Merge branch '3.10-dev' into 4.0-dev

.github/SECURITY.md

@@ -11,7 +11,7 @@ This document outlines security procedures and policies for the `Joomla! Project
 
 The `Joomla` team and community take all security bugs in `Joomla` seriously. The Joomla! Security Strike Team (JSST) oversees the project's security issues and follows some specific procedures when dealing with these issues.
 
-If you find a possible vulnerability, please report it to the JSST using the [online form](https://developer.joomla.org/security/contact-the-team.html) or via email at [email protected] 
+If you find a possible vulnerability, please report it to the JSST using the [online form](https://developer.joomla.org/security/contact-the-team.html) or via email at [email protected]
 
 We maintain a list of [GPG keys and addresses](https://developer.joomla.org/security/gpg-keys.html) for the [email protected] address and members of the JSST to allow signed and encrypted communications.
 

administrator/components/com_categories/src/Model/CategoryModel.php

@@ -379,6 +379,32 @@ protected function loadFormData()
 		return $data;
 	}
 
+	/**
+	 * Method to validate the form data.
+	 *
+	 * @param   JForm   $form   The form to validate against.
+	 * @param   array   $data   The data to validate.
+	 * @param   string  $group  The name of the field group to validate.
+	 *
+	 * @return  array|boolean  Array of filtered data if valid, false otherwise.
+	 *
+	 * @see     JFormRule
+	 * @see     JFilterInput
+	 * @since   3.9.23
+	 */
+	public function validate($form, $data, $group = null)
+	{
+		if (!JFactory::getUser()->authorise('core.admin', $data['extension']))
+		{
+			if (isset($data['rules']))
+			{
+				unset($data['rules']);
+			}
+		}
+
+		return parent::validate($form, $data, $group);
+	}
+
 	/**
 	 * Method to preprocess the form.
 	 *

administrator/components/com_config/forms/application.xml

@@ -150,6 +150,7 @@
 			showon="cache_handler:redis"
 			autocomplete="off"
 			size="30"
+			hint="***************"
 		/>
 
 		<field
@@ -367,6 +368,7 @@
 			showon="ftp_enable:1"
 			autocomplete="off"
 			size="25"
+			hint="***************"
 		/>
 
 		<field
@@ -435,6 +437,7 @@
 			showon="proxy_enable:1"
 			autocomplete="off"
 			size="25"
+			hint="***************"
 		/>
 
 	</fieldset>
@@ -613,6 +616,7 @@
 			filter="raw"
 			autocomplete="off"
 			size="30"
+			hint="***************"
 		/>
 
 	</fieldset>
@@ -898,6 +902,7 @@
 			showon="session_handler:redis"
 			autocomplete="off"
 			size="30"
+			hint="***************"
 		/>
 
 		<field

administrator/components/com_config/src/Model/ApplicationModel.php

@@ -44,6 +44,14 @@
  */
 class ApplicationModel extends FormModel
 {
+	/**
+	 * Array of protected password fields from the configuration.php
+	 *
+	 * @var    array
+	 * @since  3.9.23
+	 */
+	private $protectedConfigurationFields = array('password', 'secret', 'ftp_pass', 'smtppass', 'redis_server_auth', 'session_redis_server_auth');
+
 	/**
 	 * Method to get a form object.
 	 *
@@ -278,6 +286,15 @@ public function validateDbConnection($data)
 			}
 		}
 
+		// Unset all protected config fields to empty
+		foreach ($this->protectedConfigurationFields as $fieldKey)
+		{
+			if (isset($data[$fieldKey]))
+			{
+				$data[$fieldKey] = '';
+			}
+		}
+
 		return $data;
 	}
 
@@ -294,6 +311,15 @@ public function save($data)
 	{
 		$app = Factory::getApplication();
 
