URL did not pass the variable filter test.
Support forum for users using free edition of JoomSEF 3 (Joomla 1.5 compatible). These forums are mainly for mutual help between users.

Please note that due to our capacity limitations, we do not monitor these forums regularly.

TOPIC: URL did not pass the variable filter test.

URL did not pass the variable filter test. 14 years, 7 months ago #12368

Hi,
First of all congratulations for the excellent job you guys have put in place. I’ve downloaded the free edition today, and I love everything I’ve seen till now.
One of the decisive factors to pick joomSEF was the variable filtering, and it is here where I’m focusing my testing. It is definitely a very exciting feature and I’m seeing it as an extra security layer in my joomla site.
Unfortunately I came upon something that in my opinion could be better.
Having set some basic rules, and told SEF to ‘not process at all’, I get a page with the following page:
Content: www.websites.com/index.php?vars... URL did not pass the variable filter test.
Response code: 200
Well in my opinion it shouldn’t be a 200 but a 40x or even 50x, and also there should be a possibility to point the site to whatever error page was set in the main joomSEF configuration.
I think something like the following should be enough (/components/com_sef/joomsef.php)
    if( !JoomSEF::_varFilterTest($uri, $failedVars) )
    {
        if ($sefConfig->page404 > 0)
        {
            //need to retrieve the page
            $link = ...
            global $mainframe;
            $mainframe->redirect($link, '', 404);
        }

        die($uri->toString() . '<br />' . JText::_('URL did not pass the variable filter test.'));
    }

Do you think we could have this in the future releases?

Re:URL did not pass the variable filter test. 14 years, 7 months ago #12415

I matured the code a bit further and came up with the following

in components/com_sef/joomsef.php line 1203
replace this
    if( $params->get('varFilterFail', '0') == '1' ) {
        // We need to test the URL using variable filter
        // in order to stop its further processing in case it fails
        $failedVars = array();
        if( !JoomSEF::_varFilterTest($uri, $failedVars) )
        {
            die($uri->toString() . '<br />' . JText::_('URL did not pass the variable filter test.'));
        }
    }

for this
    if( $params->get('varFilterFail', '0') == '1' ) {
        // We need to test the URL using variable filter
        // in order to stop its further processing in case it fails
        $failedVars = array();
        if( !JoomSEF::_varFilterTest($uri, $failedVars) )
        {
            // redirect to the error page
            if ($sefConfig->showMessageOn404) {
                $mosmsg = 'FILE NOT FOUND: '.$route;
                $mainframe->enqueueMessage($mosmsg);
            }
            else $mosmsg = '';

            $link = '';
            if ($sefConfig->page404 == '0') {
                $db = JFactory::getDBO();
                $sql = 'SELECT `id` FROM `#__content` WHERE `title`= "404"';
                $db->setQuery($sql);

                if (($id = $db->loadResult()))
                    $link = 'index.php?option=com_content&view=article&id=' . (int) $id;
            }
            elseif ($sefConfig->page404 == '9999999') {
                $menu =& JSite::getMenu(true);
                $item = $menu->getDefault();
                $link = $item->link;
            }
            else {
                $id = $sefConfig->page404;
                $link = 'index.php?option=com_content&view=article&id=' . (int) $id;
            }

            // If custom Itemid set, use it
            if ($sefConfig->use404itemid) {
                $link .= '&Itemid=' . $sefConfig->itemid404;
            }

            //JoomSEF::_sendHeader('HTTP/1.0 506 Proxy Authentication Required'); //so it does not make sense mixed 506 with 407 error codes
            header("HTTP/1.0 404 Not Found");

            if ($link)
            {
                // Try to find the non-SEF URL in the database - don't create new!
                $oldDisable = $sefConfig->disableNewSEF;
                $sefConfig->disableNewSEF = true;
                $sef = JRoute::_($link);
                // Restore the configuration
                $sefConfig->disableNewSEF = $oldDisable;

                $f = $l = '';
                if( !headers_sent($f, $l) )
                {
                    $mainframe =& JFactory::getApplication();
                    $mainframe->redirect($sef, $mosmsg, 'error');
                    exit();
                } else {
                    JoomSEF::_headers_sent_error($f, $l, __FILE__, __LINE__);
                }
            }

            die($uri->toString() . '<br />' . JText::_('URL did not pass the variable filter test.'));
        }
    }

this will consider all the scenarios for the 404 error page:
- pointing to an existing article
- pointing to homepage
- default 404 page

I was not able to change the response headers to something like 404 or 500 but I think it would be easy for the joomSEF team to do that bit.

As I said earlier I think this could be a nice thing to have as it looks a lot better than a
    die($uri->toString() . '<br />' . JText::_('URL did not pass the variable filter test.'));

But I would like to hear other opinions, especially from the joomsef development team.

Regards

Re:URL did not pass the variable filter test. 14 years, 7 months ago #12429

  • dajo
Hello,

Thanks for your suggestion, we'll implement it in next version.

Best regards,
ARTIO Support Team

Re:URL did not pass the variable filter test. 14 years, 7 months ago #12586

That’s great news David :)

Another thing that I’m willing to put some time into is to extend the variable sanitization to include post variables as well, and the possibility for the admin to be alerted when something gets blocked, which is an excellent way to fine-tune the settings.

The idea is to use the current variable filtering interface but to build in the possibility to define if it is a post or a get variable.

Would you guys be interested in something like this?

If so, I would like to offer my help to the project.
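
An added example, not part of the thread and not JoomSEF code: a standalone PHP sketch of the two ideas discussed above, rejecting a request that fails the variable filter with a 4xx status on the response itself, and applying the same rules to both GET and POST variables while logging what was blocked. The rule format and the function names `failed_vars` and `reject_request` are hypothetical, and the sample rules are constructed.

```php
<?php
// Added example: standalone PHP, not JoomSEF code. All names are hypothetical.
// Constructed rules: variable name => [source, regex the whole value must match].
// \A and \z anchor the whole value; `$` would also accept a trailing newline.
$rules = array(
    'id'     => array('get',  '/\A\d{1,9}\z/'),
    'view'   => array('get',  '/\A[a-z_]{1,32}\z/'),
    'answer' => array('post', '/\A[\w .,-]{0,200}\z/'),
);

// Return "source:name" for every variable that fails its rule.
// Arrays (e.g. id[]=1) fail, because the rules describe scalar values only.
function failed_vars(array $rules, array $get, array $post)
{
    $failed = array();
    foreach ($rules as $name => $rule) {
        list($source, $pattern) = $rule;
        $input = ($source === 'post') ? $post : $get;
        if (!array_key_exists($name, $input)) {
            continue; // absent variables are not tested
        }
        $value = $input[$name];
        if (!is_string($value) || !preg_match($pattern, $value)) {
            $failed[] = $source . ':' . $name;
        }
    }
    return $failed;
}

// Reject the request: log it, answer with a 4xx, echo nothing from the request.
function reject_request(array $failed)
{
    // Log names only: values may hold credentials or hostile input.
    error_log('variable filter blocked ' . implode(',', $failed));
    // The status must be set on the response that carries the body. A Location
    // redirect sent afterwards replaces it with a 3xx. 400 is this example's choice.
    header('HTTP/1.1 400 Bad Request');
    header('Content-Type: text/plain; charset=utf-8');
    exit("Request rejected by the variable filter.\n");
}

$failed = failed_vars($rules, $_GET, $_POST);
if ($failed) {
    reject_request($failed);
}
```

The log line written by `error_log` is what an administrator would review, or alert on, to fine-tune the rules.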