The Joomla team released a security update today.
Joomla 3.7.1 fixes a high priority security issue, plus some bugs. The official announcement is here.
As we find out more about 3.7.1, we're going to update this post with things you need to know.
Which Joomla versions are impacted?
The security issue was in the custom fields extension, which was added in Joomla 3.7.0.
So any site that was not updated to 3.7.0 is not impacted. But, this is a great time to update. There's zero excuse for not moving to 3.7.1 today.
Have specific details been released?
Yes. The issue was reported by Sucuri, and they have a detailed write-up on the technical issues.
What about Joomlashack extensions?
To solve today's security issue, 3.7.1 introduces new and safer code that impacts the way that Joomla filters input. Input filtering is *the* big deal for any website. Remember the Drupalgeddon issue in 2015? That was also an input filtering problem.
Because this issue was in the Joomla core, our extensions are not impacted. However, it has inspired us to a new round of code cleanup, focused on improving our own input filtering. In particular, we are updating Joomlashack's extensions to remove all use of the JRequest class. JRequest has been deprecated since Joomla 1.7, and it is an out-of-date way to filter inputs.
If you are an extension or template developer, check your code for the JRequest class. We recommend that you refactor to use the JInput object from the application instead. Make sure to use the correct filters, according to the expected data type.
This change is really important specially when you are retrieving variable values from the user for use in database queries (select, update or insert data). If you do not filter properly, you will leave your code vulnerable.
Here at Joomlashack, we had removed almost all examples of JRequest, but this week's extension updates will finally remove all uses from our code.
About the author