+		// Try to load the values from the configuration file
+		foreach ($this->protectedConfigurationFields as $fieldKey)
+		{
+			if (isset($data[$fieldKey]) && empty($data[$fieldKey]))
+			{
+				$data[$fieldKey] = $app->get($fieldKey);
+			}
+		}
+
 		// Check that we aren't setting wrong database configuration
 		$options = array(
 			'driver'   => $data['dbtype'],

administrator/components/com_config/src/Model/ComponentModel.php

@@ -185,6 +185,11 @@ public function save($data)
 		// Save the rules.
 		if (isset($data['params']) && isset($data['params']['rules']))
 		{
+			if (!Factory::getUser()->authorise('core.admin', $data['option']))
+			{
+				throw new \RuntimeException(Text::_('JLIB_APPLICATION_ERROR_SAVE_NOT_PERMITTED'));
+			}
+
 			$rules = new Rules($data['params']['rules']);
 			$asset = Table::getInstance('asset');
 

administrator/components/com_content/src/Model/ArticleModel.php

@@ -671,6 +671,14 @@ public function validate($form, $data, $group = null)
 			}
 		}
 
+		if (!JFactory::getUser()->authorise('core.admin', 'com_content'))
+		{
+			if (isset($data['rules']))
+			{
+				unset($data['rules']);
+			}
+		}
+
 		return parent::validate($form, $data, $group);
 	}
 

administrator/components/com_fields/src/Model/FieldModel.php

@@ -921,6 +921,32 @@ protected function loadFormData()
 		return $data;
 	}
 
+	/**
+	 * Method to validate the form data.
+	 *
+	 * @param   JForm   $form   The form to validate against.
+	 * @param   array   $data   The data to validate.
+	 * @param   string  $group  The name of the field group to validate.
+	 *
+	 * @return  array|boolean  Array of filtered data if valid, false otherwise.
+	 *
+	 * @see     JFormRule
+	 * @see     JFilterInput
+	 * @since   3.9.23
+	 */
+	public function validate($form, $data, $group = null)
+	{
+		if (!JFactory::getUser()->authorise('core.admin', 'com_fields'))
+		{
+			if (isset($data['rules']))
+			{
+				unset($data['rules']);
+			}
+		}
+
+		return parent::validate($form, $data, $group);
+	}
+
 	/**
 	 * Method to allow derived classes to preprocess the form.
 	 *

administrator/components/com_fields/src/Model/GroupModel.php

@@ -265,6 +265,32 @@ protected function preprocessForm(Form $form, $data, $group = 'content')
 		}
 	}
 
+	/**
+	 * Method to validate the form data.
+	 *
+	 * @param   JForm   $form   The form to validate against.
+	 * @param   array   $data   The data to validate.
+	 * @param   string  $group  The name of the field group to validate.
+	 *
+	 * @return  array|boolean  Array of filtered data if valid, false otherwise.
+	 *
+	 * @see     JFormRule
+	 * @see     JFilterInput
+	 * @since   3.9.23
+	 */
+	public function validate($form, $data, $group = null)
+	{
+		if (!JFactory::getUser()->authorise('core.admin', 'com_fields'))
+		{
+			if (isset($data['rules']))
+			{
+				unset($data['rules']);
+			}
+		}
+
+		return parent::validate($form, $data, $group);
+	}
+
 	/**
 	 * Method to get the data that should be injected in the form.
 	 *

administrator/components/com_joomlaupdate/restore.php

@@ -869,7 +869,7 @@ public function __construct()
 	 */
 	public function __wakeup()
 	{
-		if ($this->currentPartNumber >= 0)
+		if ($this->currentPartNumber >= 0 && !empty($this->archiveList[$this->currentPartNumber]))
 		{
 			$this->fp = @fopen($this->archiveList[$this->currentPartNumber], 'rb');
 			if ((is_resource($this->fp)) && ($this->currentPartOffset > 0))

