs.joomla.org needed
[ ] Pull Request link for manual.joomla.org:
[X] No documentation changes for manual.joomla.org needed
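To illustrate the mitigation pattern the PR description refers to (a file-writing logger that must never be reachable through unserialize()), here is an added example that is not Joomla's code and not this PR's patch; the class name, property name and file path are hypothetical.

```php
<?php
// Added example, not Joomla's code: a minimal file-writing logger in the
// spirit of the class described above, hardened so it cannot be rebuilt by
// unserialize(). Class and property names are hypothetical.
declare(strict_types=1);

final class HardenedFileLogger
{
    private string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // Legitimate use: the application constructs the logger itself and
    // appends formatted entries to the file it chose.
    public function write(string $line): void
    {
        file_put_contents($this->path, $line . PHP_EOL, FILE_APPEND);
    }

    // PHP invokes __wakeup() when unserialize() rebuilds an instance. A
    // file-writing object has no business arriving that way, so refuse:
    // user-controlled serialized data can then never yield a logger whose
    // path and content the attacker picked (the concern the PR addresses).
    public function __wakeup(): void
    {
        throw new \RuntimeException(self::class . ' must not be unserialized.');
    }
}

// Normal operation is unaffected.
$logger = new HardenedFileLogger(sys_get_temp_dir() . '/hardened-logger-demo.log');
$logger->write(date('c') . ' INFO demo entry');

// Object-injection path. Constructed input: the serialized form of this class
// with no properties; __wakeup() throws before any file is touched.
$serialized = 'O:18:"HardenedFileLogger":0:{}';
try {
    unserialize($serialized);
} catch (\RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// Defense in depth at the call site: when only scalars and arrays are expected,
// forbid object creation; PHP yields a __PHP_Incomplete_Class and skips __wakeup().
$result = unserialize($serialized, ['allowed_classes' => false]);
echo get_class($result), PHP_EOL;
```

The same idea carries over to any class whose destructor or wakeup logic touches the filesystem: the legitimate construction path keeps working, while an instance reconstructed from untrusted serialized data is refused before it can act.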