@katebutler opened this Pull Request on May 2nd 2019 Contributor

Fixes #12540

@Findus23 commented on May 2nd 2019 Member

Just FYI: As this only solves the CSRF part of #12540 and not the unneeded-cookie part, I have created #14402 as a follow-up for that issue.

@tsteur commented on May 2nd 2019 Member

[screenshot: the error shown in Chrome]

Just tested it and it actually didn't work for me. Instead I'm seeing the above error in Chrome.

In https://github.com/matomo-org/matomo/blob/3.10.0-b1/plugins/CoreAdminHome/javascripts/optOut.js#L6-L7 it actually does a GET request to the form action. You would think the form does a regular POST, but it opens the `<form action="">` URL in a new window, totally ignoring the hidden nonce input field etc.

That's why the nonce was previously added to the redirect URL, which caused the CSRF problem.

To fix it, we need to add the nonce to the form action URL in https://github.com/matomo-org/matomo/blob/3.10.0-b1/plugins/CoreAdminHome/OptOutManager.php#L195-L200. It should be totally fine to send the nonce through a GET parameter.
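
The behaviour described in this comment, as an added example that is not code from the Matomo project: the opt-out script opens the form's action URL with a GET request, so hidden inputs never reach the server, and folding them into the action URL's query string is what makes the nonce arrive. The form values, the `nonce` parameter name and the server-side check are assumptions for illustration.

```javascript
// Constructed sample of the rendered opt-out form (placeholder values, not
// taken from Matomo). The nonce lives in a hidden input that only a real
// POST submission would send.
const OPT_OUT_FORM = {
  action: "https://matomo.example/index.php?module=CoreAdminHome&action=optOut&language=en",
  hidden: { nonce: "sample-nonce-0123" },
};

// Before the fix: opening form.action in a new window requests exactly this
// URL. The hidden fields are silently dropped, so the nonce is never sent.
function urlOpenedBeforeFix(form) {
  return form.action;
}

// After the fix: every hidden field is carried in the action URL's query
// string, while the parameters the action already had (module, action,
// language) are preserved. URLSearchParams handles the encoding.
function actionUrlWithHiddenFields(form) {
  const url = new URL(form.action);
  for (const [name, value] of Object.entries(form.hidden)) {
    url.searchParams.set(name, value);
  }
  return url.toString();
}

// Server side (assumed shape, not OptOutManager's code): the handler now
// reads the nonce from the query string and rejects the request when it is
// missing or does not match the value issued for this session.
function optOutRequestAccepted(requestUrl, expectedNonce) {
  const provided = new URL(requestUrl).searchParams.get("nonce");
  return provided !== null && provided === expectedNonce;
}
```

With the sample form, `urlOpenedBeforeFix` yields a URL the server must reject, while `actionUrlWithHiddenFields` yields one it accepts for the matching nonce only.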

@tsteur commented on May 2nd 2019 Member
@tsteur commented on May 3rd 2019 Member

Works 👍

This Pull Request was closed on May 3rd 2019