#40465 With Admin Tools 7.4.9 I get 500 error on custom component

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
4.4.3
PHP version
8.2.17
Admin Tools version
7.4.9

Latest post by petekuhn on Wednesday, 20 March 2024 15:01 CDT

petekuhn

I installed v7.4.9 and ran Create .htaccess

One of my components got a 500 error unsafe-url. There were no blocked requests logged.

I installed v7.4.8 and ran Create .htaccess, and the problem went away.

The URL was SITEURL/?option=com_cscvolunteerhours&view=approve&Itemid

nicholas
Akeeba Staff
Manager

Your URL is wrong. Look at the last part &Itemid. The fact is that Itemid must always be a positive integer which corresponds to the primary key of a #__menu table entry. Since you have not provided a value, its implicit value is NULL which is equivalent to numeric zero (0). Therefore, it is an invalid value in Joomla!, which is why the Suspicious Core Parameter feature is correctly blocking it.

You need to fix your custom component.

For what it's worth, creating a .htaccess file is irrelevant. The bug fixed in 7.4.9 was that the Suspicious Core Parameter feature always applied the CMD filter instead of an appropriate filter per core parameter (you can see this is the case in the release notes of 7.4.9). 7.4.8 did not complain because a NULL value does satisfy the CMD filter which accepts either NULL, or any string consisting of the characters a-z, A-Z, numbers 0-9, dots, and underscores.

Nicholas K. Dionysopoulos

Lead Developer and Director

Greek: native • English: excellent • French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
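
An added illustration of the point in the reply above (not code from Admin Tools or Joomla!): a small PHP checker that flags URLs whose Itemid is not a positive integer and notes when a CMD-only check would have let the value through. The function names are hypothetical, the CMD rule is simplified from the description in the reply, and the sample URLs are constructed.

```php
<?php
// Added illustration; not code from Admin Tools or Joomla!.

// Simplified CMD-style rule as described in the reply above:
// NULL, or only a-z, A-Z, 0-9, dots and underscores.
function passesCmdStyle(?string $v): bool
{
    return $v === null || preg_match('/^[A-Za-z0-9._]*$/', $v) === 1;
}

// Itemid rule from the reply: a positive integer (a #__menu primary key).
function isPositiveInt(?string $v): bool
{
    return $v !== null && preg_match('/^[1-9][0-9]*$/', $v) === 1;
}

// Classify one URL by its Itemid parameter.
function auditItemid(string $url): string
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) {
        return 'no Itemid';
    }
    foreach (explode('&', $query) as $pair) {
        $parts = explode('=', $pair, 2);
        if (urldecode($parts[0]) !== 'Itemid') {
            continue;
        }
        // "&Itemid" and "&Itemid=" both carry no value; treat them as NULL.
        $value = (isset($parts[1]) && $parts[1] !== '') ? urldecode($parts[1]) : null;
        if (isPositiveInt($value)) {
            return 'ok';
        }
        return passesCmdStyle($value)
            ? 'invalid Itemid (a CMD-only check would pass it)'
            : 'invalid Itemid';
    }
    return 'no Itemid';
}

// Constructed sample URLs; the first mirrors the shape of the URL in the ticket.
$base = 'https://example.com/?option=com_cscvolunteerhours&view=approve';
foreach (['&Itemid', '&Itemid=0', '&Itemid=123', '&Itemid=-5', ''] as $suffix) {
    printf("%-48s %s\n", auditItemid($base . $suffix), $base . $suffix);
}
```

Running it over the links a custom component generates shows which ones still carry a stray or empty Itemid.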

nicholas
Akeeba Staff
Manager

Oh, yes, by the way… If you want to understand what Itemid is and what it does (and how it can trip you up when developing a custom component), I have explained it in https://www.dionysopoulos.me/book/com-router-abandon-all-hope.html.

As to why the Suspicious Core Parameter feature checks for invalid values: if Joomla! detects an empty Itemid it used to be the case that it would display the page as if you provided the Itemid of the menu item marked as Home. That was the case in Joomla! 1.5 through 3.10 inclusive. Starting with Joomla! 4, this is no longer the case. You actually have a menu item ID of 0 which does not match any menu item. This means that the modules you see on the page are the modules set up to display in all pages (i.e. all menu items), not the modules set up to display in the Home menu item. While on most sites this might not be a problem, if you have set up your site in a way that modules display on pages except those selected (module assignment -> On all pages except those selected) you will start seeing modules you didn't expect, which will mislead you into thinking that Joomla! is broken when, in fact, it is doing exactly what you told it to do, even though what you told it to do was nonsensical. This is known to attackers who will use this underhanded method to possibly try to peek at module content they are not supposed to see. You see the problem now, right? So, yes, it is very desirable to block this kind of practice with the Suspicious Core Parameter feature. There is method to its madness ;)

petekuhn

Thanks. This all makes sense.

Actually, the Itemid param was an attempt to fix a problem I had with Joomla 4 where it would use the home page layout if I called a component view which had no associated menu item. I have since fixed this problem in my component Dispatcher, but I missed deleting this parameter in all cases.