
In links to HTML/PDF reports downloads, do not show token_auth #12721

Closed
mattab opened this issue Apr 12, 2018 · 2 comments · Fixed by #14351
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

Comments

mattab (Member) commented Apr 12, 2018

In Administration > Email reports, users can download an email report. The "Download" link includes the token_auth. This is problematic because token_auth values are then leaked in server access logs and browser history.

-> We should change it so that the link doesn't include the token_auth, and instead the "download" should be a POST request with the token_auth in the POST body.
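The leak described in this issue and the proposed fix, as an added example that is not part of the issue or of Matomo's own code: the URL, the token value and the access-log lines below are constructed for illustration, and the request shapes (a GET link carrying token_auth in the query string, replaced by a POST with the token in the body) are assumptions about what the "Download" link and its replacement would carry. The first function rewrites such a link into its POST equivalent; the second scans web-server access logs for request lines that already leaked a token, which is the check you would run after fixing the link.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Constructed sample of the vulnerable "Download" link: the API token rides in
# the query string, so it ends up in access logs, proxies and browser history.
# Hostname, report id and token value are made up for this example.
LEAKY_URL = (
    "https://matomo.example.org/index.php?module=API"
    "&method=ScheduledReports.generateReport&idReport=3&outputType=1&format=pdf"
    "&token_auth=0123456789abcdef0123456789abcdef"
)


def split_token_into_body(url: str) -> dict:
    """Describe the POST request equivalent to a GET link carrying token_auth.

    The secret is removed from the URL (what gets logged and bookmarked) and
    moved into the request body. Returns {"method", "url", "body"} so the
    caller can render a hidden form or issue the request with an HTTP client.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    token = query.pop("token_auth", None)
    # Re-encode the remaining parameters in their original order.
    safe_url = urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
    body = {"token_auth": token[0]} if token else {}
    return {"method": "POST", "url": safe_url, "body": body}


# Constructed access-log lines in the common "combined" format. Line 1 shows
# the leak (token in the request line); line 3 shows the fixed shape, where a
# POST carries the token in the body and nothing secret is logged.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2018:10:01:02 +0000] "GET /index.php?module=API&method=ScheduledReports.generateReport&idReport=3&outputType=1&token_auth=0123456789abcdef0123456789abcdef HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2018:10:01:09 +0000] "GET /index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday HTTP/1.1" 200 10211 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2018:10:02:33 +0000] "POST /index.php?module=API&method=ScheduledReports.generateReport&idReport=3 HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
"""

# Matches the quoted request line and captures a token_auth query parameter.
TOKEN_IN_QUERY = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S*\?[^" ]*\btoken_auth=(?P<token>[^&" ]+)[^" ]*)'
)


def find_leaked_tokens(log_text: str) -> list:
    """Return (line_no, method, redacted_token) for every request line whose
    URL carries token_auth. The token is redacted so the finding itself can be
    pasted into a ticket without repeating the leak."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = TOKEN_IN_QUERY.search(line)
        if match:
            token = match.group("token")
            redacted = token[:4] + "..." + token[-4:]
            hits.append((line_no, match.group("method"), redacted))
    return hits


if __name__ == "__main__":
    print(split_token_into_body(LEAKY_URL))
    for hit in find_leaked_tokens(SAMPLE_LOG):
        print("token_auth leaked in request line:", hit)
```

Any token that `find_leaked_tokens` reports should be treated as compromised and regenerated, since the log file, and every proxy or browser that saw the URL, now holds it. Moving the token into a POST body keeps it out of the request line that servers log by default, but a body can still be captured by a proxy, WAF or debug logging; a download bound to the already authenticated session, so that no token is transmitted at all, avoids that exposure entirely.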

@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Apr 12, 2018
tsteur (Member) commented Apr 12, 2018

When you POST, the reload might be problematic. Can probably simply add a controller action for this that executes the API method so no token needed etc.

@mattab mattab added this to the 3.10.0 milestone Dec 13, 2018
mattab (Member, Author) commented Dec 14, 2018

Reloading should work I think (browser would prompt "do you want to post the data?"),
but sharing the link or opening in a new window wouldn't work (as expected)
