Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Limit GeoIP downloads to certain hosts only #17097

Merged
merged 3 commits into from Jan 19, 2021
Merged

Limit GeoIP downloads to certain hosts only #17097

merged 3 commits into from Jan 19, 2021

Conversation

sgiehl
Copy link
Member

@sgiehl sgiehl commented Jan 15, 2021

Description:

It's currently possible to configure any url for downloading GeoIP databases from. Even though this option can be only changed by a super user and only if the GeoIP admin is enabled, limiting those options to only trusted hosts makes Matomo a little more secure. If someone needs to use the autoupdater to download files from somewhere else he can simply adjust the config.

For now the check is only done when setting the downloader option. Not sure if we should check that directly before download as well. Didn't add that yet, to prevent failures after a Matomo update if someone already has configured something else.

Review

  • Functional review done
  • Usability review done (is anything maybe unclear or think about anything that would cause people to reach out to support)
  • Security review done see checklist
  • Code review done
  • Tests were added if useful/possible
  • Reviewed for breaking changes
  • Developer changelog updated if needed
  • Documentation added if needed
  • Existing documentation updated if needed

@sgiehl sgiehl added c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Needs Review PRs that need a code review labels Jan 15, 2021
@sgiehl sgiehl added this to the 4.2.0 milestone Jan 15, 2021
@Findus23
Copy link
Member

It would be nice if the error message displayed to the user was translatable and would explain a bit more detailed what they need to do to fix it (or link to an FAQ entry).

@sgiehl
Copy link
Member Author

sgiehl commented Jan 15, 2021

@Findus23 good point. I've just improved the messages and made them translatable

diosmosis
diosmosis requested changes Jan 17, 2021
View reviewed changes
Copy link
Member

@diosmosis diosmosis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

found one issue, otherwise code looks good

plugins/GeoIp2/GeoIP2AutoUpdater.php Outdated Show resolved Hide resolved
plugins/GeoIp2/tests/Unit/GeoIP2AutoUpdaterTest.php Outdated Show resolved Hide resolved
@sgiehl sgiehl requested a review from diosmosis January 18, 2021 09:46
@diosmosis diosmosis merged commit 1a05313 into 4.x-dev Jan 19, 2021
@diosmosis diosmosis deleted the geoipupdatehosts branch January 19, 2021 03:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@diosmosis diosmosis Awaiting requested review from diosmosis

Assignees
No one assigned
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Needs Review PRs that need a code review
Projects
None yet
Milestone
4.2.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@sgiehl @Findus23 @diosmosis