Prevent trigger errors on demand for instances that are opened to anonymous #13513

Closed
mattab opened this issue Sep 30, 2018 · 0 comments · Fixed by #13535
Labels: Bug For errors / faults / flaws / inconsistencies etc.

Comments


mattab commented Sep 30, 2018

When using a specially crafted URL, and if the Matomo instance is opened to anonymous, one can trigger error requests on demand.

URL: /index.php?module=Widgetize&action=iframe&moduleToWidgetize=CorePluginsAdmin&actionToWidgetize=safemode&idSite=1&period=week&date=yesterday&error_message=X&error_file=Y&error_line=111

Let's solve this so that it is not possible to trigger an error on demand (i.e. prevent widgetizing the safemode screen)
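
As an added illustration of the two defensive angles here (this is not Matomo's code and not the fix in #13535): a request guard that refuses to widgetize the safemode screen or to accept client-supplied error_* parameters, and a detector that flags the crafted URL in web server access logs. The denied (module, action) pair, the sample log lines and the Common Log Format parsing are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Widgetize targets that must never be reachable through module=Widgetize.
# Assumption: denying the (module, action) pair is one possible guard, not the project's.
DENIED_WIDGETS = {("CorePluginsAdmin", "safemode")}
# Parameters the safemode screen would echo; untrusted when a client supplies them.
ERROR_PARAMS = {"error_message", "error_file", "error_line"}


def widgetize_allowed(query: str) -> bool:
    """Return False if a Widgetize request targets a denied widget or carries error_* params."""
    q = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if q.get("module") != "Widgetize":
        return True  # not a widgetize request; nothing for this guard to decide
    if (q.get("moduleToWidgetize"), q.get("actionToWidgetize")) in DENIED_WIDGETS:
        return False
    return not ERROR_PARAMS.intersection(q)


def flag_suspicious_requests(log_lines):
    """Yield (client_ip, path) for Common Log Format lines whose URL the guard rejects."""
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed line; skip rather than guess
        ip, path = parts[0], parts[6]
        if not widgetize_allowed(urlsplit(path).query):
            yield ip, path


# Constructed sample access-log lines (not real traffic); the first one carries the crafted URL.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Sep/2018:10:00:00 +0000] "GET /index.php?module=Widgetize&action=iframe'
    '&moduleToWidgetize=CorePluginsAdmin&actionToWidgetize=safemode&idSite=1&period=week'
    '&date=yesterday&error_message=X&error_file=Y&error_line=111 HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Sep/2018:10:00:01 +0000] "GET /index.php?module=Widgetize&action=iframe'
    '&moduleToWidgetize=VisitsSummary&actionToWidgetize=getEvolutionGraph&idSite=1&period=week'
    '&date=yesterday HTTP/1.1" 200 2048',
    '198.51.100.7 - - [30/Sep/2018:10:00:02 +0000] "GET /index.php?module=CoreHome&action=index'
    '&idSite=1&period=day&date=today HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, path in flag_suspicious_requests(SAMPLE_LOG):
        print(f"rejected widgetize request from {ip}: {path}")
```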

@mattab mattab added the Bug For errors / faults / flaws / inconsistencies etc. label Sep 30, 2018
@mattab mattab added this to the 3.7.0 milestone Sep 30, 2018
@tsteur tsteur self-assigned this Oct 4, 2018
diosmosis pushed a commit that referenced this issue Dec 8, 2018
* Add reports dimensions to metadata of report and rows

* translate dimension columns

* updates test files

* fix possible error when no report is available

* update tests

* Improve subdimension detection

* Adjust tests for labelX logic

* Makes flattener compatible with 3 dimensions

* Adds new method getThirdLeveltableDimension to report class

* Do not ask for 2fa authentication code when CoreUpdater is being requested (#13796)

Could fix an edge case where user is logged in, but hasn't confirmed the auth code (so the user is not actually logged in), and then an update appears.

* Added Fallback Method for Alexa in SEO Plugin (#13552)

* added fallback method for Alexa, fixes issue #13427

* do not use short array syntax for consistency with other methods

* use mini link for Alexa, use DomXPath to filter out the global ranking instead of regex

* Use db sessions by default, deprecate file session handler (#13540)

* use db sessions by default, deprecate file session handler

* trying to fix tests

* Prevent trigger errors on demand for instances that are opened to anonymous (#13535)

fix #13513

* Remove the previous exception in base validator so the same error is not printed twice (#13801)

* Fixing build (#13802)

* update submodule

* Update screenshots and try to get test to pass.

* Get SingleMetricView to pass. (#13803)

* Quickform2 throws warnings with PHP7.2 (#13463)

fixes #13272

Haven't actually tested it but should fix the issue. If tests pass, the logic would be still the same. I don't have a PHP 7.2 running here otherwise at the moment

* Send bulk requests in chunks when needed (#13444)

* send bulk requests in chunks

* send requests correctly

* Make log and report data screen less technical (#13464)

* When you are logged out, the URL gets lost when you log in (#13441)

It won't remember any hash as the hash won't be visible in the referrer etc but it would work for most other pages.

To make it work for hash it would get likely way more complicated like we would need to persist it through JS, temporarily store it somewhere and redirect accordingly. It fixes the case mentioned in the issue.

fix #13328

* show full information of URL only on extra click (#13585)

* Add option to opt in to use send beacon (#13451)

* Add option to opt in to use send beacon

* Fix JS tracker test.

* do not overwrite existing subrow metadata

* update test files