administrator/components/com_menus/src/Model/MenuModel.php

@@ -205,6 +205,32 @@ protected function loadFormData()
 		return $data;
 	}
 
+	/**
+	 * Method to validate the form data.
+	 *
+	 * @param   JForm   $form   The form to validate against.
+	 * @param   array   $data   The data to validate.
+	 * @param   string  $group  The name of the field group to validate.
+	 *
+	 * @return  array|boolean  Array of filtered data if valid, false otherwise.
+	 *
+	 * @see     JFormRule
+	 * @see     JFilterInput
+	 * @since   3.9.23
+	 */
+	public function validate($form, $data, $group = null)
+	{
+		if (!JFactory::getUser()->authorise('core.admin', 'com_menus'))
+		{
+			if (isset($data['rules']))
+			{
+				unset($data['rules']);
+			}
+		}
+
+		return parent::validate($form, $data, $group);
+	}
+
 	/**
 	 * Method to save the form data.
 	 *

administrator/components/com_modules/src/Model/ModuleModel.php

@@ -903,6 +903,30 @@ protected function preprocessForm(Form $form, $data, $group = 'content')
 		parent::preprocessForm($form, $data, $group);
 	}
 
+	/**
+	 * Loads ContentHelper for filters before validating data.
+	 *
+	 * @param   object  $form   The form to validate against.
+	 * @param   array   $data   The data to validate.
+	 * @param   string  $group  The name of the group(defaults to null).
+	 *
+	 * @return  mixed  Array of filtered data if valid, false otherwise.
+	 *
+	 * @since   1.1
+	 */
+	public function validate($form, $data, $group = null)
+	{
+		if (!Factory::getUser()->authorise('core.admin', 'com_modules'))
+		{
+			if (isset($data['rules']))
+			{
+				unset($data['rules']);
+			}
+		}
+
+		return parent::validate($form, $data, $group);
+	}
+
 	/**
 	 * Method to save the form data.
 	 *

administrator/components/com_privacy/src/Controller/RequestController.php

@@ -145,6 +145,9 @@ public function complete($key = null, $urlVar = null)
 	 */
 	public function emailexport()
 	{
+		// Check for request forgeries.
+		$this->checkToken('get');
+
 		/** @var ExportModel $model */
 		$model = $this->getModel('Export');
 

administrator/components/com_privacy/tmpl/requests/default.php

@@ -78,7 +78,7 @@
 									<?php if ($item->status == 1 && $item->request_type === 'export') : ?>
 										<a class="btn tbody-icon" href="<?php echo Route::_('index.php?option=com_privacy&task=request.export&format=xml&id=' . (int) $item->id); ?>" title="<?php echo Text::_('COM_PRIVACY_ACTION_EXPORT_DATA'); ?>"><span class="icon-download" aria-hidden="true"></span><span class="sr-only"><?php echo Text::_('COM_PRIVACY_ACTION_EXPORT_DATA'); ?></span></a>
 										<?php if ($this->sendMailEnabled) : ?>
-											<a class="btn tbody-icon" href="<?php echo Route::_('index.php?option=com_privacy&task=request.emailexport&id=' . (int) $item->id); ?>" title="<?php echo Text::_('COM_PRIVACY_ACTION_EMAIL_EXPORT_DATA'); ?>"><span class="icon-envelope" aria-hidden="true"></span><span class="sr-only"><?php echo Text::_('COM_PRIVACY_ACTION_EMAIL_EXPORT_DATA'); ?></span></a>
+											<a class="btn tbody-icon" href="<?php echo Route::_('index.php?option=com_privacy&task=request.emailexport&id=' . (int) $item->id . '&' . Factory::getSession()->getFormToken() . '=1'); ?>" title="<?php echo Text::_('COM_PRIVACY_ACTION_EMAIL_EXPORT_DATA'); ?>"><span class="icon-envelope" aria-hidden="true"></span><span class="sr-only"><?php echo Text::_('COM_PRIVACY_ACTION_EMAIL_EXPORT_DATA'); ?></span></a>
 										<?php endif; ?>
 									<?php endif; ?>
 									<?php if ($item->status == 1 && $item->request_type === 'remove') : ?>

