Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes #16057 #16058

Merged
merged 2 commits into from Jun 24, 2020
Merged

Fixes #16057 #16058

merged 2 commits into from Jun 24, 2020

Conversation

luismsgomes
Copy link
Contributor

Please see #16057 for details on what this commit is fixing.

tsteur
tsteur reviewed Jun 11, 2020
View reviewed changes
core/Nonce.php
$origins = array(
'http://' . $host,
'https://' . $host,
'http://' . $host . ':80',
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @luismsgomes

btw always adding these ports not sure if it's a good idea or has any side effects. Wonder if we could remove the two lines that always add :80 and :443 assuming that your $host is like https://somedomain.org:443

What is Url::getCurrentHost(null); returning for you?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi,

The main motivation for this PR was exactly that :80 and :443 were missing from the list of urls.
The url returned by Url::getCurrentHost(null); contains https:// and :443 in my case.

Cheers.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@luismsgomes added few suggestions to prevent we're regressing here on anything.

Basically could even use the logic completely but only change the if (!empty($port) && $port != 80 && $port != 443) { to if (!empty($port)) {

Basically.... if no port is configured, maybe we don't want to add 80 and 443. I think this be still fine for your case. It might be fine to add it just not sure and while it's not needed be good to maybe not add it automatically

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, my last reply was incorrect: getCurrentHost() returns only the hostname, no scheme and no port in my case.
The function getOrigin() does return the scheme and the port.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see 👍 I'll undo my suggestions. @Findus23 I reckon it be fine to also allow the port as we can assume if no port is returned it is running on either port 80 or 443? Maybe if SSL is forced ([General]force_ssl=1), then we would not return the URL with port 80?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe if SSL is forced ([General]force_ssl=1), then we would not return the URL with port 80?

Yes, that makes sense.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@luismsgomes can you make that change or do you need help with this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

tsteur
tsteur requested changes Jun 14, 2020
View reviewed changes
core/Nonce.php
$origins = array(
'http://' . $host,
'https://' . $host,
'http://' . $host . ':80',
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@luismsgomes added few suggestions to prevent we're regressing here on anything.

Basically could even use the logic completely but only change the if (!empty($port) && $port != 80 && $port != 443) { to if (!empty($port)) {

Basically.... if no port is configured, maybe we don't want to add 80 and 443. I think this be still fine for your case. It might be fine to add it just not sure and while it's not needed be good to maybe not add it automatically

@tsteur
Copy link
Member

tsteur commented Jun 16, 2020

Looks generally good to me. @Findus23 @sgiehl @diosmosis any other thoughts?

Generally thinking because there are some minor changes in there that could break something we might prefer to have this in Matomo 4 and not Matomo 3 where we now only fix security issues and bigger bugs.

@luismsgomes
Copy link
Contributor Author

luismsgomes commented Jun 16, 2020 via email

@tsteur
Copy link
Member

tsteur commented Jun 16, 2020

@luismsgomes sorry about that. There will be only very few releases for 3.X in the future so it might be worth patching it in the worst case. Maybe we could think of a less "risky" version for 3.X where it doesn't change as much. Eg for the case where a port is defined like in https://github.com/matomo-org/matomo/pull/16058/files#diff-e3d1b64ec2cd9e138ad8d5c1a0d09a0eR140 we are now no longer returning the URLs without port. This could be causing trouble to other users maybe (as it's always hard to tell with these things)

@tsteur
Copy link
Member

tsteur commented Jun 24, 2020

@Findus23 can you think of any objections or do you reckon it should be fine?

@Findus23
Copy link
Member

I know little about how this part works, so I can't comment on it.

@diosmosis
Copy link
Member

@tsteur missed this issue, looks ok to me, Nonce::getAcceptableOrigins() is only used in Nonce so it won't affect anything else. I can't think of a problem w/ treating http://somesite.com & http://somesite.com:80 as equivalent. Might be good to add some tests to NonceTest.

@tsteur tsteur merged commit c8297e7 into matomo-org:3.x-dev Jun 24, 2020
@tsteur tsteur mentioned this pull request Jun 24, 2020
Merged
@tsteur tsteur added this to the 3.13.7 milestone Jun 24, 2020
@tsteur tsteur added the not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. label Jun 24, 2020
tsteur added a commit that referenced this pull request Jun 24, 2020
@tsteur
Fix nonce tests in 3.x
5d7d351 
Forgot to commit file in #16110 which applies a fix from #16058
@tsteur tsteur mentioned this pull request Jun 24, 2020
Merged
tsteur added a commit that referenced this pull request Jun 24, 2020
@tsteur
Fix nonce tests in 3.x (#16111)
bc17e1e 
Forgot to commit file in #16110 which applies a fix from #16058
@luismsgomes luismsgomes deleted the 3.x-dev branch September 1, 2020 22:18
jonasgrilleres pushed a commit to 1024pix/pix-analytics that referenced this pull request Sep 22, 2020
@luismsgomes @jonasgrilleres
Fixes matomo-org#16057 (matomo-org#16058)
5479ae2 
* Fixes matomo-org#16057

* Don't return HTTP URLs is force_ssl is true.
jonasgrilleres pushed a commit to 1024pix/pix-analytics that referenced this pull request Sep 22, 2020
@tsteur @jonasgrilleres
Fix nonce tests in 3.x (matomo-org#16111)
8b9041c 
Forgot to commit file in matomo-org#16110 which applies a fix from matomo-org#16058
jbuget pushed a commit to 1024pix/pix-analytics that referenced this pull request Sep 26, 2020
@luismsgomes @jbuget
Fixes matomo-org#16057 (matomo-org#16058)
bda6efe 
* Fixes matomo-org#16057

* Don't return HTTP URLs is force_ssl is true.
jbuget pushed a commit to 1024pix/pix-analytics that referenced this pull request Sep 26, 2020
@tsteur @jbuget
Fix nonce tests in 3.x (matomo-org#16111)
f2ad461 
Forgot to commit file in matomo-org#16110 which applies a fix from matomo-org#16058
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tsteur tsteur tsteur requested changes

Assignees
No one assigned
Labels
not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org.
Projects
None yet
Milestone
3.14.0
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@luismsgomes @tsteur @Findus23 @diosmosis