When creating HTML reports in tmp/assets/ include a random string in the filename #13586
Labels: c: Security (for issues that make Matomo more secure; please report security issues through HackerOne and not in GitHub)
For users using Nginx or when .htaccess is disabled, it may be possible to guess the filenames and access HTML/PDF report data.
To prevent this issue we could for example introduce a random string in the filename, which would be removed when the file is being downloaded via the API.
This should not impact most users as they would use apache with .htaccess support, which would prevent direct file access.
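The scheme proposed above (a random component in the stored filename that is stripped again when the file is served through the API), as an added example that is not part of the issue and not Matomo's own code. It is written in Python rather than Matomo's PHP; the directory layout, the `base-<token>.ext` naming convention, and the helper names `write_report`, `read_report` and `public_name` are assumptions made for this illustration.

```python
"""Unguessable report filenames with the token stripped on download.

Added example, not Matomo code. Assumed layout: reports are written into an
assets directory as '<base>-<32 hex chars>.<html|pdf>'; the API download
handler validates the stored name, confines it to the assets directory and
hands the file out under its token-free public name.
"""
import os
import re
import secrets
import tempfile
from pathlib import Path

TOKEN_BYTES = 16  # 128 random bits: guessing one name is a 2^-128 event
_SAFE_BASE = re.compile(r"[A-Za-z0-9._-]+")
# Stored name grammar. The character set excludes '/' (and a bare '..' can
# only ever be part of a normal filename here), so traversal is rejected early.
_STORED = re.compile(
    r"(?P<base>[A-Za-z0-9._-]+)-(?P<token>[0-9a-f]{32})\.(?P<ext>html|pdf)"
)


def stored_name(base: str, ext: str) -> str:
    """Build '<base>-<token>.<ext>' with a fresh CSPRNG token (assumed convention)."""
    if not _SAFE_BASE.fullmatch(base) or ext not in ("html", "pdf"):
        raise ValueError("unsafe base name or extension")
    return f"{base}-{secrets.token_hex(TOKEN_BYTES)}.{ext}"


def public_name(stored: str) -> str:
    """Name used for the API download (e.g. Content-Disposition): token removed."""
    m = _STORED.fullmatch(stored)
    if m is None:
        raise ValueError("not a stored report name")
    return f"{m['base']}.{m['ext']}"


def write_report(assets_dir: Path, base: str, ext: str, data: bytes) -> str:
    """Write the report under a random name; returns the stored filename."""
    name = stored_name(base, ext)
    # O_EXCL: never overwrite an existing file; 0o600: other local accounts cannot read it.
    fd = os.open(assets_dir / name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return name


def read_report(assets_dir: Path, stored: str) -> bytes:
    """What the API download handler does: validate the name, confine to assets_dir, read."""
    if _STORED.fullmatch(stored) is None:
        raise ValueError("not a stored report name")
    root = assets_dir.resolve()
    path = (root / stored).resolve()
    if path.parent != root:  # defence in depth against traversal and symlink tricks
        raise ValueError("path escapes the assets directory")
    return path.read_bytes()


def demo() -> dict:
    """Round trip in a temporary assets directory; returns checkable results."""
    with tempfile.TemporaryDirectory() as tmp:
        assets = Path(tmp)
        body = b"<html><body>visits: 42</body></html>"  # constructed sample report
        stored = write_report(assets, "report_2018-10", "html", body)
        guessed = assets / "report_2018-10.html"  # the name an attacker would try first
        try:
            read_report(assets, "../../etc/passwd")
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
        try:
            stored_name("../evil", "html")
            bad_base_rejected = False
        except ValueError:
            bad_base_rejected = True
        return {
            "stored": stored,
            "public": public_name(stored),
            "guessed_exists": guessed.exists(),
            "roundtrip": read_report(assets, stored) == body,
            "traversal_rejected": traversal_rejected,
            "bad_base_rejected": bad_base_rejected,
        }


if __name__ == "__main__":
    print(demo())
```

The random token only helps against guessing; it does not replace access control. The API handler must still check that the caller is allowed to see the report before calling `read_report`, and on Nginx the web server should additionally refuse direct requests for the directory (a generic `location ~ ^/tmp/ { deny all; }` block), since anyone who can list the directory or read a log line learns the full stored name.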