RSS Feed format issue
By DeeEmm on Monday, 04 May 2015
Posted in General Issues
Replies 12
Likes 0
Views 1.3K
Votes 0
I use the EasySocial Stream RSS feed to post to Facebook and Twitter using either dlvr.it or hoostsuite, this is a very easy way to post to multiple social media streams and avoids issues with duplicate content and dedicated Facebook / Twitter scripts for each aspect of the site. I previously did the same with JomSocial with no issues.

I have found that with EasySocial there is an issue with the RSS format. Whilst the RSS format is compliant, the actual content doesn't follow the W3C RSS specification

The problem is that the item link does not link directly to the item but instead links to the stream item instead.

Eg rather than linking to events/my-event the link links to stream/item/my-event

This means that when the aggregation services scrape the item URL in the feed for information such as images they pull the image from the stream item and not the actual item itself. This means that the wrong image is displayed and the wrong data linked to.

In fact if you click on the link in the RSS feed it takes you to a nonsense stream item.

I propose that the stream/item/my-event link is replaced with the actual item link as per W3C RSS outline...

<channel>

  <title>Feed Title</title>

  <link>http://www.Sitelink.com</link>

  <description>Feed Description</description>

  <item>

    <title>Item Title</title>

    <link>http://www.itemlink.com</link>

    <description>Item Description</description>

  </item>

   <item>

    <title>Item 2 Title</title>

    <link>http://www.item2links.com</link>

    <description>Item 2 Description</description>

  </item>

</channel>


If this is not a change that you wish to make, where can I make these changes?

DM
Hi DeeEmm,

The delay of this reply wasn't on purpose,

This is not really a security issue. The db username and password that you saw actually came from JTable object. When you load a record with JTable, the object returned will include these information. E.g, loading a Joomla category using JTable.



$category = JTable::getInstance('Category');

$category->load(1);



print_r($category);

exit;


From the above example, you will see the username/password data actually came from JTable object itself.
Arlex Wong
·
Friday, 08 May 2015 16:39
·
0 Likes
·
0 Votes
·
0 Comments
·
First image shows incorrect data as scraped on Facebook (wrong image)

Second image shows nonsense stream item that the RSS item links to

Third image shows actual event page.

The RSS item link should really point directly to the event itself.

DM
DeeEmm
·
Monday, 04 May 2015 23:15
·
0 Likes
·
0 Votes
·
0 Comments
·
Hello DM,

This is actually correct because when you share a stream item, it should actually link to the "action" rather than the "object". For instance, if someone were to join a group, you want others to see that person's action rather than the group.

If we were to change this behavior, imagine when there are 20 different group joins to the same group. Your feed linkage would be irrelevant since it would result into displaying 20 same group objects.
Mark
·
Tuesday, 05 May 2015 00:31
·
0 Likes
·
0 Votes
·
0 Comments
·
Not so, the title contains unique data about the action, but the link should take the user to view the object...

e.g.
<title>DeeEmm Joined the group EasySocial</title>

<link>http://www.itemlink.com</link>


This way each of the 20 joins to the group will display something different...

User DeeEmm joined EasySocial

User Mark joined EasySocial

User Jenny joined EasySocial

User Mick joined EasySocial

User....


Well you get my point.

The stream is just an information stream - its purpose is exactly the same as the RSS feed - to notify users of activities in the community. The stream is not the community itself. This relationship between the RSS feed and the stream is fundamentally flawed.

Basically what we currently have is an RSS feed that links to the Stream that links to the actual activity - This expects the user to click twice to get to the object that the RSS item actually refers to. This is bad practice. One click is all you should ever need. What's worse is that it does not link to the actual stream item but to some non-existent 'group' (try it - its not very good). It really does not work very well as it doesn't even work in accordance with your designed intent.

What you are promoting is the stream itself not the object, when in truth no one is interested in this. The RSS feed should mirror the contents of the stream not link to it. The RSS feed is simply another vehicle for communication, Same as the stream, or notifications, or email notifications; ultimately the user is interested in the object itself, not the stream item about the object.

