@diosmosis opened this Issue on March 15th 2018 Member

Currently, any part of Matomo (including core, core plugins, 3rd party plugins) can and do use the $_GET/$_POST variables directly, to either change the context in which other code runs (like changing the site/date), or to read query params directly.

This is not desirable, since it can lead to instances where $_GET has one value and $_POST has another. Or instances where reading it directly can bypass sanitization. Which can create odd, hard to diagnose bugs, or even potential security vulnerabilities.

To fix this, we should:

  • [ ] create some sort of service that parses $_GET/$_POST, and then sets those superglobals to empty arrays (forcing code to go through the service or Common::getRequestVar instead of using the superglobals)
  • [ ] allow that service to have different query params "pushed" and "popped" (e.g., changing idSite for some specific function call, then changing it back soon after)
  • [ ] maybe use an existing component to handle HTTP stuff (like symfony's http component)
  • [ ] remove all existing uses of $_GET/$_POST

Would have to be done for matomo 4.
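The following sketch, added here as an illustration and not code from Matomo or from the issue author, shows one shape the proposed service could take: it snapshots $_GET/$_POST once, empties the superglobals, records any key where GET and POST disagree (the ambiguity the issue describes), and offers a scoped push/pop of overrides such as idSite. The class name `RequestParams`, its methods, and the GET-over-POST precedence are all assumptions made for this example; the sample request arrays are constructed.

```php
<?php
// Hypothetical request service illustrating the proposal in this issue.
// Not Matomo code: class name, method names and precedence rule are assumptions.

final class RequestParams
{
    /** @var array<string,mixed> Merged query parameters captured at bootstrap. */
    private $params;

    /** @var array<int,array<string,mixed>> Stack of overrides pushed by callers. */
    private $overrides = [];

    /** @var array<string,array{get:mixed,post:mixed}> Keys where GET and POST disagreed. */
    private $conflicts = [];

    private function __construct(array $get, array $post)
    {
        // Record keys present in both arrays with different values, so the
        // $_GET-vs-$_POST ambiguity is visible instead of silently resolved.
        foreach (array_intersect_key($get, $post) as $key => $value) {
            if ($value !== $post[$key]) {
                $this->conflicts[$key] = ['get' => $value, 'post' => $post[$key]];
            }
        }
        // Assumed precedence: GET wins on collision (array union keeps left-hand keys).
        $this->params = $get + $post;
    }

    /**
     * Capture the superglobals once and empty them, so later code can only
     * reach request data through this service (or Common::getRequestVar).
     */
    public static function captureAndClearSuperglobals(): self
    {
        $service = new self($_GET, $_POST);
        $_GET = [];
        $_POST = [];
        $_REQUEST = [];
        return $service;
    }

    /** Build from explicit arrays (tests, CLI) without touching superglobals. */
    public static function fromArrays(array $get, array $post): self
    {
        return new self($get, $post);
    }

    /** Keys whose GET and POST values differed, for logging or rejecting the request. */
    public function conflicts(): array
    {
        return $this->conflicts;
    }

    /** Read a parameter; the most recently pushed override scope wins. */
    public function get(string $name, $default = null)
    {
        for ($i = count($this->overrides) - 1; $i >= 0; $i--) {
            if (array_key_exists($name, $this->overrides[$i])) {
                return $this->overrides[$i][$name];
            }
        }
        return array_key_exists($name, $this->params) ? $this->params[$name] : $default;
    }

    /**
     * Push $overrides for the duration of $callback and pop them afterwards,
     * even if the callback throws, so a changed idSite can never leak out.
     */
    public function withParams(array $overrides, callable $callback)
    {
        $this->overrides[] = $overrides;
        try {
            return $callback($this);
        } finally {
            array_pop($this->overrides);
        }
    }
}

// Constructed sample request standing in for a real $_GET/$_POST pair.
$request = RequestParams::fromArrays(
    ['idSite' => '1', 'date' => 'today', 'module' => 'API'],
    ['idSite' => '2', 'token_auth' => 'anonymous']
);

var_dump($request->conflicts());           // idSite differs between GET and POST
echo $request->get('idSite'), "\n";       // value from the captured request
echo $request->withParams(['idSite' => '7'], function (RequestParams $r) {
    return $r->get('idSite');             // override visible only inside this scope
}), "\n";
echo $request->get('idSite'), "\n";       // override popped, original value restored
```

In a real bootstrap the entry point would call `RequestParams::captureAndClearSuperglobals()` before any plugin code runs; anything that still touches `$_GET` afterwards sees an empty array and fails loudly, which is how the last checklist item (removing remaining direct uses) can be enforced rather than just audited.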