administrator/components/com_users/src/Model/UsersModel.php

@@ -27,6 +27,14 @@
  */
 class UsersModel extends ListModel
 {
+	/**
+	 * A blacklist of filter variables to not merge into the model's state
+	 *
+	 * @var    array
+	 * @since  3.9.23
+	 */
+	protected $filterBlacklist = array('groups', 'excluded');
+
 	/**
 	 * Override parent constructor.
 	 *

administrator/language/en-GB/lib_joomla.ini

@@ -575,6 +575,7 @@ JLIB_INSTALLER_AVAILABLE_UPDATE_DB_TYPE="For the extension %1$s version %2$s is
 JLIB_INSTALLER_AVAILABLE_UPDATE_PHP_VERSION="For the extension %1$s version %2$s is available, but it requires at least PHP version %3$s while your system only has %4$s"
 JLIB_INSTALLER_DEFAULT_STYLE="%s - Default"
 JLIB_INSTALLER_DISCOVER="Discover"
+JLIB_INSTALLER_DISCOVER_INSTALL="Discover Install"
 JLIB_INSTALLER_ERROR_CANNOT_UNINSTALL_CHILD_OF_PACKAGE="The %s extension is part of a package which does not allow individual extensions to be uninstalled."
 JLIB_INSTALLER_ERROR_COMP_DISCOVER_STORE_DETAILS="Component Discover install: Failed to store component details."
 JLIB_INSTALLER_ERROR_COMP_FAILED_TO_CREATE_DIRECTORY="Component %1$s: Failed to create folder: %2$s."

components/com_content/src/View/Category/FeedView.php

@@ -65,7 +65,12 @@ protected function reconcileNames($item)
 			$item->slug = $item->alias ? ($item->id . ':' . $item->alias) : $item->id;
 
 			// URL link to article
-			$link = Route::_(RouteHelper::getArticleRoute($item->slug, $item->catid, $item->language));
+			$link = Route::_(
+				RouteHelper::getArticleRoute($item->slug, $item->catid, $item->language),
+				true,
+				$app->get('force_ssl') == 2 ? \JRoute::TLS_FORCE : \JRoute::TLS_IGNORE,
+				true
+			);
 
 			$item->description .= '<p class="feed-readmore"><a target="_blank" href="' . $link . '" rel="noopener">'
 				. Text::_('COM_CONTENT_FEED_READMORE') . '</a></p>';

components/com_content/src/View/Featured/FeedView.php

@@ -59,7 +59,7 @@ public function display($tpl = null)
 			$row->slug = $row->alias ? ($row->id . ':' . $row->alias) : $row->id;
 
 			// URL link to article
-			$link = Route::_(RouteHelper::getArticleRoute($row->slug, $row->catid, $row->language));
+			$link = RouteHelper::getArticleRoute($row->slug, $row->catid, $row->language);
 
 			$description = '';
 			$obj = json_decode($row->images);
@@ -77,7 +77,7 @@ public function display($tpl = null)
 			// Load individual item creator class
 			$item           = new FeedItem;
 			$item->title    = $title;
-			$item->link     = $link;
+			$item->link     = Route::_($link);
 			$item->date     = $row->publish_up;
 			$item->category = array();
 
@@ -107,7 +107,8 @@ public function display($tpl = null)
 			// Add readmore link to description if introtext is shown, show_readmore is true and fulltext exists
 			if (!$params->get('feed_summary', 0) && $params->get('feed_show_readmore', 0) && $row->fulltext)
 			{
-				$description .= '<p class="feed-readmore"><a target="_blank" href="' . $item->link . '" rel="noopener">'
+				$link = Route::_($link, true, $app->get('force_ssl') == 2 ? Route::TLS_FORCE : Route::TLS_IGNORE, true);
+				$description .= '<p class="feed-readmore"><a target="_blank" href="' . $link . '" rel="noopener">'
 					. Text::_('COM_CONTENT_FEED_READMORE') . '</a></p>';
 			}