Restricted access and Legacy extensions

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
User avatar
mcsmom
Joomla! Exemplar
Joomla! Exemplar
Posts: 7985
Joined: Thu Aug 18, 2005 8:43 pm
Location: New York
Contact:

Restricted access and Legacy extensions

Post by mcsmom » Fri Aug 17, 2007 2:02 pm

In 1.0 extensions, at the top there is

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

for 1.5 extensions it is

defined( '_JEXEC' ) or die( 'Restricted access' );

Is this one of the differences that is handled by having legacy enabled?

Also, if I am fixing other problems in getting an extension to work in 1.5, this is an easy thing to do, is there any reason not to make this change?
So we must fix our vision not merely on the negative expulsion of war, but upon the positive affirmation of peace. MLK 1964.
http://officialjoomlabook.com Get it at http://www.joomla.org/joomla-press-official-books.html Buy a book, support Joomla!.

gregdev
Joomla! Apprentice
Joomla! Apprentice
Posts: 37
Joined: Sat Jul 15, 2006 6:27 pm
Contact:

Re: Restricted access and Legacy extensions

Post by gregdev » Sat Aug 18, 2007 6:47 pm

mcsmom wrote: In 1.0 extensions, at the top there is

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

for 1.5 extensions it is

defined( '_JEXEC' ) or die( 'Restricted access' );

Is this one of the differences that is handled by having legacy enabled?
Yes, the legacy plugin defines _VALID_MOS.
Also, if I am fixing other problems in getting an extension to work in 1.5, this is an easy thing to do, is there any reason not to make this change?
I suppose that depends on what your intentions are. If you want your extension to support both J! 1.0.x and 1.5, then you may want to check for one of the two to be defined, or just keep using _VALID_MOS with the legacy plugin.

Greg


Locked

Return to “Security in Joomla! 1.5”