@tsteur opened this Issue on June 12th 2017 Member

To prevent issues like https://github.com/piwik/plugin-CustomDimensions/issues/62

I would say the current way of sanitizing all input is rather an anti-pattern and causes lots of bugs.

We need to check if we can remove this behaviour. The problem is that some functionality may not work 100% anymore, and we need to make sure that all values are properly escaped when using them so that we do not run into any security issues after removing it. This will be lots of work and we need to see if we can manage this in Piwik 4.

@sgiehl commented on June 12th 2017 Member

Maybe we could also try to do that step by step... We currently use Common::getRequestVar() to get anything from the request object. We could introduce a new method directly returning the original request value (not sanitized) and start using that new method everywhere. So we could already deprecate Common::getRequestVar() and remove it completely in Piwik 4.

@tsteur commented on June 12th 2017 Member

That's a great idea! For the API there is likely no workaround possible for now. We could do something crazy and allow underscores like $_id, which would equal $id but unsanitized, and later simply switch it the other way around in Piwik 4, but I'm not sure if it's a good idea or not. It would definitely be good to do this step by step to avoid a big refactoring and a big PR that takes ages.

@sgiehl commented on June 12th 2017 Member

Not sure if we are using request vars with an underscore anywhere else than here, but that likely might cause problems when using such a "magic" thing. So maybe introducing a new method might be easier, but not sure re naming.

@tsteur commented on June 12th 2017 Member

Sorry, I meant API parameters, not in getRequestVar. Any API parameter is automatically sanitized. For getRequestVar we should definitely use a new method.
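
The trade-off discussed in this thread, as an added example that is not part of the original issue or of Piwik's code: it contrasts sanitizing a value when it is read with returning it raw and escaping where it is used. The function names are hypothetical, and `htmlspecialchars()` is assumed as a stand-in for the input sanitizing step.

```php
<?php
// Added illustration. getSanitizedVar(), getRawVar() and escapeHtml() are
// hypothetical names, not Piwik's API.

// Stand-in for sanitize-on-input: HTML-encode every value when it is read.
function getSanitizedVar(array $request, string $name): string
{
    return htmlspecialchars((string) ($request[$name] ?? ''), ENT_QUOTES, 'UTF-8');
}

// The proposed alternative: hand back the value exactly as it was sent.
function getRawVar(array $request, string $name): string
{
    return (string) ($request[$name] ?? '');
}

// Escaping happens where the value is used, for that output context.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request, e.g. a dimension name typed by a user.
$request = ['name' => 'R&D "Team" <EU>'];

// 1. Sanitize on input: the application never sees what was typed.
$sanitized = getSanitizedVar($request, 'name');
echo "sanitized value:    ", $sanitized, PHP_EOL;
echo "equals user input:  ", var_export($sanitized === $request['name'], true), PHP_EOL;
// A template that also escapes encodes the entities a second time.
echo "escaped again:      ", escapeHtml($sanitized), PHP_EOL;
// Non-HTML outputs inherit HTML entities they have no use for.
echo "JSON export:        ", json_encode(['name' => $sanitized]), PHP_EOL;

// 2. Raw on input, escape on use: each context gets its own encoding.
$raw = getRawVar($request, 'name');
echo "HTML output:        ", escapeHtml($raw), PHP_EOL;
echo "JSON export:        ", json_encode(['name' => $raw]), PHP_EOL;

// The cost the thread points out: with raw values, any output path that
// forgets escapeHtml() emits the markup unescaped.
echo "unescaped (unsafe): ", $raw, PHP_EOL;
```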
