Prevent path disclosure, automatically hide path from warning messages and backtraces #3620

Open
mattab opened this issue Dec 16, 2012 · 1 comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.

mattab commented Dec 16, 2012

Path disclosure results in a little piece of information disclosure: the path at which Piwik is set up. We had better not give out the information; even though it is not a problem in itself, it can be used when other attack vectors are available. Also, many users report the bug, and it would reduce email traffic and overhead.

The idea would be to automatically remove the path from the error messages and backtraces in the custom error/exception handler. We could still display the path when the Super User is logged in, just because it would help make things clear.

But for anonymous or view/admin, we should replace the path with empty string.
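One way to implement the handler described in this issue, as an added example that is not Matomo's own code: the install root, the `PIWIK_INCLUDE_PATH` constant and the `isSuperUser()` check are assumed names, and the sample path is constructed.

```php
<?php
// Added example, not Matomo's own code: strip the install path from error
// output and backtraces unless the Super User is logged in. PIWIK_INCLUDE_PATH
// and isSuperUser() are assumed names; the install root below is constructed.
// display_errors must be Off, otherwise PHP prints the full path before we run.
define('PIWIK_INCLUDE_PATH', '/home/piwik-demo/www/demo.piwik.org');

function isSuperUser(): bool
{
    return false; // assumption: replace with the real access check
}

// Only the Super User sees absolute paths; everyone else gets the path removed,
// leaving e.g. "/plugins/ExampleAPI/API.php" in place of the full location.
function redactPath(string $text): string
{
    return isSuperUser() ? $text : str_replace(PIWIK_INCLUDE_PATH, '', $text);
}

// Full detail goes to the server log; only the redacted form reaches the user.
function reportError(string $message): void
{
    error_log($message);
    echo htmlspecialchars(redactPath($message), ENT_QUOTES, 'UTF-8') . "\n";
}

function customErrorHandler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    reportError(sprintf('Error: %s in %s on line %d', $errstr, $errfile, $errline));
    return true; // handled; do not fall through to PHP's default output
}

function customExceptionHandler(Throwable $e): void
{
    reportError(sprintf("Uncaught %s: %s in %s:%d\n%s", get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine(), $e->getTraceAsString()));
}

// E_ERROR (the "Fatal error" cases quoted in this issue) never reaches
// set_error_handler(), so the shutdown function has to redact those too.
function customShutdownHandler(): void
{
    $last = error_get_last();
    if ($last !== null && $last['type'] === E_ERROR) {
        reportError(sprintf('Fatal error: %s in %s on line %d',
            $last['message'], $last['file'], $last['line']));
    }
}

set_error_handler('customErrorHandler');
set_exception_handler('customExceptionHandler');
register_shutdown_function('customShutdownHandler');
```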

mattab commented Jan 5, 2013

from email

a[]=
/index.php?a[]=0&b=0&format=xml&method=ExampleAPI.getSum&module=API&token_auth=anonymous
Fatal error: Unsupported operand types in
/home/piwik-demo/www/demo.piwik.org/plugins/ExampleAPI/API.php on line
100
---------------------
b[]=
/index.php/index.php?a=0&b[]=0&format=xml&method=ExampleAPI.getSum&module=API&token_auth=anonymous
Fatal error: Unsupported operand types in
/home/piwik-demo/www/demo.piwik.org/plugins/ExampleAPI/API.php on line
100
----------------------
date[]=
/index.php?action=getEvolutionGraph&columns=revenue&date[]=1&evolutionBy=revenue&idSite=2&idsite=2&module=MultiSites&period=day&viewDataTable=sparkline
Fatal error: Call to a member function toString() on a non-object in
/www2/htdocs/piguik/core/Archive.php on
line 262
----------------------
fontSize[]=
/index.php?aliasedGraph=1&apiAction=getCountry&apiModule=UserCountry&date=last10&fontSize[]=9&format=rss&idSite=2&legendAppendMetric=1&method=ImageGraph.get&module=API&outputType=0&period=day&showLegend=1&token_auth=anonymous&translateColumnNames=
Fatal error: Unsupported operand types in
/www2/htdocs/piguik/plugins/ImageGraph/API.php
on line 163

@mattab mattab added this to the Future releases milestone Jul 8, 2014
@mattab mattab removed the P: normal label Aug 3, 2014
@mattab mattab modified the milestones: Long term, Mid term Dec 23, 2015
@mattab mattab modified the milestones: Long term, Mid term Dec 5, 2016