Joomla updater fails on certain server configuration

[n3t]

Steps to reproduce the issue

Install Joomla 3.9.26 to path with @ symbol in it (for example /webs/example.com/htdocs/@default/www)
Try to run Joomla updater.

Expected result

Joomla is updated to 3.9.27.

Actual result

Update fails, "Could no open archive part file ... for reading." error is displayed.

System information (as much as possible)

Joomla install path containing @ character.

Additional comments

IMHO related to #33151 and joomla-framework/filter#48 introduced in Joomla Updater in 3.9.25 version.
The issue is caused by calling InputFilter on tmp path from global configuration here

joomla-cms/administrator/components/com_joomlaupdate/models/default.php

Line 306 in be8a442

$tempdir = (string) InputFilter::getInstance(array(), array(), 1, 1)->clean($config->get('tmp_path'), 'path');

Joomla 3.9.27 does not solve this issue.

[richard67]

Who has such silly paths on a normal environment?

[n3t]

Hosting one of my clients use :)

[richard67]

Can’t they just change that? It’s really very uncommon to have such paths.

[n3t]

I asked, but for some reason, they could not (or don't want or are just lazy). They argued, that the path is legal (even with uncommon character in it).

Anyway the filter is IMHO not correct, as not only @ will cause this issue, even spaces, international characters and anything else than basic characters. I understand that usage of such characters in path is uncommon, on the other hand it is still legal path...

[brianteeman]

Just because its legal (on *nix there is only one illegal character) doesnt mean it is sensible.

[n3t]

As I said before, I understand that using "uncommon" (mainly UTF) characters is not good practice, it could cause issues on transfer to other host, during FTP connection etc... However I am experiencing this issue now, and I am not able to influence it (path is given by hosting). 3.9.25 brought big BC change, causing unability to update such sites. I think that the filter should be at least widen to additional characters from base ISO chcaracter set, not only @, but for example ~ is also often used character in path by *nix administrators (at least those I met), also hidden paths on *nix (starting with dot) will not pass the filter.

Also, how it is handled now in Joomla is not correct. The clean path filter returns empty string, if the path does not fit the regex. This causes completely wrong error message (Could not open archive, infinite loop and other), making it very difficult to detect what is going on. Also in global config there is no check or information on this. I didn't find tis in documentation. This all brings very bad user experience.

[brianteeman]

also hidden paths on *nix (starting with dot) will not pass the filter.

That is the entire point of the filter

[n3t]

Ok, I missed this. Is anything wrong with hidden folders?

[PhocaCz]

Hi,

so the question now is, is this security fix or not?

• If yes, where exactly it is described?

• If no, does it make sense to change it in minor version, especially if the Joomla user cannot control this and is dependent on the rules set on the hosting?

I by myself hate the file and folder names including specific characters like spaces, diacritics, etc. But the problem here is not banning some characters in file or folder names but changing this rule in minor version.

I don't know how often is e.g. "@" character used in folder paths but in case of "." it is standard feature on *nix and I am not sure if we can ignore probably most used OS on servers? Of course, if this will be security issue or a change done in major version, then it can be understandable.

It reminds me a bit of this topic, where it was claimed from the beginning that the problem is on the user's side and then it was enough to remove the unnecessary function (toLowerCase ()).

#30155

This is why I ask, if this is a deliberate security fix? If yes, are there some additional info. Such can be used in arguments with server hosting provider to be willing to change the characters used in the folder paths. (of course, doable for "@", '.' as standard feature cannot be changed).

[GeraintEdwards]

also hidden paths on *nix (starting with dot) will not pass the filter.

That is the entire point of the filter

Setting Joomla temp directory or logs directory in a *nix hidden folder is a security enhancement. Such a folder can't be indexed or seen by a browser even if the site is poorly configured and site indexing has been enabled by mistake.

Additionally installing test installations of Joomla in a hidden sub-folder is another security enhancement - there is no way for a search bot to accidentally find the hidden installation and reveal a test or development site to the world.

[chmst]

Closing this one for J3 as it is open for J4