Before installing a new plugin (via Marketplace or direct upload), ask again for the Super User password #13581

Closed
mattab opened this issue Oct 11, 2018 · 4 comments · Fixed by #14387
Labels: c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org.

mattab commented Oct 11, 2018

Before installing a new plugin (via Marketplace or direct upload), we should ask the Super User to enter their password again. Since a plugin can easily lead to RCE, it is important to ensure that a logged-in browser cannot be used to install custom plugins.

Similar to #2932

@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Oct 11, 2018
tsteur commented Oct 23, 2018

The feature to ask for the password first will also be needed in two-factor authentication (#13325) and a couple of other features. So it would be good to build a general popover or screen for this, or ... if possible.

tsteur commented Oct 30, 2018

FYI: Developed this as part of #13325. It'll be pretty much as easy as doing this in the controller:

    // Redirect the user to the password prompt unless they re-entered their password recently;
    // the module/action/nonce params tell the prompt where to send them back afterwards.
    $this->passwordVerify->requirePasswordVerifiedRecently(array('module' => 'TwoFactorAuth', 'action' => 'disableTwoFactorAuth', 'nonce' => $nonce));

It is not in a popup, though. It remains to be seen whether it can be reused there or not.

@mattab mattab added this to the 3.10.0 milestone Dec 24, 2018
tsteur commented Apr 22, 2019

FYI: Similar change was recently done here: https://github.com/matomo-org/matomo/pull/13342/files

tsteur commented Apr 22, 2019

For the install plugin page, we can use this in the installPlugin controller ...

    $params = array('module' => 'CorePluginsAdmin', 'action' => 'installPlugin', 'nonce' => $nonce);
    // Only proceed when the Super User has verified their password recently;
    // otherwise the call redirects to the password prompt and returns false.
    if ($this->passwordVerify->requirePasswordVerifiedRecently($params)) {
        // ... install plugin
    }

In the upload plugin popover, we need to add a new form field for the password and validate in the uploadPlugin controller using PasswordVerifier::isPasswordCorrect().
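The two snippets above show how the gate is called but not what it has to do. The following is an added, self-contained illustration of that flow, written for this page; it is not Matomo's PasswordVerifier and the class, method and function names (DemoPasswordVerifier, confirmPassword, the 'redirect:' return values, the 15-minute TTL) are assumptions. It covers both the "verified recently" check with a nonce-bound return trip used by installPlugin and the direct password-field check suggested for uploadPlugin.

```php
<?php
// Added example, not Matomo code: a minimal re-authentication gate for dangerous actions.
// Names and the TTL are hypothetical; the session is an in-memory array for the demo.

final class DemoPasswordVerifier
{
    private const VERIFY_TTL_SECONDS = 15 * 60; // how long a re-entered password stays valid

    private array $session = [];   // stands in for the server-side session store
    private string $passwordHash;  // the Super User's stored password hash

    public function __construct(string $passwordHash)
    {
        $this->passwordHash = $passwordHash;
    }

    // Check a candidate against the stored hash (constant-time inside password_verify).
    public function isPasswordCorrect(string $candidate): bool
    {
        return password_verify($candidate, $this->passwordHash);
    }

    // True if the user re-entered the password within the TTL. Otherwise remember where to
    // return to (module/action/nonce) so the prompt can only resume that exact request.
    public function requirePasswordVerifiedRecently(array $returnTo, int $now): bool
    {
        $verifiedAt = $this->session['pw_verified_at'] ?? 0;
        if ($now - $verifiedAt <= self::VERIFY_TTL_SECONDS) {
            return true;
        }
        $this->session['pw_verify_return_to'] = $returnTo;
        return false;
    }

    // The password prompt posts back: the nonce must match the pending request and the
    // password must be correct. A stolen cookie alone cannot satisfy the second condition.
    public function confirmPassword(string $password, string $nonce, int $now): ?array
    {
        $pending = $this->session['pw_verify_return_to'] ?? null;
        if ($pending === null || !hash_equals($pending['nonce'], $nonce)) {
            return null;
        }
        if (!$this->isPasswordCorrect($password)) {
            return null;
        }
        $this->session['pw_verified_at'] = $now;
        unset($this->session['pw_verify_return_to']);
        return $pending; // caller redirects back to module/action
    }
}

// Hypothetical installPlugin controller: installs only when the gate passes.
function installPlugin(DemoPasswordVerifier $verifier, string $nonce, int $now): string
{
    $params = ['module' => 'CorePluginsAdmin', 'action' => 'installPlugin', 'nonce' => $nonce];
    if (!$verifier->requirePasswordVerifiedRecently($params, $now)) {
        return 'redirect:confirmPassword'; // stand-in for rendering the password prompt
    }
    return 'installed';
}

// Hypothetical uploadPlugin handler: the upload form carries a password field that is
// checked directly, as suggested for the upload popover.
function uploadPlugin(DemoPasswordVerifier $verifier, array $post): string
{
    if (!isset($post['password']) || !$verifier->isPasswordCorrect($post['password'])) {
        return 'rejected: wrong password';
    }
    return 'uploaded';
}

// Demo run with a constructed Super User password and nonce.
$verifier = new DemoPasswordVerifier(password_hash('correct horse battery staple', PASSWORD_DEFAULT));
$nonce = bin2hex(random_bytes(16));
$now = time();

echo installPlugin($verifier, $nonce, $now), PHP_EOL;                       // not verified yet
var_dump($verifier->confirmPassword('wrong', $nonce, $now));                 // rejected
var_dump($verifier->confirmPassword('correct horse battery staple', $nonce, $now));
echo installPlugin($verifier, $nonce, $now), PHP_EOL;                       // within TTL
echo installPlugin($verifier, $nonce, $now + 16 * 60), PHP_EOL;             // TTL expired
echo uploadPlugin($verifier, ['password' => 'wrong']), PHP_EOL;
echo uploadPlugin($verifier, ['password' => 'correct horse battery staple']), PHP_EOL;
```

The point of the design is that neither a hijacked session cookie nor a cross-site request can complete the install on its own: the request is parked under a nonce, and only a correct password submitted against that same nonce unparks it. In a real deployment the password prompt should also be rate-limited like the login form, since it is an equally valuable target for brute force.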

@katebutler katebutler self-assigned this Apr 23, 2019
@mattab mattab modified the milestones: 3.11.0, 3.10.0 May 28, 2019
@mattab mattab added the not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. label Jun 29, 2019