Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

When creating HTML reports in tmp/assets/ include a random string in the filename #13586

Closed
mattab opened this issue Oct 11, 2018 · 0 comments · Fixed by #13607
Closed

When creating HTML reports in tmp/assets/ include a random string in the filename #13586

mattab opened this issue Oct 11, 2018 · 0 comments · Fixed by #13607
Assignees
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Milestone

Comments

@mattab
Copy link
Member

mattab commented Oct 11, 2018

For users using Nginx or when .htaccess is disabled, it may be possible to guess the filenames and access HTML/PDF report data.

To prevent this issue we could for example introduce a random string in the filename, which would be removed when the file is being downloaded via the API.

This should not impact most users as they would use apache with .htaccess support, which would prevent direct file access.

@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Oct 11, 2018
@mattab mattab added this to the 3.7.0 milestone Oct 11, 2018
@tsteur tsteur self-assigned this Oct 14, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants