Deprecate use of $_GET/$_POST so query parameters are not in an inconsistent state #12620

Open
4 tasks
diosmosis opened this issue Mar 15, 2018 · 0 comments
Labels: c: Platform (For Matomo platform changes that aren't impacting any of our APIs but improve the core itself.); Task (Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.)


diosmosis commented Mar 15, 2018

Currently, any part of Matomo (including core, core plugins, and third-party plugins) can and does use the $_GET/$_POST variables directly, either to change the context in which other code runs (like changing the site/date) or to read query params directly.

This is not desirable, since it can lead to instances where $_GET has one value and $_POST has another, or instances where reading it directly can bypass sanitization. This can create odd, hard-to-diagnose bugs, or even potential security vulnerabilities.

To fix this, we should:

  • create some sort of service that parses $_GET/$_POST, and then sets those superglobals to empty arrays (forcing code to go through the service or Common::getRequestVar instead of using the superglobals)
  • allow that service to have different query params "pushed" and "popped" (e.g., changing idSite for some specific function call, then changing it back soon after)
  • maybe use an existing component to handle HTTP stuff (like Symfony's HTTP component)
  • remove all existing uses of $_GET/$_POST

Would have to be done for Matomo 4.
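
Added example of the service sketched above (not Matomo's code; class and method names are my own, PHP 8 assumed): it captures $_GET/$_POST once with an explicit precedence rule, empties the superglobals so every later read goes through one validated path, and scopes temporary overrides such as a different idSite with a push/pop that is restored even if the wrapped call throws.

```php
<?php
// Added example (not Matomo code): a request-parameter service that captures
// $_GET/$_POST once, empties them, and supports push/pop of overrides.
final class RequestParams
{
    private array $params;           // current (possibly overridden) parameters
    private array $stack = [];       // saved states for push()/pop()

    private function __construct(array $params) { $this->params = $params; }

    /** Capture the superglobals once, then empty them so code must go through this service. */
    public static function fromSuperglobals(): self
    {
        // POST overrides GET on conflict; this is the only place that precedence is decided
        $merged = array_merge($_GET, $_POST);
        $_GET = $_POST = $_REQUEST = [];
        return new self($merged);
    }

    /** Raw read; a missing parameter without a default is an error, not a silent null. */
    public function get(string $name, mixed $default = null): mixed
    {
        if (array_key_exists($name, $this->params)) { return $this->params[$name]; }
        if ($default === null) { throw new InvalidArgumentException("missing request parameter '$name'"); }
        return $default;
    }

    /** Strict integer read: "7abc", "007" or an array value is rejected instead of coerced. */
    public function getInt(string $name, ?int $default = null): int
    {
        $raw = $this->get($name, $default);
        if (!is_int($raw) && !(is_string($raw) && preg_match('/^(0|[1-9][0-9]*)$/', $raw))) {
            throw new InvalidArgumentException("parameter '$name' is not an integer");
        }
        return (int) $raw;
    }

    /** Run $fn with $overrides applied (e.g. a different idSite) and restore the previous state. */
    public function withParams(array $overrides, callable $fn): mixed
    {
        $this->stack[] = $this->params;                       // push
        $this->params = array_merge($this->params, $overrides);
        try {
            return $fn($this);
        } finally {
            $this->params = array_pop($this->stack);          // pop, even if $fn throws
        }
    }
}
```

A caller that previously did `$_GET['idSite'] = 3;` around a helper would instead write `$request->withParams(['idSite' => 3], fn($r) => helper($r->getInt('idSite')))`, so the override cannot leak into later code.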

@diosmosis diosmosis added this to the 4.0.0 milestone Mar 15, 2018
@mattab mattab removed this from the 4.0.0 milestone Feb 20, 2020
@mattab mattab added the c: Platform For Matomo platform changes that aren't impacting any of our APIs but improve the core itself. label Feb 20, 2020
@michalkleiner michalkleiner added the Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change. label Mar 8, 2024