
Iframe buster not implemented in reports #10185

Closed
mgonera opened this issue May 25, 2016 · 12 comments
Labels
answered For when a question was asked and we referred to forum or answered it. Bug For errors / faults / flaws / inconsistencies etc. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

Comments

mgonera commented May 25, 2016

According to #2701, all export links should be stripped of auth_token. This isn't the case for the link that allows downloading a file with the email report content:

[Screenshot attached: screen shot 2016-05-25 at 17 44 05]

The user's concern is that an end-user may copy that link and send it to someone. Then the token will be exposed.

mgonera (Author) commented May 25, 2016

Iframe buster related bug: #10147

tsteur (Member) commented May 25, 2016

I will mark it as a bug similar to #10147. First I checked all the emails, but then I realised that it's actually in the UI.

While the token auth will be hidden when right-clicking and copying it, the token auth will still be in the URL when actually clicking on it, and there will be a risk of sending the link with the token again. At some point we could actually build an export feature for links within the UI that never shows the token auth.

@tsteur tsteur added Bug For errors / faults / flaws / inconsistencies etc. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. labels May 25, 2016
sgiehl (Member) commented May 26, 2016

Opening such reports without token_auth does not work at the moment, because it is an API request. API requests can currently only be authenticated using the token_auth.
Can somebody see any possible security breach in activating cookie auth for API requests? That would solve the problem for the UI, as there wouldn't be a reason to have the token_auth in the URL.

tsteur (Member) commented May 26, 2016

We could already log in a user by using a session in the API, but sessions and API are rather a no-no. We could store the token auth in the cookie, but this would bring some more attack vectors (XSS would get more relevant, etc.) if we stored the token auth in plain text in a cookie. What I was thinking of would have been simply a controller/action that basically calls the API with all the given parameters. We would only need to adjust the export logic in dataTable to call the controller/action and not the actual API method.

mattab (Member) commented May 27, 2016

> Can somebody see any possible security breach in activating cookie auth for API requests?

FYI, our API used to work this way (cookie auth with a fallback to token_auth), but it was actually confusing and was changed to pure token auth.

> What I was thinking would have been simply a controller/action that basically calls the API with all the given parameters.

This could work. Alternatively, maybe we could POST the token_auth in the request, as we do for the Export download links?

@mattab mattab added this to the 2.16.x (LTS) milestone May 27, 2016
tsteur (Member) commented May 27, 2016

That doesn't work with right click, etc.

mattab (Member) commented May 27, 2016

OK then, +1 to proxy such requests through a controller while the user is logged in to the UI. This should work well 👍
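The design the thread settles on, as an added illustration that is not Matomo's code: the UI builds an export link that targets a controller/action rather than the API directly and never carries token_auth; the controller authenticates the browser through its session cookie, looks the user's API token up server-side, and forwards the request's own parameters to the token-only API. The route name (`module=Export&action=proxy`), the in-memory session and token stores, the `internal_api` stand-in and the sample values are all assumptions made for this demo. `url_exposes_token` is a small regression check you can run over generated links or access logs to catch a token_auth that slipped back into a URL.

```python
"""Proxying UI export links through a session-authenticated controller.

Constructed example (not Matomo's own code) of the design agreed in the
thread: the export link the UI generates never carries token_auth; a
controller/action authenticates the browser via its session cookie, looks
the user's API token up server-side and calls the token-authenticated API
with the forwarded parameters. Route, stores and API stand-in are assumed.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-ins for the session store and the per-user token store.
SESSIONS = {"sess-abc123": "alice"}          # session id -> username
USER_TOKENS = {"alice": "a1b2c3d4e5f6"}      # username -> API token (server-side only)
ANONYMOUS_TOKEN = "anonymous"                # public token; not a secret (assumption)
PROXY_ROUTE = {"module": "Export", "action": "proxy"}  # hypothetical controller/action


def internal_api(method, params, token_auth):
    """Stand-in for the token-only API layer: it accepts a token, nothing else."""
    for user, token in USER_TOKENS.items():
        if token == token_auth:
            return {"status": 200, "user": user, "method": method, "params": params}
    return {"status": 401, "error": "invalid token_auth"}


def build_export_url(method, params):
    """Build the link the UI hands to the browser. It targets the proxy
    controller and is refused outright if a caller tries to embed a token."""
    if "token_auth" in params:
        raise ValueError("export links must not carry token_auth")
    query = dict(PROXY_ROUTE, method=method, **params)
    return "/index.php?" + urlencode(query)


def url_exposes_token(url):
    """Regression check for generated links (or access logs): True when the
    query string carries a token_auth value other than the anonymous one."""
    qs = parse_qs(urlparse(url).query)
    return any(t != ANONYMOUS_TOKEN for t in qs.get("token_auth", []))


def proxy_handler(url, cookies):
    """Controller/action: authenticate via session cookie, then forward the
    request's own parameters to the API with a server-side token."""
    qs = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if (qs.get("module"), qs.get("action")) != (PROXY_ROUTE["module"], PROXY_ROUTE["action"]):
        return {"status": 404, "error": "not the proxy route"}
    user = SESSIONS.get(cookies.get("session_id", ""))
    if user is None:
        # No session, no service: a token in the URL never authenticates this route.
        return {"status": 401, "error": "no valid session"}
    method = qs.pop("method", None)
    if method is None:
        return {"status": 400, "error": "missing method"}
    # Never trust or forward a client-supplied token; the session decides who the caller is.
    qs.pop("token_auth", None)
    qs.pop("module")
    qs.pop("action")
    return internal_api(method, qs, USER_TOKENS[user])


if __name__ == "__main__":
    link = build_export_url("VisitsSummary.get",
                            {"idSite": "1", "period": "day", "date": "2016-05-25", "format": "csv"})
    print(link, "exposes token:", url_exposes_token(link))
    print(proxy_handler(link, {"session_id": "sess-abc123"}))
    print(proxy_handler(link, {}))
```

Because the token is resolved server-side, copying the link (by right-click or by clicking it) leaks only a URL that is useless without the copier's own session, which is exactly the gap the original export links left open.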

sgiehl (Member) commented May 27, 2016 via email

@mattab mattab added PP and removed PP labels Jul 8, 2016
@mattab mattab changed the title Iframe buster not implemented in e-mail reports Iframe buster not implemented in reports Aug 3, 2016
@mattab mattab modified the milestones: 2.16.x (LTS), Mid term Aug 25, 2016
mattab (Member) commented Jun 19, 2017

This was fixed a long time ago in #10201. cc @sgiehl

@mattab mattab closed this as completed Jun 19, 2017
@mattab mattab added the answered For when a question was asked and we referred to forum or answered it. label Jun 19, 2017
@lindsaymacvean

@mattab but you closed #10201 ??

mattab (Member) commented Jul 24, 2017

May have closed this by mistake.

@mattab mattab reopened this Jul 24, 2017
Findus23 (Member) commented Feb 8, 2022

I think this changed anyway with Matomo 4, so if anyone still has this issue, please create a new issue (and maybe mention this one).

@Findus23 Findus23 closed this as completed Feb 8, 2022