Supplying multiple HTTP parameters with the same name may cause Matomo to interpret values in unanticipated ways. #13069
Comments
Why don't you whitelist the exact url of the optout you have included?
I already do that, but this always requires the correct order of the parameters in the hope that they would not change. Maybe that's not a real bug, but I find Matomo's behavior strange in this case.
Isn't it kind of common behavior that only the last value of a parameter is used if it is given multiple times?
I think that's PHP itself that doesn't have a specified behavior when multiple GET parameters have the same key. I guess Matomo just uses what PHP returns in
Yes, the interpreter should take care of evaluating the $_GET parameter. As a framework I would block calls with several same parameters, because the intention of the call is no longer recognizable (did I want to have OptOut or Login page?)
But Matomo has no way to see if a get parameter was specified twice. <?php
print_r($_GET); returns only
Ok then the behavior as mentioned by @sgiehl is the correct behavior. So that always the last parameter counts. Then I have to exclude in the rewrite that the login module and the default action can be called. Thank you for the clarifying information.
Matomo could check that by looking at
Yes, I think that makes things worse. If it is planned then I would be glad to build less complicated rewrites :-)
When creating rewrite rules to block the login page from the internet (only optOut should be allowed), I found some strange behavior in Matomo v3.5.1. If someone adds parameters with the same name to the URL, then the original module and action will no longer be called. This makes it difficult to block the login page.
Example:
https://##matomo-url##/index.php?module=CoreAdminHome&module=Login&action=optOut&action=index
The expected behavior here should be the opt-out page, not the login page.
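The mismatch discussed in this thread, as an added example that is not Matomo's code and not part of the original issue: PHP's query parsing keeps only the last value of a repeated name, so an allow-list rule that matches an earlier occurrence approves a different request than the one the application handles. The helper names `duplicatedParams` and `isAmbiguousRequest` are hypothetical, and reading the raw string from `$_SERVER['QUERY_STRING']` is an assumption about where such a check would sit.

```php
<?php
declare(strict_types=1);

/**
 * Return the scalar parameter names that occur more than once in a raw
 * query string. The parsed array cannot show this, because a repeated
 * scalar name is collapsed to its last value during parsing.
 */
function duplicatedParams(string $rawQuery): array
{
    $counts = [];
    foreach (explode('&', $rawQuery) as $pair) {
        if ($pair === '') {
            continue; // tolerate "a=1&&b=2" and a trailing "&"
        }
        $name = urldecode(explode('=', $pair, 2)[0]);
        if (strpos($name, '[') !== false) {
            continue; // name[] / name[key] is PHP array syntax, repetition is intended
        }
        // PHP turns dots and spaces in parameter names into underscores,
        // so "a.b" and "a_b" end up under the same key.
        $name = strtr($name, '. ', '__');
        $counts[$name] = ($counts[$name] ?? 0) + 1;
    }
    $repeated = array_filter($counts, function (int $n): bool {
        return $n > 1;
    });
    return array_map('strval', array_keys($repeated));
}

/** True when a front-end rule and the application could disagree about the request. */
function isAmbiguousRequest(string $rawQuery): bool
{
    return duplicatedParams($rawQuery) !== [];
}

// Constructed sample: the query string of the example URL in the issue.
$raw = 'module=CoreAdminHome&module=Login&action=optOut&action=index';

parse_str($raw, $parsed);           // same last-value-wins parsing as $_GET
print_r($parsed);                   // the module/action the application acts on
print_r(duplicatedParams($raw));    // the names a filter should refuse
var_dump(isAmbiguousRequest($raw));

// Assumed placement: at the very top of the entry script, before routing.
if (PHP_SAPI !== 'cli' && isAmbiguousRequest($_SERVER['QUERY_STRING'] ?? '')) {
    http_response_code(400);
    exit('Repeated query parameter');
}
```

Rejecting the request outright avoids having to encode parameter order into the rewrite rules.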