Community Blog


Thu 08 Jan 2009

Test First then Submit Report

Written by Sam Moffatt

In the last few days I've seen two issues reported with Joomla!, both of them invalid. The first of the issues I saw was a legitimate problem that we had ended up fixing. This problem in particular only occurs when third party developers alter our tables, erroneously injecting invalid data (see my blog post earlier about not hacking the Core), and whilst the reporter had said that they had replicated it on 1.5.8, the sample they provided didn't work because we had fixed the problem for 1.5.8's release. Whilst a 'symptom' of the bug appeared in some cases, the actual issue didn't resurface. The lesson here is that even if it looks the same you need to work through the entire process to reconfirm the bug before reporting. It is also a case for keeping up with the latest release, because we fix other issues as well as security ones.

The other issue that I saw was a "0day vulnerability in the wild". That's the sort of email subject that we are especially alert to and follow up immediately. The issue in question concerned the way we handle password reset tokens, and the reporter claimed that there was a potential for SQL injection via the token entry form in the reset part of the user component. They provided the steps to replicate it and also provided the solution, which I will copy here for reference:

Proposed fix:
    In ./components/com_user/controller.php
        In function confirmreset():
    Between the two lines:
    ----------------------------------------------------------------
        $token = JRequest::getVar('token', null, 'post', 'alnum');

        // Get the model
    ----------------------------------------------------------------
    This should be changed to:
    ----------------------------------------------------------------
        $token = JRequest::getVar('token', null, 'post', 'alnum');
        $token = mysql_real_escape_string($token);
        // Get the model
    ----------------------------------------------------------------

As we can see, the issue in the reporter's mind is that JRequest::getVar needs to have its input escaped (the addition of mysql_real_escape_string). Let's just have a look at getVar: it's a function that takes five arguments, with the fourth being the "return type for the variable, for valid values see JFilterInput::clean()". In this case we've selected "alnum", which is the alphanumeric filter. This filter strips anything that isn't a number or a letter, which is good since the token should be hexadecimal anyway. This also makes the mysql_real_escape_string rather pointless, because on an alphanumeric string it just returns the string back unchanged. However, the next part that gets called is the reset model's "confirmReset" function, which gets this token passed to it and has the following line:

$db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));

As we can see here, the token gets run through the Quote function of the database class. If we look at this function, it takes two arguments, the first being the string and the second being a switch to toggle 'escaping' the text, which defaults to true. The net effect of this is that it eventually calls "mysql_real_escape_string" in the database driver, which is the item that the reporter originally suggested. As a side note, we try to avoid calling "mysql_real_escape_string" directly in these places because the user may not actually be running on MySQL, which is why the database adapters provide the string escaping functions. This way, if the user does switch database systems, the string is still appropriately quoted.
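To make the two layers concrete, here is an added example (my own illustration, not Joomla core code) that models the 'alnum' filter and the adapter's Quote function and shows that the filtered token reaches the query already quoted and escaped. The function names filterAlnum, driverEscape, quote and buildResetQuery are assumptions chosen for this example; driverEscape is a stand-in for the driver-specific escaper rather than mysql_real_escape_string itself, since the mysql extension no longer exists in PHP 7 and later.

```php
<?php
// Added example, not Joomla core code. Models the two layers the post walks through:
// 1) an 'alnum' input filter (stands in for JFilterInput::clean($var, 'alnum'))
// 2) a database-adapter quote function (stands in for JDatabase::Quote())
// All function names here are assumptions made for this illustration.

function filterAlnum(string $value): string
{
    // Keep only ASCII letters and digits, as the alnum filter does.
    return preg_replace('/[^A-Za-z0-9]/', '', $value);
}

// Stand-in for the driver's escape routine. The real adapter delegates to the
// database-specific escaper (on MySQL that was mysql_real_escape_string).
function driverEscape(string $value): string
{
    return str_replace(
        ["\\", "\0", "\n", "\r", "'", '"', "\x1a"],
        ["\\\\", "\\0", "\\n", "\\r", "\\'", '\\"', "\\Z"],
        $value
    );
}

// Mirrors Quote($text, $escaped = true): escape by default, then wrap in quotes.
function quote(string $text, bool $escaped = true): string
{
    return "'" . ($escaped ? driverEscape($text) : $text) . "'";
}

// The controller filters the token; the model quotes it into the query.
function buildResetQuery(string $rawToken): string
{
    $token = filterAlnum($rawToken);
    return 'SELECT id FROM #__users WHERE block = 0 AND activation = ' . quote($token);
}

// Constructed inputs: a well-formed hex token and a string containing SQL
// metacharacters (quotes, spaces, an equals sign).
$wellFormed = '9f86d081884c7d659a2feaa0c55ad015';
$withMetachars = "abc' OR '1'='1";

echo buildResetQuery($wellFormed), PHP_EOL;
echo buildResetQuery($withMetachars), PHP_EOL;

// The alnum filter already removed every quote and space, so running the driver
// escaper on the filtered token changes nothing: the reporter's extra escape
// call is a no-op, while Quote() still escapes and quotes as the second layer.
$filtered = filterAlnum($withMetachars);
var_dump(driverEscape($filtered) === $filtered);
```

Running this prints the two generated queries, the second with every non-alphanumeric character stripped from the token before Quote() wraps it, followed by the comparison showing that escaping the filtered token is an identity operation. The point the post makes stands either way: the value that reaches setQuery has passed through both the input filter and the adapter's escaping, independent of the database driver in use.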

So whilst it's great that we have people reporting issues, try to test and replicate the issue before you send it to us. In both of these cases, actually trying the issue would have shown that the problem had been fixed or didn't exist.


Thu 08 Jan 2009

Joomla! developer toolbox

Written by Wilco Jansen

Smashing Magazine did a nice article about Joomla! called "Joomla! developer toolbox". The article is basically a big reference to all kinds of Joomla! resources that can be used to develop a website based on Joomla!.

Rock on!

Wed 07 Jan 2009

Meet in real life at a Joomla! Event

Written by Alex Kempkens

Last year there were about 20 Joomla!Days and other Joomla related events worldwide. It was a very exciting year with a lot of people meeting all over the world. I'd like to thank all the organizers worldwide for their contribution to the project and the intensive work they did. All I heard was that the events are great and that people love to attend them - this is really the best feedback you can get and shows the great work you did. Thank you!

And the events are still going on. 2009 has just started and already the first Joomla!Day will take place in Izmir, Turkey, followed by Melbourne, Australia. For longer term planning there are events scheduled in the Netherlands and the United Kingdom. In the UK especially, registration is already open and you can get a special offer for booking your tickets early. The Joomla!Day in the UK will be an interesting event, as many good speakers have already agreed to come. With your booking you can support the event and make it easier to meet these people in real life. And you never know what happens if so many members of the working groups are in one spot at one time ;-).

The first expo we are going to visit this year will be FOSDEM in Belgium. Joomla has a stand at the exhibition and we will certainly look to do some presentations. As this event is pretty close to the Development Coordinator summit, you can be certain to get some of the very latest news about 1.6 during this event. Check out the forum and send us a comment if you can join in.

Last but not least, we got the application for a Joomla!Day in Indonesia, which is really great. We are still looking for Joomla!Days worldwide, as we would like to bring Joomla to your region as well. If you are interested in organizing an event, or you would just like to see one, please post a comment in the events forum. It is pretty likely that you will find someone near you who can help you with the event. The events team will also support you in getting your local event organized. We have a good team of organizers who already have experience in their countries and can support you as well. Please send your event suggestion as a post in the forum and we will pick it up from there.


Wed 07 Jan 2009

Stormy Peters: The Role of Consumers Within an Open Source Community

Written by Amy Stephen


Stormy Peters, executive director of the GNOME Foundation, published an article entitled The Role of Consumers Within an Open Source Community in this month's Open Source Business Resource.

Users are the target audience for GNOME. The GNOME Project's goal is universal access. Making sure technology is available to anyone, not just technical people, regardless of culture, financial well-being or physical ability, is what GNOME is all about. The fact that people use it makes the project a success, keeps the developers happy, and keeps the whole thing going.

In this article, Stormy points out the importance of understanding the needs of consumers when building software and the challenge inherent in synthesizing the viewpoints and perspectives of 14 million users of GNOME technologies and software.

To begin, end users are not often involved in the project. Some reasons for low involvement signal project success, for example, when technology is very easy to work with, little assistance is required. In other cases, cultural issues might limit involvement, for example, when those less technical feel intimidated interacting with developers.

Regardless of the reasons, Stormy reminds us of the importance for open source projects to consider how best to improve the opportunities available for consumers to participate, and lists great ways for users to get involved. By making it easier for users to participate, we enable interaction between those who need technology and those who make it possible. And, of course, that should lead to better technology.

Stormy Peters is an experienced, respected member of the open source community and I urge you to read this article and consider how we can continue to build a more welcoming environment for users to contribute to the Joomla! project.

If you Tweet, you can follow Stormy on Twitter.


Tue 06 Jan 2009

Joomla Communication

Written by Alex Kempkens

Communicating with people is always challenging. It is so easy to be misunderstood or misinterpreted. Within the Joomla project we have a small team of very engaged community members who take care of some of these communication efforts. Amy, Ron, Mitch and Wilco are doing a great job of getting "the message" out on the front page of joomla.org and supporting community members while contributing to the Joomla! Magazine. Thanks to all of you for that and keep up the good work.

I'm very happy that Neri Valentin-Macias (aka neriv) joined the communications team just before Christmas. She already contributed to the project within the Google Summer of Code program, and this shows again that these programs help people get involved with open source projects. Neri will help us get some more general information about the project in order and improve the possibilities for you to get engaged with the project.

We have several ideas about what can be done next. This could start with new brochures that can be used by anybody to promote the project, or with some specific information material that can easily be used within your language and environment. To get things sorted out we are planning to brainstorm and give all Joomla users a chance to come up with their ideas. With a little guidance we plan to work on the various topics. The first step is an update of our wiki and an invitation to give us the ideas and wishes you would like to see for community communication. This means now is the best time to register on the wiki and start getting involved with the Joomla project. Maybe you will be the next to join one of the Joomla teams.
