In links to HTML/PDF reports downloads, do not show token_auth #12721
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
In Administration > Email reports, users can download an email report. The "Download" link includes the token_auth. This is problematic because token_auth are then leaked in server access logs and browser history.

-> We should change it so that the link doesn't include the token_auth, and instead the "download" should be a POST request with the token_auth in the POST body.
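
The access-log exposure described in this issue can be checked for on the server side. The following is an added example, not part of the original issue or of Matomo's code: it scans combined-format access log lines for a non-empty `token_auth` query parameter, redacts the value, and reports which requests exposed it. The log lines, URLs and token value are constructed sample data.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Request line inside a combined-format access log entry: "METHOD target HTTP/x"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SENSITIVE = {"token_auth"}  # query parameters that must never reach a log

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2018:13:55:36 +0000] "GET /index.php?module=API'
    '&idReport=3&token_auth=0123456789abcdef0123456789abcdef HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2018:13:56:02 +0000] "GET /index.php?module=CoreHome HTTP/1.1" 200 811',
    '203.0.113.7 - - [10/Oct/2018:13:57:10 +0000] "POST /index.php?module=API HTTP/1.1" 200 5120',
]

def redact_target(target):
    """Return (redacted_target, leaked) for one request target."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = any(k.lower() in SENSITIVE and v for k, v in pairs)
    if not leaked:
        return target, False  # leave untouched so clean lines stay byte-identical
    clean = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean))), True

def scrub_log(lines):
    """Redact token_auth values; return (scrubbed_lines, [(line_no, method), ...])."""
    scrubbed, findings = [], []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            target, leaked = redact_target(match.group("target"))
            if leaked:
                line = line[:match.start("target")] + target + line[match.end("target"):]
                findings.append((number, match.group("method")))
        scrubbed.append(line)
    return scrubbed, findings

if __name__ == "__main__":
    scrubbed, findings = scrub_log(SAMPLE_LOG)
    for number, method in findings:
        print(f"line {number}: token_auth exposed in {method} query string")
    print("\n".join(scrubbed))
```

A token sent in the POST body, as the issue proposes, never appears in the request line, so the third sample line produces no finding. Any token this scan does find in existing logs should be treated as exposed and regenerated.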