@hannob opened this Issue on February 3rd 2019

By sending a cookie with a special char one can trigger a PHP warning:

curl --cookie 'PHPSESSID=äöü' https://builds-artifacts.matomo.org

The PHP warning will be shown within the HTML output:

<b>Warning</b>:  SessionHandler::write(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in <b>/home/piwik-builds-artifacts/ui-tests-viewer/vendor/symfony/http-foundation/Session/Storage/Proxy/SessionHandlerProxy.php</b> on line <b>77</b><br />

It is generally recommended to never enable displaying PHP errors in production systems. While this warning is harmless, other error types can contain sensitive information like passwords.
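
A defender-side check for the leak reported above, as an added example that is not part of the original issue or of Matomo's code: it scans a response body for PHP's displayed-error banner, in the HTML form quoted in the issue and in the plain-text form PHP emits when html_errors is off. The function name, the sample bodies and the sample path are constructed for illustration.

```python
import re
from html import unescape

LEVELS = r"(?:Fatal error|Parse error|Warning|Notice|Deprecated|Strict Standards)"

# html_errors=On form, as quoted in the issue:
#   <b>Warning</b>:  message in <b>/path/file.php</b> on line <b>77</b><br />
HTML_FORM = re.compile(
    rf"<b>(?P<level>{LEVELS})</b>:\s+(?P<message>.*?) in <b>(?P<file>[^<]+)</b>"
    r" on line <b>(?P<line>\d+)</b>", re.DOTALL)

# html_errors=Off form: "Warning: message in /path/file.php on line 77"
TEXT_FORM = re.compile(
    rf"^(?P<level>{LEVELS}):\s+(?P<message>.*?) in (?P<file>\S+)"
    r" on line (?P<line>\d+)\s*$", re.MULTILINE)


def find_php_error_leaks(body: str) -> list[dict]:
    """Return one finding per PHP error banner displayed in a response body."""
    findings = []
    for pattern in (HTML_FORM, TEXT_FORM):
        for m in pattern.finditer(body):
            path = unescape(m["file"])
            findings.append({
                "level": m["level"],
                "message": unescape(m["message"]).strip(),
                "file": path,
                "line": int(m["line"]),
                # An absolute path discloses the server's directory layout.
                "absolute_path": path.startswith("/")
                or bool(re.match(r"[A-Za-z]:[\\/]", path)),
            })
    return findings


# Constructed sample bodies (not captured from any real host).
SAMPLE_BODY = (
    "<html><body>\n<br />\n"
    "<b>Warning</b>:  SessionHandler::write(): The session id is too long or "
    "contains illegal characters in <b>/srv/example-app/vendor/Proxy.php</b> "
    "on line <b>77</b><br />\n"
    "<h1>Build artifacts</h1></body></html>\n"
)
CLEAN_BODY = "<html><body><h1>Build artifacts</h1></body></html>\n"

if __name__ == "__main__":
    for f in find_php_error_leaks(SAMPLE_BODY):
        print(f"{f['level']} displayed, source {f['file']}:{f['line']}")
```

Run against responses from your own production hosts, any finding means display_errors is still on there; the errors belong in the server log instead.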

@tsteur commented on February 3rd 2019 Member

Cheers, we changed it there.

This Issue was closed on February 3rd 2019