DM
DeeEmm
·
Tuesday, 05 May 2015 11:14
·
0 Likes
·
0 Votes
·
0 Comments
·
Hmnnnn, so I decided to write an extension to generate an RSS feed to my liking as it will probably be easier than trying to change the way that you perceive the intent of RSS. So to make a start I used the example from the developer documentation...



require_once( JPATH_ROOT . '/administrator/components/com_easysocial/includes/foundry.php' );

$data = Foundry::stream()->get( $options );


So I print_r() the output to the screen (as you do) to see what it contains and what do I see staring me in the face?

MY DATABASE USERNAME AND PASSWORD!!!

I can also see the email addresses and hashed passwords of the users that have posted to the stream items.

NOT GOOD!!!

No reason to have this data available within the stream object. An unnecessary vulnerability waiting to happen.

My expectation would be to see the stream object data and nothing else. If I want to know info about the user I will interrogate the user object. I cannot think of any reason at all to want to expose the database username and password to a class object.

Please remove this data from this object (and any other objects that have the same data).

DM
DeeEmm
·
Tuesday, 05 May 2015 22:46
·
0 Likes
·
0 Votes
·
0 Comments
·
Dm, I really don't see why this as an issue at all. If you ever run the codes below, you'll see your passwords too.



$config = JFactory::getConfig();



var_dump($config);

exit;


I don't see a point in hiding these objects from the stream object because the password that you see from the stream object is from Joomla's configuration.
Mark
·
Wednesday, 06 May 2015 03:13
·
0 Likes
·
0 Votes
·
0 Comments
·
Hi Mark,

I apologise in advance if my manner seems harsh but it's just our Aussie way

Joomla has it's own in-built security, it is maintained and reviewed by a team much larger than yours that test for security issues before releasing updates to the public. Security exploits in Joomla are pretty rare but still do happen from time to time, security exploits in third party extensions are much more common and form 95% of all exploits.

Without meaning to sound rude, since installing EasySocial some two or three weeks ago I have lodged some 15 support tickets, many of which relate to bugs. With so many issues it appears to me that it is really only a matter of time until you have a security issue with one of your releases. There is then a possibility that this allows this object to be exposed and at the point that this happens you will be giving thousand of script kiddies free access to sensitive data without them even having to try. This is not a place that you want to visit, believe me.

It all comes down to risk management. There is really no need for this data to be returned in any of your components. There is a database abstraction layer in Joomla specifically so that you do not need to make the database calls yourself, you simply utilise Joomlas in-built JDatabase method without ever having to need to access the password or username.

All it takes is one small mistake that allows that object to be exposed and script kiddies the world over will be rubbing their hands together.

Now, don't take this the wrong way, it is not that I am saying this will ever happen, it likely will not, but if for some reason it did, the fact that you expose the configuration variables within your component means that there is a much higher potential for damage than if you did not.

In short. You do not need to expose them, so don't.

If you are not prepared to remove these variables from your data object, then the very least that you could do is obfuscate the username and PLAIN TEXT password so that in the event of a security issue they are not human readable.

Mistakes happen. Minimise your losses before the event and protect your reputation. Don't wait until after the event and think 'jeesh I wish I had taken note of that DM bloke'.

DM
DeeEmm
·
Wednesday, 06 May 2015 10:52
·
0 Likes
·
0 Votes
·
0 Comments
·
Mark,

Any comment?

DM
DeeEmm
·
Friday, 08 May 2015 08:55
·
0 Likes
·
0 Votes
·
0 Comments
·
Hi Arlex,

Thanks for the reply. I can see that the issue is not originating with ES.

I understand that it is not a security issue in itself, but if there was a security issue then the risk of exposing the database username and password is greatly increased, the risk is similar to that of using global vars.

Call me old school but that's fckd. It's not good coding practice at all. I would definitely have expected better from Joomla. The database calls should be sewn up within a private class and utilize class abstraction to allow only the methods to be exposed.

I will report over at Joomla and see what they say.

DM
DeeEmm
·
Friday, 08 May 2015 20:20
·
0 Likes
·
0 Votes
·
0 Comments
·
Okay, keep us updated then what Joomla respond.
Arlex Wong
·
Saturday, 09 May 2015 02:33
·
0 Likes
·
0 Votes
·
0 Comments
·
Will do.
DeeEmm
·
Saturday, 09 May 2015 09:52
·
0 Likes
·
0 Votes
·
0 Comments
·
Keep us updated
Ezrul Fazwan
·
Saturday, 09 May 2015 14:16
·
0 Likes
·
0 Votes
·
0 Comments
·
View Full Post